Cyber Dumpster-Diving: $Recycle.Bin Forensics for Windows 7 and Windows Vista
Abstract
Analysis of deleted files often provides useful information for the forensic computer examiner. Knowing where to find the deleted files, and how to interpret the metadata associated with the file's deletion, makes up the cornerstone of a successful forensic computer examination. Much like an office trash-can, the Microsoft Windows Recycle Bin is a temporary holding container for files that have been recently discarded (deleted) by the user. Microsoft first introduced the Recycle Bin with its Windows 95 Operating System (released in 1995). This original Recycle Bin implementation was modified for the implementations of the Windows XP Operating System (released in 2001), the Windows Vista Operating System (released in 2007) and the Windows 7 Operating System (released in 2009). Although the Windows XP Recycle Bin is well understood by the forensic examiner community, the Recycle Bins found in Windows Vista and Windows 7 are generally significantly less understood. In this paper, the author compares and contrasts the similarities and differences of the Recycle Bin of the Windows Vista and Windows 7 Operating Systems, and the Recycle Bin of the Windows XP Operating System. In this investigation, the author points out the details of each implementation that are of interest to the forensic computer examiner.
Similar sources
Messenger Forensics on Windows Vista and Windows 7
The purpose of this study is to identify several areas of forensic interest within the Yahoo! Messenger application, which are of forensic significance. This study focuses on new areas of interest within the file structure of Windows Vista and Windows 7. One of the main issues with this topic is that little research has been previously conducted on the new Windows platforms. Previously conducte...
Shadow Volume Trash: $Recycle.Bin Forensics for Windows 7 and Windows Vista Shadow Volumes
According to Microsoft, over one-third of all data loss is the result of accidental file deletion or modification (Microsoft, 2003). The Volume Shadow Copy Service is a Windows operating system service that archives key data and system settings. This allows Windows 7 and Windows Vista to recover from accidental data deletion and from destabilizing events, such as a virus attack or the incorrect...
Acquisition of Network Connection Status Information from Physical Memory on Windows Vista Operating System
A method to extract network connection status information from physical memory on the Windows Vista operating system is proposed. Using this method, a forensic examiner can accurately extract the current TCP/IP network connection information, including the IDs of the processes which established the connections, the establishing time, local address, local port, remote address, remote p...
Yahoo! Messenger Forensics on Windows Vista and Windows 7
The purpose of this study is to indicate several areas of interest within the Yahoo! Messenger application that are of forensic significance. This study will mainly focus on new areas of interest within the file structure of Windows Vista and Windows 7. One of the main issues with this topic is that little research has been previously conducted on the new Windows platforms. The previously condu...