How to copy the INFO2 file in the Recycle Bin


mark

Nov 14, 2006, 4:38:03 PM
to Forensic Ideas
Hello,

I am new to computer forensics and looking for some help in analyzing the
INFO2 file on a WinXP system. I know that the file is hidden. What I
am trying to find out is how to copy or move or locate the file on the
WinXP system so I can port it over to a Linux system and run any of the
various tools against it. Again I can see it in c:\recycler\SID
-*--*.... But how can I move it to either an external media or netcat?

Thanks for your help in advance.

Mark

dtabone

Nov 15, 2006, 4:27:02 AM
to Forensic Ideas
Hi Mark,

I am not sure I understand your difficulty; however, if you want to copy
the file over to an external device such as a pendrive, what you need
to do is ATTRIB -S -H -R INFO2 in the folder where you see INFO2.
That should allow you to copy it to another location.
Bear in mind that only the original full name and path are stored in this
mapping file (INFO2).

Hope it helps!

D.

Subby

Nov 16, 2006, 7:08:38 AM
to Forens...@googlegroups.com
Hi Mark,

To do a correct analysis of the files you probably should have done a direct copy of the media before you began. If this case is going to be pursued at a further level I would recommend that you stop, disk image, and then proceed to analyse with something like EnCase or maybe even a Linux distribution such as Helix.

You can analyse the files there further.

Cheers
Matt

mark

Nov 17, 2006, 6:40:21 AM
to Forensic Ideas
Matt,

Thanks. Yes, I would image the system, then pipe it over to a Linux
box. From there I could mount that image, but what do I use to read
the INFO2 file? I read about using a hex editor, but when I go to
"open" a file it will not be listed. With Helix, how can I find the
INFO2 file on the copied image?

thanks for your help in advance.

mark

Subby

Nov 18, 2006, 11:47:25 PM
to Forens...@googlegroups.com

Hi Mark,

For this one I am going to make a bunch of assumptions, so if I get something wrong please bear with me. I am assuming for this exercise that the system that requires analysis is a Windows XP box with Service Pack 2, although the process should be similar on most XP-based systems. (If it's not I would be extremely surprised.)

Once the device has been imaged :), mount the image and within your favourite analysis environment change to the drive in which you are interested.

Once in the drive, change to the directory RECYCLER and look for a folder that should look like:

S-1-5-21-(a whole bunch of numbers)-(a whole bunch of numbers)-(a whole bunch of numbers)-(a whole bunch of numbers)

Change into this folder; it is quite possible that there may be many of these folders.

Once in the folder look for the file INFO2 and review the file.

Alternatively... - *** Other option ***

Using your DOS prompt, execute the following commands:

  *  Change into the root folder of the system by issuing the command

cd \

  *  Change into the directory RECYCLER by issuing the command

cd RECYCLER

  *  To see all the entities within this location use the following command

dir /a

  *  Change into the identified directories by issuing the command

cd S-1-5-21-(a whole bunch of numbers)-(a whole bunch of numbers)-(a whole bunch of numbers)-(a whole bunch of numbers)

  *  Or use the command below to see the contents of all of the subdirectories

dir /s/a

  *  Once you see the file INFO2 use the "type" command to show the contents

type INFO2

  *  If you want this output directed to another place, then use the I/O redirection commands to move it somewhere else (if this is not the original image :D)

type INFO2 > c:\analysis.txt

Hope this helps; let me know if you have any other questions.
Matt
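Once the INFO2 file has been located on the mounted image, the remaining question in the thread is how to read it, since "type INFO2" only shows the embedded paths and not the deletion times. The following Python script is an added example, not code from the thread or from Helix. It assumes the Windows 2000/XP INFO2 layout (a 20-byte header followed by 800-byte records, each holding the ANSI original path, record index, drive number, FILETIME deletion time, file size and UTF-16LE original path), builds a small constructed INFO2 blob so it runs offline, parses it, and includes a helper that walks a mount point for INFO2 files under RECYCLER or RECYCLED directories. The sample paths, times and sizes are made up; the function and variable names are the example's own.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 index file.

Added example; not code from the original thread. Assumed layout:
  20-byte header : version (uint32), two uint32 unknown fields,
                   record size (uint32, 800 on XP), one uint32 unknown field
  800-byte record: 260-byte ANSI original path, uint32 record index,
                   uint32 drive number (0 = A:, 2 = C:), uint64 FILETIME
                   deletion time, uint32 size, 520-byte UTF-16LE original path
"""
import os
import struct
from datetime import datetime, timedelta, timezone

HEADER_FMT = "<IIIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 20 bytes
ANSI_PATH_LEN = 260
UNICODE_PATH_LEN = 520
RECORD_SIZE = 800                            # 260 + 4 + 4 + 8 + 4 + 520
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the sample."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data):
    """Return one dict per record found in the INFO2 blob."""
    if len(data) < HEADER_SIZE:
        raise ValueError("INFO2 data shorter than the 20-byte header")
    version, _, _, record_size, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if record_size != RECORD_SIZE:
        # Older Win9x "Recycled" indexes used a shorter record without the
        # Unicode path; this parser only understands the 2000/XP layout.
        raise ValueError("unsupported INFO2 record size %d" % record_size)
    records = []
    offset = HEADER_SIZE
    while offset + record_size <= len(data):
        rec = data[offset:offset + record_size]
        ansi_raw = rec[:ANSI_PATH_LEN]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, ANSI_PATH_LEN)
        uni_raw = rec[ANSI_PATH_LEN + 20:ANSI_PATH_LEN + 20 + UNICODE_PATH_LEN]
        unicode_path = uni_raw.decode("utf-16-le", "replace").split("\x00", 1)[0]
        # When an entry is emptied from the bin, XP overwrites the first byte of
        # the ANSI path with 0: the slot stays in the file but is marked purged,
        # and the Unicode copy of the path usually survives untouched.
        purged = ansi_raw[0] == 0
        ansi_path = ansi_raw.decode("latin-1").split("\x00", 1)[0]
        records.append({
            "version": version,
            "index": index,
            "drive": chr(ord("A") + drive) + ":",
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            "ansi_path": ansi_path,
            "unicode_path": unicode_path,
            "purged": purged,
        })
        offset += record_size
    return records


def build_record(path, index, drive, deleted_at, size, purged=False):
    """Construct one 800-byte record (sample data, not from a real system)."""
    ansi = path.encode("latin-1").ljust(ANSI_PATH_LEN, b"\x00")
    if purged:
        ansi = b"\x00" + ansi[1:]
    uni = path.encode("utf-16-le").ljust(UNICODE_PATH_LEN, b"\x00")
    meta = struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted_at), size)
    return ansi + meta + uni


# Constructed sample: XP header (version 5) plus one live and one purged entry.
SAMPLE_INFO2 = (
    struct.pack(HEADER_FMT, 5, 0, 0, RECORD_SIZE, 0)
    + build_record(r"C:\Documents and Settings\mark\Desktop\notes.txt", 1, 2,
                   datetime(2006, 11, 14, 16, 38, 3, tzinfo=timezone.utc), 4096)
    + build_record(r"C:\temp\old.log", 2, 2,
                   datetime(2006, 11, 15, 9, 0, 0, tzinfo=timezone.utc), 8192,
                   purged=True)
)


def find_info2_files(mount_root):
    """Walk a mounted image and return every INFO2 under a RECYCLER/RECYCLED tree."""
    hits = []
    for dirpath, _dirs, files in os.walk(mount_root):
        parts = [p.upper() for p in dirpath.split(os.sep)]
        if any(p in ("RECYCLER", "RECYCLED") for p in parts):
            hits.extend(os.path.join(dirpath, f) for f in files if f.upper() == "INFO2")
    return hits


if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        flag = " (purged)" if r["purged"] else ""
        print("%s  %s  %8d  %s%s" % (r["deleted_at"].isoformat(), r["drive"],
                                      r["size"], r["unicode_path"], flag))
```

On a mounted image, replace SAMPLE_INFO2 with the bytes read from one of the paths returned by find_info2_files("/mnt/image"), and mount the image read-only so the analysis itself does not alter the evidence. The parser reads the record size from the header rather than assuming it, so a file from an unexpected Windows version fails loudly instead of producing nonsense offsets.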

subscape

Nov 18, 2006, 11:56:52 PM
to Forensic Ideas
NOTE: You may also notice though that this process is in no way
forensically correct, making the results that are gathered from this
medium totally unreliable in court, as without a write blocking device
the underlying device information will change.

Matt
