TZWorks LLC
System Analysis and Programming
www.tzworks.com


TZWorks®
Windows Trash Inspection & Analysis - tia

(Version 0.36)



Information about our End User's License Agreements (EULAs)
for software on TZWorks, LLC Website www.tzworks.com

User Agreement

TZWorks LLC software and related documentation ("Software") is governed by separate licenses issued from TZWorks LLC. The User Agreement, Disclaimer, and/or Software may change from time to time. By continuing to use the Software after those changes become effective, you agree to be bound by all such changes. Permission to use the Software is granted provided that (1) use of such Software is in accordance with the license issued to you and (2) the Software is not resold, transferred or distributed to any other person or entity. Refer to the specific EULA issued to you for its terms and conditions. There are 3 types of licenses available: (i) for educational purposes, (ii) for demonstration and testing purposes and (iii) business and/or commercial purposes. Contact TZWorks LLC (info@tzworks.com) for more information regarding licensing and/or to obtain a license. To redistribute the Software, prior approval in writing is required from TZWorks LLC. The terms in your specific EULA do not give the user any rights in intellectual property or technology, but only a limited right to use the Software in accordance with the license issued to you. TZWorks LLC retains all rights to ownership of this Software.

Export Regulation

The Software is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations. The Export Control Classification Number (ECCN) for the Software is 5D002, subparagraph C.1. The user shall not, directly or indirectly, export, re-export or release the Software to, or make the Software accessible from, any jurisdiction or country to which export, re-export or release is prohibited by law, rule or regulation. The user shall comply with all applicable U.S. federal laws, regulations and rules, and complete all required undertakings (including obtaining any necessary export license or other governmental approval), prior to exporting, re-exporting, releasing, or otherwise making the Software available outside the U.S.

Disclaimer

The user agrees that this Software made available by TZWorks LLC is experimental in nature and use of the Software is at user's sole risk. The Software could include technical inaccuracies or errors. Changes are periodically added to the information herein, and TZWorks LLC may make improvements and/or changes to Software and related documentation at any time. TZWorks LLC makes no representations about the accuracy or usability of the Software for any purpose.

ALL SOFTWARE ARE PROVIDED "AS IS" AND "WHERE IS" WITHOUT WARRANTY OF ANY KIND INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT SHALL TZWORKS LLC BE LIABLE FOR ANY KIND OF DAMAGE RESULTING FROM ANY CAUSE OR REASON, ARISING OUT OF IT IN CONNECTION WITH THE USE OR PERFORMANCE OF INFORMATION AVAILABLE FROM THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY DAMAGES FROM ANY INACCURACIES, ERRORS, OR VIRUSES, FROM OR DURING THE USE OF THE SOFTWARE.

Removal

The Software is the original work of TZWorks LLC. However, to be in compliance with the Digital Millennium Copyright Act of 1998 ("DMCA") we agree to investigate and disable any material for infringement of copyright. Contact TZWorks LLC at email address: info@tzworks.com, regarding any DMCA concerns.


About the tia Tool

tia is a command line tool that parses Windows recycle bin artifacts. It was designed to handle the different recycle bin formats used from WinXP through Win10. The reports it generates are various flavors of CSV output, so the results can be exported to a spreadsheet or another database with minimal effort.

To use this tool, an authentication file is required to be in the same directory as the binary in order for the tool to run.

Background

In Windows, when a user deletes a file, the operating system renames the file and moves it into a holding directory, where it stays until the trash is emptied. During the deletion, Windows also creates a companion file containing the metadata for the deleted item: the deletion time, the original path and name of the file or folder that was deleted, and its size.

The folder that stores the deleted entry and its associated metadata is the Recycle Bin directory. For Windows XP, this root directory is the Recycler folder and the metadata lives in an info2 file. Each account on the machine has its own subfolder, named by the SID (Security Identifier) of the user account, and a single info2 file in that subfolder holds one record for every item that account deleted. For example, when looking at the C: drive, the path is C:\Recycler\{account SID}\info2.

For Windows Vista and later, the root directory is the $Recycle.Bin folder, again with one subfolder per account SID. Here each deleted item gets its own metadata file, named $I followed by six generated characters (the renamed content of the deleted file sits beside it under the matching $R name). Windows 10 introduced a second version of the $I layout in which the original path is stored with an explicit length instead of in a fixed 520-byte field, which is why the tool must recognize more than one format version.

From a forensics standpoint, parsing the metadata in these files shows which files and/or folders were deleted and when, and the SID-named subfolder the metadata was found in shows which user account was responsible for the deletion.


Usage

The tia tool is flexible in that it allows one to process trash artifacts from a number of sources. For example, one can: (a) parse an individual recycle bin metadata file, (b) target a recycle bin directory on a specified volume, (c) scan/carve the entire volume for recycle bin metadata information, or (d) process recycle bin metadata in an offline manner by feeding artifacts into STDIN (standard input). Below is the menu with the various options. Details of each option are given in the List of options section further down.

    Usage

       tia -file <file>
       dir c:\$recycle.bin\$I* /b /s /a | tia -pipe [options]
       tia -partition <letter> [options]
       tia -image <dd image> [-offset <vol offset>] [options] = ***
       tia -enumdir c:\$recycle.bin; -num_subdirs 5 -filter "$I*" [options]

     Basic Options
      -csv                         = comma separated value output
      -csvl2t                      = log2timeline output

     Additional Options
      -dateformat mm/dd/yyyy       = "yyyy-mm-dd" is the default
      -timeformat hh:mm:ss         = "hh:mm:ss.xxx" is the default
      -no_whitespace               = remove whitespace between csv delimiter
      -csv_separator "|"           = change csv delimiter to a pipe char
      -pipe                        = pipe specially named files to process
      -filter <*partial*|*.ext>    = filters stdin data from -pipe option

     Experimental Options
      -mftscan                     = scan $MFT entries [default option for images]
      -rawscan [-cluster_size <#>] = scan each cluster [slow]; use with -image
      -include_vss_clusters        = scan VSS clusters [use w/ -mftscan]
      -include_unalloc_clusters    = scan unalloc clusters [use w/ -mftscan]

The first two options shown above (-file and -pipe) are used to parse individual metadata files. If one has a collection of recycle bin metadata files that need to be processed offline, the -pipe option is the best choice, since it will rip through all the subdirectories, parsing each file in turn.

If one wants to operate on a live system, one can just use the -partition option and specify the drive letter. tia will automatically scan the proper recycle bin artifacts and parse those on the specified volume.

The last main category is the -image option, which is used to target 'dd' images of volumes or any chunk of data. For those cases where a 'dd' image of an entire drive is present, one can use the -offset parameter to specify the offset of the target volume within the drive image. On the other hand, if one desires to scan a blob of data, then the only constraints are: (a) the data is not encrypted, (b) the data is not compressed, and (c) the data is aligned on cluster boundaries. In this mode, tia will scan each cluster, look only for trash artifact signatures, and parse any it finds.

Other Scan Types

The basic scan types target the recycle bin directory and parse any artifact data found there. In addition to the artifacts in this directory, there are other areas that can be scanned as well. For example, one can sometimes find recycle bin artifacts that have been flushed from the recycle bin directory (e.g. permanently deleted), but whose clusters have not been overwritten yet. There are 3 main sources for these deleted artifacts: (a) the MFT entry listing, which may contain an 'unrecycled' MFT entry that still holds a deleted recycle bin artifact [-mftscan], (b) the Volume Shadow store, whose clusters may contain prior snapshots with trash data (embedded in the $MFT file record) [-include_vss_clusters], and (c) any unallocated clusters [-include_unalloc_clusters].

The two main alternate scan types are: (a) -mftscan and (b) -rawscan. When using one of these scan types, tia will report the offset at which the trash metadata was found.

The -mftscan option reads the $MFT and examines every MFT file record for recycle bin signatures. Because the $MFT carries parent/child relationship data, this scan also lets tia build the path of the info2 or $I file it located, which is useful: the user account can then be determined by looking at the SID-named subfolder in that path.

The -rawscan option is a cluster based scan with a twist. It traverses each cluster and checks whether a recycle bin entry signature sits at the start of the cluster. Secondarily, it also checks whether any MFT file records are within the cluster (at the MFT file record boundary), to catch recycle bin data stored in the resident data of an MFT entry. In the default mode, the tool inspects the internals of the volume to determine the cluster size to use. If the tool cannot find the cluster size this way (and one is not explicitly specified), it falls back to the common 4096 byte chunk size. To force a different cluster size, use the sub-option -cluster_size <#>. Finally, keep in mind that because this scan option examines every cluster, it is the slowest of the scanning options.
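The $I record layout from the Background section and the cluster/MFT-record scan just described, as an added example in Python. This is not tia's code or any code from this page: it parses version 1 (Vista/7/8) and version 2 (Win10) $I records, recovers the owning account SID from the $I file's path, and carves records out of a constructed blob both at cluster boundaries and inside the resident $DATA of NTFS FILE records (a $I file is small enough to live resident in its MFT entry, which is why an MFT scan finds them). The field offsets come from the public format documentation; the sample blob, paths, SIDs, timestamps and every function name are constructed for this example. INFO2 (XP) parsing and NTFS update-sequence (fixup) handling are deliberately left out.

```python
"""Parse and carve Windows $I recycle-bin records (added example, not tia's code)."""
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Account subfolders are named by SID; this recovers it from a $I or INFO2 path.
SID_RE = re.compile(r"(?:\$Recycle\.Bin|RECYCLER)\\(S-1-5-[0-9-]+)", re.IGNORECASE)
SAMPLE_DELETED = datetime(2021, 3, 4, 12, 0, 0, tzinfo=timezone.utc)  # constructed


def filetime_to_utc(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data):
    """Parse one $I record at the start of `data`; return a dict or None.

    v1: 8-byte version(1), 8-byte size, 8-byte FILETIME, 520-byte UTF-16 path.
    v2: 8-byte version(2), 8-byte size, 8-byte FILETIME, 4-byte char count, UTF-16 path.
    """
    if len(data) < 28:
        return None
    version, size, ftime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        if len(data) < 544:
            return None
        raw, record_len = data[24:544], 544
    elif version == 2:
        nchars = struct.unpack_from("<I", data, 24)[0]
        if not 1 <= nchars <= 32767 or len(data) < 28 + 2 * nchars:
            return None
        raw, record_len = data[28:28 + 2 * nchars], 28 + 2 * nchars
    else:
        return None
    try:
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
        deleted = filetime_to_utc(ftime)
    except (UnicodeDecodeError, OverflowError):
        return None
    # Plausibility checks keep a carver from reporting random bytes as a hit.
    if not 1990 <= deleted.year <= 2100 or not re.match(r"[A-Za-z]:\\", path):
        return None
    return {"version": version, "size": size, "deleted": deleted,
            "path": path, "record_len": record_len}


def sid_from_path(metadata_path):
    """Return the account SID named by the parent folder of a $I/INFO2 path, or None."""
    m = SID_RE.search(metadata_path)
    return m.group(1) if m else None


def resident_data_from_mft_record(rec):
    """Walk a FILE record's attribute list; return the resident $DATA (0x80) value or None.
    Real records need their update-sequence array applied first; omitted here."""
    if rec[:4] != b"FILE" or len(rec) < 0x38:
        return None
    pos = struct.unpack_from("<H", rec, 0x14)[0]  # offset of first attribute
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x80 and rec[pos + 8] == 0:  # $DATA, resident form
            vlen, voff = struct.unpack_from("<IH", rec, pos + 0x10)
            return rec[pos + voff:pos + voff + vlen]
        pos += alen
    return None


def carve(blob, cluster_size=4096, mft_record_size=1024):
    """Raw scan: test each cluster start for a $I record, then each MFT-record
    boundary inside the cluster for a FILE record whose resident $DATA is a $I."""
    hits = []
    for off in range(0, len(blob), cluster_size):
        cluster = blob[off:off + cluster_size]
        rec = parse_dollar_i(cluster)
        if rec:
            hits.append({"offset": off, "source": "cluster", **rec})
        for roff in range(0, len(cluster), mft_record_size):
            data = resident_data_from_mft_record(cluster[roff:roff + mft_record_size])
            rec = parse_dollar_i(data) if data else None
            if rec:
                hits.append({"offset": off + roff, "source": "mft-resident", **rec})
    return hits


def build_dollar_i(version, size, deleted, path):
    """Constructed test data: serialize a $I record in the requested format version."""
    ft = int((deleted - FILETIME_EPOCH).total_seconds()) * 10_000_000
    p = path.encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + p.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + p + b"\x00\x00"


def build_mft_record(resident_data, record_size=1024):
    """Constructed test data: minimal FILE record holding `resident_data` as resident $DATA."""
    hdr = bytearray(0x38)
    hdr[0:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, 0x01)  # first attribute offset, in-use flag
    alen = (0x18 + len(resident_data) + 7) & ~7
    attr = bytearray(alen)
    struct.pack_into("<IIBBHHH", attr, 0, 0x80, alen, 0, 0, 0x18, 0, 0)
    struct.pack_into("<IH", attr, 0x10, len(resident_data), 0x18)  # value length/offset
    attr[0x18:0x18 + len(resident_data)] = resident_data
    return (bytes(hdr) + bytes(attr) + b"\xff\xff\xff\xff").ljust(record_size, b"\x00")


def demo_blob():
    """Three 4 KiB clusters: a v1 $I at cluster 0, filler, a v2 $I resident in an MFT record."""
    i1 = build_dollar_i(1, 1024, SAMPLE_DELETED, r"C:\Users\alice\Documents\report.docx")
    i2 = build_dollar_i(2, 2048, SAMPLE_DELETED, r"C:\Users\bob\secrets.txt")
    return (i1.ljust(4096, b"\x00") + b"\x00" * 4096
            + (b"\x00" * 1024 + build_mft_record(i2)).ljust(4096, b"\x00"))


if __name__ == "__main__":
    for h in carve(demo_blob()):
        print(f"{h['offset']:#08x} {h['source']:<12} {h['deleted']:%Y-%m-%d %H:%M:%S} {h['path']}")
```

The plausibility checks (year range, drive-letter prefix, bounded character count) are what separate a usable carver from one that floods the report with false hits when run over unallocated or shadow-store clusters; tighten them to the case at hand rather than dropping them.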

Volume Shadow Copies

When using the -include_vss_clusters option, tia will locate the Volume Shadow Stores and their respective cluster runs. From this list, the tool will then run in semi-rawscan mode by analyzing each of the clusters for signature types associated with recycle bin artifacts.

As a point of clarification, tia will not try to reconstruct the VSS volume and the various snapshots over time, but will do a brute force scan on the raw clusters associated with the shadow store. The results are annotated so the analyst can see which entry came from which shadow store, along with the image offset.

Reports

All the reports use one line per entry, with each field separated by a delimiter of your choice. For the scan options that go outside the trash directory, such as -mftscan, -include_vss_clusters, etc., the offset is also annotated in the results so the analyst can review the raw data if desired.

For other output options, such as HTML, JSON, or SQLite, refer to the csvdx tool from TZWorks, which can take the output from tia (or any other TZWorks tool) and reformat it into one of those listed.


List of options

Option Description
-file Specifies the file to parse. Syntax is -file <filename>
-pipe Used to pipe files into the tool via STDIN (standard input). Each file passed in is parsed in sequence.
-enumdir Experimental. Used to process files within a folder and/or subfolders. Each file is parsed in sequence. The syntax is -enumdir <"folder"> -num_subdirs <#>.
-partition Windows option only. Extracts artifacts from a mounted Windows volume. The syntax is -partition <drive letter>
-image Extracts artifacts from a Windows volume specified by an image and volume offset. The syntax is: -image <filename> -offset <volume offset>
-filter Filters data passed in via STDIN via the -pipe option. The syntax is -filter <"*.ext|*partialname*|...">. The wildcard character '*' is restricted to either before the name or after the name.
-csv Outputs the data fields delimited by commas. Since filenames can have commas, to ensure the fields are uniquely separated, any commas in the filenames get converted to spaces.
-csvl2t Outputs the data fields in accordance with the log2timeline format.
-no_whitespace Used in conjunction with -csv option to remove any whitespace between the field value and the CSV separator.
-csv_separator Used in conjunction with the -csv option to change the CSV separator from the default comma to something else. Syntax is -csv_separator "|" to change the CSV separator to the pipe character. To use the tab as a separator, one can use the -csv_separator "tab" OR -csv_separator "\t" options.
-dateformat Output the date using the specified format. Default behavior is -dateformat "yyyy-mm-dd". Using this option allows one to adjust the format to mm/dd/yy, dd/mm/yy, etc. The restriction with this option is the forward slash (/) or dash (-) symbol needs to separate month, day and year and the month is in digit (1-12) form versus abbreviated name form.
-timeformat Output the time using the specified format. Default behavior is -timeformat "hh:mm:ss.xxx" One can adjust the format to microseconds, via "hh:mm:ss.xxxxxx" or nanoseconds, via "hh:mm:ss.xxxxxxxxx", or no fractional seconds, via "hh:mm:ss". The restrictions with this option is that a colon (:) symbol needs to separate hours, minutes and seconds, a period (.) symbol needs to separate the seconds and fractional seconds, and the repeating symbol 'x' is used to represent number of fractional seconds.
-quiet This option suppresses any intermediate progress during a session run
-mftscan Scan each MFT entry in the $MFT for recycle bin metadata artifacts. Also, scans the Volume shadows, if accessible.
-rawscan Scan each cluster for recycle bin metadata signatures. If found they are carved and parsed. Since this is a cluster based scan, there is a sub-option -cluster_size to force the search to use the specified boundary. The value given needs to be consistent with the cluster sizes available for Windows. Without specifying a cluster size, the tool will try to determine the proper boundary by looking at the internals of the volume. For the scan to be effective, the cluster data cannot be encrypted or compressed.
-include_vss_clusters Scan Volume Shadow Store clusters for any recycle bin metadata artifacts.
-include_unalloc_clusters Scan unallocated clusters for any recycle bin metadata artifacts.
-utf8_bom All output is in Unicode UTF-8 format. If desired, one can prefix an UTF-8 byte order mark to the CSV output using this option.

Authentication and License File

This tool has authentication built into the binary. The primary authentication mechanism is the digital X509 code signing certificate embedded into the binary (Windows and macOS).

The other mechanism is the runtime authentication, which applies to all the versions of the tools (Windows, Linux and macOS). The runtime authentication ensures that the tool has a valid license. The license needs to be in the same directory of the tool for it to authenticate. Furthermore, any modification to the license, either to its name or contents, will invalidate the license.

Limited versus Demo versus Full in the tool's output banner

The tools from TZWorks will output header information about the tool's version and whether it is running in limited, demo or full mode. This is directly related to which version of a license the tool authenticates with. The limited and demo keywords indicate that some functionality of the tool is not available, and the full keyword indicates that all the functionality is available. The lacking functionality in the limited or demo versions may mean one or all of the following: (a) certain options may not be available, (b) certain data may not be output in the parsed results, and (c) the license has a finite lifetime before expiring.


Version history

