In nearly all digital forensics cases where a Windows computer is involved, we need to process the recycle bin for deleted files. When a file is deleted through the recycle bin on a computer with the NTFS file system, several things occur. First, the file's NTFS $MFT entry is updated with a new parent record number; in effect, its parent becomes the Recycle Bin instead of its original location. Second, the file is given a new name: instead of the original name it becomes $R followed by six random characters and the original file extension. For example, a file named "dog.txt" could become "$R24E32E.txt". In addition, a paired administrative file is created. This administrative file starts with $I followed by the same six random characters and the original extension, so the paired administrative file for "$R24E32E.txt" would be "$I24E32E.txt". These $I files contain a good deal of information, even when the paired $R file has been overwritten.
The $I files contain:
- The original file’s size
- The date the file was sent to the recycle bin
- The original file’s full path
There aren't any good tools that specifically and quickly parse only this information out of these files, which is why we made the Flashback Data $I File Parser. Take all of the $I files for your case (you can use your favorite forensics tool to export them) and put them in a directory. Point the program at that directory, set an output CSV file, and it will parse all of the files into the CSV. The CSV fields output are: $I file name, $R file name, Size (in bytes), Date (UTC), Original path, Original File Name, and MD5 hash of the $I file.
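For readers who want to see what the parser actually has to decode, here is an added Python example that is not the Flashback Data tool's code. It parses the fixed header of a $I file (version, original size, deletion FILETIME) and the original path, handles both the fixed-length 520-byte path buffer used by Vista/7/8 (format version 1) and the length-prefixed path used by Windows 10 and later (format version 2), and emits the same CSV columns the post lists. The sample records, file names, path and timestamp are constructed for the example; `parse_directory` is a hypothetical helper for running it against a real export folder.

```python
import csv
import hashlib
import io
import os
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Output columns, matching the ones described in the post.
CSV_FIELDS = ["$I file name", "$R file name", "Size (bytes)", "Date (UTC)",
              "Original path", "Original file name", "MD5 of $I file"]


def filetime_to_utc(ticks):
    """Convert a Windows FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; used here only to build constructed samples."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_i_file(data):
    """Parse the bytes of one $I file and return its fields as a dict.

    Layout (little-endian):
      0x00  u64  format version: 1 (Vista/7/8) or 2 (Windows 10 and later)
      0x08  u64  original file size in bytes
      0x10  u64  deletion time as FILETIME
      0x18  path: v1 = fixed 520-byte UTF-16LE buffer (260 wchars, NUL padded)
                 v2 = u32 path length in wchars (incl. NUL), then that many wchars
    """
    if len(data) < 24:
        raise ValueError("$I file shorter than its 24-byte fixed header")
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        if len(data) < 28:
            raise ValueError("truncated v2 $I file: path length field missing")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I format version {version}")
    # Decode and stop at the first NUL; a truncated trailing code unit is tolerated.
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_utc(ticks), "original_path": path}


def i_file_to_row(i_name, data):
    """Build one CSV row (dict keyed by CSV_FIELDS) from a $I file name and its bytes."""
    rec = parse_i_file(data)
    # The paired $R file shares the six random characters and the extension.
    r_name = "$R" + i_name[2:] if i_name.startswith("$I") else ""
    return {
        "$I file name": i_name,
        "$R file name": r_name,
        "Size (bytes)": rec["size"],
        "Date (UTC)": rec["deleted_utc"].strftime("%Y-%m-%d %H:%M:%S"),
        "Original path": rec["original_path"],
        "Original file name": rec["original_path"].rsplit("\\", 1)[-1],
        "MD5 of $I file": hashlib.md5(data).hexdigest(),
    }


def rows_to_csv(rows):
    """Render rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def parse_directory(dir_path):
    """Hypothetical helper: parse every $I* file in an exported directory."""
    rows = []
    for name in sorted(os.listdir(dir_path)):
        if name.startswith("$I"):
            with open(os.path.join(dir_path, name), "rb") as fh:
                rows.append(i_file_to_row(name, fh.read()))
    return rows


def make_i_record(version, size, deleted_utc, path):
    """Build a constructed sample $I file (not a real artefact) for exercising the parser."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, utc_to_filetime(deleted_utc))
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


# Constructed samples mirroring the post's dog.txt example (names, paths and time are invented).
SAMPLE_TIME = datetime(2017, 2, 28, 15, 4, 5, tzinfo=timezone.utc)
SAMPLES = {
    "$I24E32E.txt": make_i_record(2, 1234, SAMPLE_TIME, r"C:\Users\alice\Documents\dog.txt"),
    "$IA1B2C3.docx": make_i_record(1, 98765, SAMPLE_TIME, r"C:\Users\alice\Desktop\notes.docx"),
}

if __name__ == "__main__":
    print(rows_to_csv([i_file_to_row(n, d) for n, d in SAMPLES.items()]))
```

The MD5 column is computed over the raw $I bytes as read from the export, so the value only matches a tool's output if the export preserved the file byte for byte; a short or truncated $I file raises `ValueError` rather than producing a row with silently wrong fields.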
Please send any feedback by clicking here.
We hope this helps some of you make your job easier.
To download the updated version (2/28/2017), v0.95, click here.
Unzip the file and run IFileParser.exe.