Trash Inspection & Analysis (tia)

Introduction

tia is a command line version of a tool to parse Windows recycle bin artifacts. The tool was designed to work with the different versions of recycle bin formats from WinXP to Win10. The reports generated are various flavors of CSV output to allow maximum flexibility in exporting the results to a spreadsheet or another database.

Background

In Windows, when a user deletes a file, the operating system renames the file and then puts it into a temporary directory. It stays in the temporary directory until the trash is emptied. During the deletion process and under the covers, Windows creates another companion file that contains the metadata associated with the deleted file. This metadata contains the deletion time along with the path/name of the file or folder that was deleted.

The temporary folder that stores the deleted entry and its associated metadata is located in the Recycle Bin directory. For Windows XP, this root directory is the Recycler folder and the target file containing the metadata is the info2 file. Each account on the machine has its own subfolder, whose name is the SID (Security Identifier) of the user account. For example, when looking at the C: drive, the path would be C:\Recycler\{account SID}\info2.

For Windows Vista and later, the root directory is the $Recycle.Bin folder, and the metadata files are the ones whose names begin with the characters $I followed by some random characters. These are likewise located in each account's SID-named subfolder.

From a forensics standpoint, parsing the metadata in these files allows one to see which files and/or folders were deleted and when, and, from the trash subdirectory they sit in, which user account was responsible for the deletion. Below is a screenshot of the two types of trash directory structures for Windows. The first is for WinXP and the second applies to Vista on up to Win10. The areas highlighted in red are the file types that tia processes.

[Screenshot: recycle bin directory structures, WinXP (Recycler/info2) and Vista+ ($Recycle.Bin/$I files)]
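As an added illustration of the metadata described above (this is example code, not part of tia or any TZWorks tool), the following parser reads a Vista-and-later $I record and recovers the owning account SID from the record's location. It assumes the publicly documented $I layout: an 8-byte version (1 for Vista through Win8.1, 2 for Win10), an 8-byte original file size, an 8-byte FILETIME deletion timestamp, and then either a fixed 520-byte UTF-16LE path (version 1) or a 4-byte character count followed by the UTF-16LE path (version 2). The sample record is constructed inline for offline use.

```python
import re
import struct
from datetime import datetime, timedelta, timezone


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_dollar_i(data: bytes) -> dict:
    """Parse a Vista+ $I record: version, original size, deletion FILETIME, original path."""
    if len(data) < 24:
        raise ValueError("truncated $I record: header needs at least 24 bytes")
    version, file_size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista through Win8.1: fixed 260-char (520-byte) UTF-16LE, null-padded path
        raw = data[24:24 + 520]
    elif version == 2:
        # Win10: 4-byte character count (includes the terminator) then the UTF-16LE path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "file_size": file_size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}


# Account SIDs under $Recycle.Bin look like S-1-5-21-<3 subauthorities>-<RID>
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}", re.IGNORECASE)


def account_sid_from_location(location: str):
    """Recover the owning account SID from the $I file's own path inside $Recycle.Bin."""
    m = SID_RE.search(location)
    return m.group(0) if m else None


def build_sample_v2() -> bytes:
    """Constructed Win10-style $I record (not a real artifact) for offline testing."""
    path = "C:\\Users\\alice\\Documents\\report.docx"
    ft = 132223104000000000  # FILETIME for 2020-01-01 00:00:00 UTC
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, 4096, ft, len(path) + 1) + encoded


if __name__ == "__main__":
    rec = parse_dollar_i(build_sample_v2())
    # Hypothetical location of the record; the SID subfolder names the deleting account
    sid = account_sid_from_location(r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\$IABC123.docx")
    print("|".join([sid or "?", rec["deleted_utc"].isoformat(),
                    str(rec["file_size"]), rec["original_path"]]))
```

The one-line, delimiter-separated print mirrors the CSV-style report layout tia produces; a version-1 record parses the same way except that its path field is fixed-length.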

Usage

The tia tool is flexible in that it allows one to process trash artifacts from a number of sources. For example, one can: (a) parse an individual recycle bin metadata file, (b) target a recycle bin directory on a specified volume, (c) scan/carve the entire volume for recycle bin metadata, or (d) process recycle bin metadata in an offline manner by feeding artifacts into STDIN (standard input).

Below is the menu with the various options:

[Screenshot: tia menu options]

The basic scan types target the recycle bin directory and parse any artifact data found there. In addition to the artifacts in this directory, there are other areas that can be scanned as well. For example, one can sometimes find recycle bin artifacts that have been flushed from the recycle bin directory (e.g. permanently deleted) but whose clusters have not been overwritten yet. There are three main sources for these deleted artifacts: (a) the MFT entry listing, which may have an 'unrecycled' MFT entry that still contains a deleted recycle bin artifact [-mftscan], (b) the Volume Shadow store, whose clusters may hold prior snapshots with trash data (embedded in the $MFT file record) [-include_vss_clusters], and (c) any unallocated clusters [-include_unalloc_cluster].

Reports

All the reports use some form of a single line per entry, where each field is separated by a delimiter of your choice.

For the scan options that go outside the trash directory, such as -mftscan, -include_vss_clusters, etc., the offset is also annotated in the output so the analyst can review the raw data if desired.

For other output options, such as HTML, JSON, or SQLite, refer to the csvdx tool from TZWorks, which can take the output from tia (or any other TZWorks tool) and reformat it into one of those formats.


For more information

The user's guide can be viewed here.

If you would like more information about tia, contact us via email.

Downloads

               32-bit Version             64-bit Version             Checksums
Windows:       tia32.v.0.18.win.zip       tia64.v.0.18.win.zip       md5/sha1
Linux:         tia32.v.0.18.lin.tar.gz    tia64.v.0.18.lin.tar.gz    md5/sha1
Mac OS X:      tia.v.0.18.osx.tar.gz      tia.v.0.18.osx.tar.gz      md5/sha1

* 32-bit apps can run in a 64-bit Linux distribution if "ia32-libs" (and dependencies) are present.