Topic: Retrieve Files from offline Recycle Bin with PE

Retrieve Files from offline Recycle Bin with PE
« on: July 05, 2019, 08:00:35 PM »

bob.omb

  • Code Baker
  • Grand Chef
  • *****
  • Location: USA
  • Date Registered: Jul 2017
  • Posts: 1261
Has anyone ever seen this performed? As the title states, I am looking for a way to access files inside an offline Windows installation's Recycle Bin.

I can see the $RecycleBin folder at the root of the offline system, but there are several RecycleBins inside, which all contain nothing.

Re: Retrieve Files from offline Recycle Bin with PE
« Reply #1 on: July 05, 2019, 08:20:11 PM »

James

  • Grand Chef
  • *****
  • Location: USA
  • Date Registered: Dec 2017
  • Posts: 2272
Here is some additional info about that:
If I delete PE files while in PE and reboot, the Bin is emptied.
If I delete Host files while in PE and reboot, the Bin is NOT emptied.

I assume the Bin does not contain the deleted file, but a marker to the hidden file.

Re: Retrieve Files from offline Recycle Bin with PE
« Reply #2 on: July 06, 2019, 12:08:52 AM »

slore

  • WimBuilder
  • Sr. Chef
  • ****
  • Date Registered: Jun 2016
  • Posts: 664
The folders in $RecycleBin are the users' SIDs.

I can see the files that I deleted.

D:\$RECYCLE.BIN>dir /b /s /a-d
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I08E7PE.bat
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I0IZ9YD.bat
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I1MD6D6.png
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I25YO2X.bat
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I2BNJ7L.bat
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I2NE9I6.jcfg
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I2QI3QH.cpp
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I2SEZQ4.h
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I3NA8UE.png
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I404FC6.js
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I4LFUN5.bat
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I5KWL2Q.js
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I5MPD7P.bat
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I5N78ES.cmd
D:\$RECYCLE.BIN\S-1-5-21-985247172-2772233126-3468038988-1001\$I6QFN7L.js
...


Rename the folders named with the SID in PE? (Copy $RECYCLE.BIN to new disk drives.)

Or clone the offline system's HKLM\SECURITY\SAM, HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList to PE,
and log on with the same user? (I haven't tried...)

Trying some deleted-file recovery tools may be easy for that.
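
The $I files in the listing above are small metadata records, and each one pairs with a $R file of the same suffix that holds the deleted content. The parser below is an added example, not part of the thread or any poster's code. It assumes the commonly documented Vista-and-later $I layout (version, original size, deletion FILETIME, UTF-16 path), which the thread itself does not state; the sample record and the script name parse_i.py are constructed.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def parse_i_file(data):
    """Parse a $I metadata record (layout assumed: Vista and later)."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ticks = struct.unpack_from("<qqQ", data, 0)
    if version == 1:      # Vista to 8.1: fixed 260-character path field
        raw = data[24:24 + 520]
    elif version == 2:    # Windows 10 and later: length-prefixed path
        if len(data) < 28:
            raise ValueError("truncated version 2 header")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("path shorter than declared length")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_utc": EPOCH_1601 + timedelta(microseconds=ticks // 10),
            "original_path": path}

def content_name(i_name):
    """Map '$I08E7PE.bat' to the name of its content file, '$R08E7PE.bat'."""
    if not i_name.upper().startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]

def make_sample_v2(path, size, when):
    """Build a constructed version 2 record so the parser can run offline."""
    ticks = ((when - EPOCH_1601) // timedelta(microseconds=1)) * 10
    name = (path + "\x00").encode("utf-16-le")
    return struct.pack("<qqQI", 2, size, ticks, len(name) // 2) + name

if __name__ == "__main__":
    # Hypothetical usage: python parse_i.py D:\$RECYCLE.BIN  (reads only)
    for f in Path(sys.argv[1]).rglob("$I*"):
        try:
            info = parse_i_file(f.read_bytes())
        except (ValueError, OverflowError, OSError) as exc:
            print(f"{f}: skipped ({exc})")
            continue
        print(f.with_name(content_name(f.name)), "<-", info["original_path"],
              info["original_size"], info["deleted_utc"])
```

The script only reads the $I files, so it does not touch attributes or permissions on the offline volume; copying the matching $R file out under its original name is a separate step.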


Re: Retrieve Files from offline Recycle Bin with PE
« Reply #3 on: July 06, 2019, 03:09:54 AM »

bob.omb

I can see them during the copy process, but otherwise, before and after, they are invisible.

I may try to make a tool that grabs the contents, although I am a bit worried about playing with attributes or permissions and negatively impacting the host. I have never seen a use for this yet, but I thought it was an interesting question. Someone asked me today IRL.


Re: Retrieve Files from offline Recycle Bin with PE
« Reply #4 on: July 06, 2019, 03:57:33 PM »

SIW2

  • Code Baker
  • Chef
  • ***
  • Date Registered: Jul 2012
  • Posts: 197
Diskgenius is one way.

 
