Flashback Data Digital Forensics Utility

Digital Forensics Hack – $I File Parser – Free Download

Digital forensics software has come a long way in providing tools to help digital forensic examiners do their jobs more efficiently. However, when you’re performing hundreds or thousands of examinations per month, you still find yourself doing a lot of repetitive, manual work. The experts at Flashback Data have created a nifty productivity tool to simplify a standard part of almost every digital forensic examination: processing the Recycle Bin for deleted files.

Most digital forensics software can help you find and extract the digital footprints of a deleted file on a Windows computer, but analyzing the most important part of these footprints can be a real bear when there are hundreds or thousands of deleted files. Flashback Data has created a tool to batch process the administrative or “$I” files that a Windows computer creates when a file is sent to the Recycle Bin.

What the Recycle Bin Does Behind the Scenes

When a file is deleted through the recycle bin on a computer with the NTFS file system, several things will occur. First the NTFS $MFT entry is updated with a new record number for a parent. Basically, that means its parent now becomes the Recycle Bin instead of its original location. Next, the file is given a new name. Instead of the original name it now becomes named $R with six random characters and the original file extension. For example if a file was named “dog.txt” it could become “$R24E32E.txt”. In addition, a paired administrative file is created. This administrative file starts with $I and then has the same six random characters and the original extension. So, the paired administrative file using the example above “$R24E32E.txt” would be “$I24E32E.txt”. These $I files contain a good deal of information, even when the paired $R file is overwritten.

The $I files contain:

  • The original file’s size
  • The date the file was sent to the recycle bin
  • The original file’s full path

Accessing This Data

There aren’t tools that specifically parse only this information out of these files quickly, so this is why we made the Flashback Data $I File Parser. You can take all of your $I files for your case (you can use your favorite forensics tool to get these) and put them in a directory. Point the program to it, set an output CSV file and click the “Create CSV’ button.

Screenshot of Flashback Data $I File Parser

The program will parse all of the files into a CSV for you with the following fields:

  • $I file name
  • $R file name
  • Size (in bytes)
  • Date (UTC)
  • Original path
  • Original File Name
  • MD5 hash of the $I file.

Screenshot of Flashback Data $I File Parser

You can download this tool here (UPDATED VERSION 2/28/17 – V0.95). Good luck!

If you need a more in-depth forensic analysis of your data, please CONTACT US for a free consultation or CALL US AT 866-786-5700.

Related posts:

External Hard Drive Without CasingsDIY Data Recovery Versus Professionals digital-forensics-expertiseHDD vs. SSD Data Recovery Deleting DataData Recovery Myths Debunked expert repairing a hard driveHow Does Hard Drive Data Recovery Work?
3 Critical Mistakes To Avoid When Hiring A Digital Forensic Examiner Avoid These Mistakes When Hiring a Digital Forensic Examiner Options for Dealing with the Digital Forensics Backlog Options for Dealing With the Digital Forensics Backlog