Course 36 - Windows Forensics and Tools | Episode 10: Decoding Metadata and File Internals - CyberCode Academy

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
So picture a corporate embezzler sitting in a dimly lit
office late at night.

Speaker 2 (00:06):
Oh, setting the scene right away.

Speaker 1 (00:08):
Yeah, I mean, we've got it. So they've just transferred
the last of the illicit funds, right, and now it's
time to cover their tracks, right, they find the master spreadsheet,
rite click and hit delete, and then just to be
you know, absolutely certain, they right click that little trash
can icon on their desktop and hit empty the classic
double tap exactly. The screen blinks, the icon goes from

(00:29):
full to empty, and in their mind that document is
just vaporized, like it's a digital magic trick and they
are a ghost.

Speaker 2 (00:37):
Yeah. It's a very comforting illusion for the user, honestly.
I mean, the whole interface is designed to make you
feel like you just tossed a physical document into an incinerator.

Speaker 1 (00:45):
That's not what's happening at all.

Speaker 2 (00:46):
Is it not even close? From an architectural standpoint. The
operating system hasn't actually destroyed anything. It's simply been quietly
building this meticulously structured dossier behind the scenes.

Speaker 1 (00:58):
Which really brings us to the core emission of our
deep dive today, because for anyone working in programming or
cybersecurity or digital forensics. That empty trash can is absolutely
not a dead end.

Speaker 2 (01:11):
Oh no, it's a gold mine. Right.

Speaker 1 (01:13):
So we are venturing into the hidden mechanics of the
Windows operating system today to basically dismantle that magic trick.
We're going to explore the underlying architecture of the recycle bin.

Speaker 2 (01:24):
Yeah, and we'll look at how the system actively manages deleted.

Speaker 1 (01:26):
Files exactly, and uncover how investigators extract just this massive
amount of hidden data from pointers and metadata that well
most users assume are completely gone.

Speaker 2 (01:39):
Because that disconnect between user expectation and system reality, that's
what makes this such a compelling area to study.

Speaker 1 (01:45):
So true.

Speaker 2 (01:46):
I mean, when someone hits delete, the standard deletion processes
don't permanently eradicate the binary data on the hard drive.
They just move it, right, Yeah, exactly. The operating system
just moves the file to a hidden system folder and
updates its internal pointers.

Speaker 1 (01:59):
So the physical ones and zeros making up that file, they're.

Speaker 2 (02:02):
Still perfectly intact. They're occupying the exact same physical sectors
on the disc.

Speaker 1 (02:08):
Okay, but power users, and I know a lot of
you listening are power users. You know, there's a bypass
built into the.

Speaker 2 (02:14):
Os AH the shift delete.

Speaker 1 (02:16):
Yes, holding down the shift key while hitting delete. That
skips the recycle bin entirely.

Speaker 2 (02:22):
It does change the behavior. Yeah, but I want to
be clear. It still doesn't instantly wipe the drive.

Speaker 1 (02:27):
Wait, really it doesn't.

Speaker 2 (02:28):
No, it just bypasses that hidden system holding folder. What
it does is it severs the primary pointer to the
file and flags that specific physical space on the hard
drive as well unallocated.

Speaker 1 (02:41):
Okay, so it's basically telling the operating system, hey, this
space is now available for new data to be written
over it precisely.

Speaker 2 (02:48):
But until that override actually happens, which could be minutes
or months, the.

Speaker 1 (02:52):
Original data is just sitting there in.

Speaker 2 (02:53):
The dark exactly. It's just sitting there waiting to be overwritten.

Speaker 1 (02:57):
Wow. Okay. So, barring a shift delete, standard delution relies
on this hidden system directory to hold the files in limbo.
But the structure and location of that holding area hasn't
exactly been static over the years, has it.

Speaker 2 (03:11):
No, not at all. It's undergone several major evolutions.

Speaker 1 (03:15):
So if we are tracking an artifact across different areas
of hardware, where exactly is the operating system stashing these files?

Speaker 2 (03:24):
Well, it mirrors the shift from older simpler file systems
too much more complex multi user environments. So if we
look back at older systems running Windows ninety five ninety eight.

Speaker 1 (03:35):
Me seaking us way back.

Speaker 2 (03:36):
Yeah, the holding area was a hidden folder on the
root of the drive, and it was simply called.

Speaker 1 (03:40):
Recycled, just recycled, no special characters or anything.

Speaker 2 (03:43):
Just recycled. But then as operating systems matured and moved
toward the NT architecture, so we're talking Windows NT two thousand.

Speaker 1 (03:50):
XP naming convention shifted.

Speaker 2 (03:52):
Right, it updated to recycler. But the really significant architectural shift,
the one that matters most to us today, happened with
the introduction of Windows.

Speaker 1 (03:59):
Vista, and that carried through Windows seven eight and Windows ten.

Speaker 2 (04:02):
Right, yes, exactly. The hidden folder was renamed to dollar
sign recycle dot bin.

Speaker 1 (04:08):
So recycle dot bin, and that progression from just recycled
to recycle dot bin. That kind of tracks with the
OS becoming way more sophisticated about user profiles.

Speaker 2 (04:17):
Right, Oh, absolutely. Think about the Windows ninety five days,
a family or a small office usually shared one single
desktop environment. Everyone just logged into.

Speaker 1 (04:27):
The same screen, right, There was no user separation.

Speaker 2 (04:29):
Yeah, but modern Windows environments are built for multiple concurrent users.
So if you have an enterprise machine shared by five
different employees and they're all deleting files, they.

Speaker 1 (04:39):
Aren't just dumping their data into one massive communal pile
inside that recycled dot binfolder.

Speaker 2 (04:44):
They absolutely are not. And this is where the filesystem
becomes highly organized.

Speaker 1 (04:48):
So what does it do inside that folder?

Speaker 2 (04:50):
Well, inside the recycle dot binfolder, the OS automatically generating subdirectories.
But these subdirectories aren't named, you know, User A or
User B.

Speaker 1 (04:58):
They're named using sids. Right, Security identifiers.

Speaker 2 (05:01):
We got it sids.

Speaker 1 (05:02):
And for anyone who has dug into Windows permissions before,
you know, the SID is that long alphanumeric string the
OS uses to uniquely identify a specific user account or group.

Speaker 2 (05:13):
Right, So the system creates a dedicated path essentially recycledt
bin slash and then the SID for every single user
who deletes a file.

Speaker 1 (05:22):
Man. From a forensic standpoint, that structure is just devastating
to a suspect attempting to deny involvement.

Speaker 2 (05:29):
Oh, it completely ruins their day.

Speaker 1 (05:30):
I see the implications there. It completely neutralizes the whole
somebody else used my computer defense.

Speaker 2 (05:36):
Exactly if a forensic investigator isolates a malicious script, or
say an illicit document inside one of those directories, the
SID acts as a cryptographic fingerprint.

Speaker 1 (05:46):
Because it explicitly ties the deletion of that specific file
to the exact user session that performed the action.

Speaker 2 (05:53):
It leaves absolutely no ambiguity. You don't just know what
was deleted, you know exactly whose profile was logged in
and active when that delete command was executed.

Speaker 1 (06:01):
The digital trail is entirely compartmentalized by user identity.

Speaker 2 (06:05):
Yeah, very robust.

Speaker 1 (06:06):
Okay, so that covers the modern structure how it compartmentalizes
the files by user. But let's look backward for a
second at how the operating system actually indexed all these files.

Speaker 2 (06:15):
Okay, sure, because.

Speaker 1 (06:16):
If we go back to the Windows XP era, the
OS had to track the original paths of all these
deleted documents so it could offer the user that handy
little restore option. How did it manage that mapping?

Speaker 2 (06:29):
Well, Windows XP utilized a highly rigid, centralized index system.
When a file was moved to the recycler folder, the
operating system basically stripped away its original name entirely.

Speaker 1 (06:40):
Oh wow.

Speaker 2 (06:40):
Yeah, it applied a really strict formula to rename it instead.

Speaker 1 (06:43):
Okay, walk us through that formula. What did it look like?

Speaker 2 (06:46):
So every deleted file was assigned a new name starting
with the letter D, which presumably stands for deleted.

Speaker 1 (06:51):
Makes sense.

Speaker 2 (06:52):
Next, the OS appended the original drive letter where the
file resided. So if you deleted a file from the
C drive, the new name began with DC.

Speaker 1 (07:01):
Following that logic, if I deleted a file from a
secondary D drive, it would start with.

Speaker 2 (07:05):
DD correct, and then after the drive letter, the system
assigned an incrementing sequential number just one, two, three, and
so forth. Okay, finally it retained the file's original extension.

Speaker 1 (07:16):
Got it. So your very first deleted spreadsheet from the
C drive becomes DC one dot xlsx exactly, and a
subsequent image file deleted from that same drive becomes DC
two dot jpg.

Speaker 2 (07:29):
You're tracking perfectly. That's exactly how it worked.

Speaker 1 (07:31):
But that seems incredibly short sighted from a database perspective.
How so, Well, if I'm looking at a directory just
filled with files named DC one, DC two, and DC three,
all the contextual metadata is gone. It's like putting all
your trash into identical blank boxes labeled box one. Box two.
How does the computer know what's inside to restore it?

Speaker 2 (07:51):
Ah? And that is where the magic ledger comes in.
That translation was handled by a massive, monolithic database file
called IFO.

Speaker 1 (07:58):
Two info two.

Speaker 2 (07:59):
Yeah, hidden file set directly inside the recycler folder, and
it functioned as the master ledger for the entire deletion system.

Speaker 1 (08:06):
So while the physical file sat there with those generic
DC one names.

Speaker 2 (08:09):
The IFO two database kept a meticulous byte level record
of their true identities.

Speaker 1 (08:15):
Fascinating, So what did a single record inside that IFO
two database actually look like? Structurally?

Speaker 2 (08:21):
It was a static flat file database, So every single
file sent to the BIN generated a dedicated eight hundred
byte record inside the IFO two.

Speaker 1 (08:31):
Ledger, exactly eight hundred bytes.

Speaker 2 (08:32):
Exactly eight intabytes. Within that fixed space, the system recorded
the file's original size, the full original file path, and
the size of the file after deletion.

Speaker 1 (08:42):
I mean, the architecture makes sense for that era, but
relying on a single centralized flat file for system wide
indexing that introduces a massive vulnerability, doesn't it.

Speaker 2 (08:51):
It is a textbook single point of failure. If the
IFO two file becomes corrupted, or say a user with
elevated privileges manages to target and delete that speci.

Speaker 1 (09:00):
The entire recycle bin structure basically collapses into amnesia.

Speaker 2 (09:04):
Exactly. The OS completely loses its mind.

Speaker 1 (09:06):
Because the files themselves, the DC ones and DC two's,
they're still sitting right there in the physical sectors, totally
un alterate, but the OS has lost the map. It
can no longer associate DC one with you know, C finances,
Q four report dot xlsx yes.

Speaker 2 (09:21):
From the perspective of the operating system, those files just
become unallocated orphans. The standard Windows interface will actually show
an empty recycle bin even though all those files are
still there.

Speaker 1 (09:30):
That's wild. So how would you even get them back
at that point?

Speaker 2 (09:33):
To recover them, you'd have to bypass the OS entirely.
You'd need data recovery software to scrape the physical hard drive,
carve out those data blocks, and manually analyze the file
signatures to figure out what they are.

Speaker 1 (09:46):
That sounds like a nightmare, and having a single, highly
vulnerable database managing the state of all deleted files was
clearly a bottleneck. As storage drives grew larger.

Speaker 2 (09:56):
Oh absolutely, as file operations became more frequent, it just couldn't.

Speaker 1 (09:59):
Scale, which leads us to the complete architectural overhaul Microsoft
introduced with Windows Vista, Yes.

Speaker 2 (10:06):
The Vista Revolution, as we often call it in forensics.
They decentralize the metadata completely.

Speaker 1 (10:12):
So they completely abandon the IFO two.

Speaker 2 (10:14):
Ledger threw it right out. Instead of one master database
holding everything together, Microsoft shifted to a twin.

Speaker 1 (10:22):
File system a twin filesceah.

Speaker 2 (10:24):
Now, whenever a file is deleted, the OS generates two
distinct files that basically travel together.

Speaker 1 (10:30):
So the actual data payload and the metadata are permanently
paired up precisely.

Speaker 2 (10:35):
Let's look at the payload. First, the original file is
renamed starting with the character's dollar sign R. So this
prefix is followed by a randomly generated string of alphanumeric characters.
But the crucial thing is it retains its original file extension.

Speaker 1 (10:51):
Okay, So the actual data payload becomes something like dollar
followed by a randomhash dot Dutch pdf yes.

Speaker 2 (10:57):
And simultaneously the system generates the metadata file. This new
file begins with a dollar sign I, so one dollar okay,
one dollars right, And the really elegant mechanism here is
that the all A file is appended with the exact
same random string of characters and the exact same file
extension as it's strolled. Our counterpart, I love this.

Speaker 1 (11:15):
It's like, Okay, if we visualize this mechanism, it operates
exactly like a code check at a huge museum.

Speaker 2 (11:20):
Ooh, I like that analogy.

Speaker 1 (11:22):
Right, So, the dollar file is your heavy winter coat.
It contains the physical bulk, the actual data, the executable code,
or the image pixels, and it gets hung up on
a rack in the back room. Right, But the diar
file is the little paper ticket the attendant hands you.
The ticket has virtually no mass, but it contains all
the critical identifying information required to actually retrieve the coat that.

Speaker 2 (11:44):
Maps perfectly to the architecture the dollar file. The ticket
contains the original file name, the full original pass, the
original file size, and the exact timestamp recording when the
file was moved to the BID.

Speaker 1 (11:56):
So by decentralizing the ledger, they totally removed that sne
point of failure we saw on XP.

Speaker 2 (12:01):
Exactly if one eyevor gets corrupted, you only lose the
mapping for that specific file. The rest of the bin
remains entirely intact.

Speaker 1 (12:09):
Which vastly improves system stability.

Speaker 2 (12:12):
I'm sure it did. But this twin file architecture also
introduce some really fascinating behavioral quarks.

Speaker 1 (12:17):
Quirk like what.

Speaker 2 (12:18):
Particularly regarding how the OS handles directory deletions compared to
individual file deletions.

Speaker 1 (12:24):
Oh, let's explore that. Suppose an employee is trying to
cover up their tracks and decides to just delete an
entire project folder containing hundreds of documents rather than deleting
them one by one.

Speaker 2 (12:36):
Happens all the time, right.

Speaker 1 (12:38):
How does the dollar and dorallar system process a bulk
directory deletion.

Speaker 2 (12:43):
Well, when you send a directory to the recycle bin,
the directory itself receives the dollar dollar designation with the
random character strength. Okay, however, the files nested inside that
directory are practically untouched. They retain their original file names.

Speaker 1 (12:58):
Wait, so the files inside the don't get the dollary
naming convention at all.

Speaker 2 (13:03):
They do not ow And even more importantly, the operating
system only generates one single laun or file for the
entire directory.

Speaker 1 (13:10):
Ah, so it issues one single ticket for the entire
box of codes.

Speaker 2 (13:14):
Yes, that single AR metadata file contains the original name
of the parent directory, the total size, and the exact
time stamp of the deletion command.

Speaker 1 (13:22):
The forensic implications of that single ar file are massive
because in an investigation defense, attorneys often argue that a
deletion was accidental, right like, oh, it was a stray
click or an accidental dragon drop.

Speaker 2 (13:34):
We hear that defense constantly, But if.

Speaker 1 (13:36):
An investigator pulls the dollar file for a deleted directory,
they can basically prove intent.

Speaker 2 (13:42):
It establishes an undeniable timeline. Because all the files inside
that lawllary directory share the exact same all BI metadata ticket,
the investigator can definitively state that the entire batch of
files was dumped simultaneously.

Speaker 1 (13:56):
Boom now contrasts that if the user had gone into
the selectively deleted three specific spreadsheets on Tuesday and then
decided to delete the rest of the folder on Friday.

Speaker 2 (14:08):
Entirely different trail. Those three spreadsheets would have been processed
individually on Tuesday. Each would possess its own distinct dollar
and dial twins stamped with Tuesday's exact time.

Speaker 1 (14:18):
So they would not be grouped under Friday's batch deletion
ticket exactly.

Speaker 2 (14:22):
The operating system creates a precise, unavoidable paper trail of
the user's exact methodology.

Speaker 1 (14:28):
I mean, the architecture is elegant, It really is. But
let's talk about extraction for a minute. Because these IDI
files aren't plain text documents, right. A system administrator can't
just double click an EYE file, open it in notepad,
and read the original file path.

Speaker 2 (14:41):
Oh no, definitely not. The idea files are written in
raw binary data.

Speaker 1 (14:46):
So how do you actually read them?

Speaker 2 (14:47):
Well, mostly an investigator relies on automated forensic suites like
FTK or end case, which just parts the data automatically
for you.

Speaker 1 (14:55):
But if you really want to understand the underlying structure.

Speaker 2 (14:58):
Then you have to examine the file in an X editor,
analyzing the raw hexadecimal code manually.

Speaker 1 (15:03):
Okay, let's do that. Let's strip away the automated forensic
tools and look at the raw disk level.

Speaker 2 (15:07):
I love it. Let's get into the weeds.

Speaker 1 (15:09):
When we open a standard I file from say Windows
Vista seven or eight in a hex editor, what is
the exact layout of the data blocks? What are we
looking at?

Speaker 2 (15:18):
The structure from that era is incredibly rigid. Every single
EYE file generated by Vistas seven or eight is exactly
five hundred and felty four bytes long. Regardless of the
file it actually.

Speaker 1 (15:28):
Represents always five hundred and forty four bytes. So how
are those five hundred and forty four bytes partitioned?

Speaker 2 (15:34):
It starts with an eight byte fileheader, spanning from byte
zero to byte seven, and in these operating systems, the
header value is always set to the hex value zero one,
followed by a bunch of trailing zeros.

Speaker 1 (15:45):
Okay, so the one header establishes the file type what
occupies the next block.

Speaker 2 (15:50):
Bytes eight through fifteen store the original file size represented
in hexadesimal.

Speaker 1 (15:54):
Format, got it, and after the file size following.

Speaker 2 (15:57):
That, bytes sixteen through twenty three hold the critical deleted
date in timestamp, which.

Speaker 1 (16:02):
Brings up a really fascinating architectural quirk regarding how Windows
actually calculates time.

Speaker 2 (16:08):
Yes, because it.

Speaker 1 (16:09):
Doesn't use the Unix epook of nineteen seventy like almost
everything else does it.

Speaker 2 (16:12):
No, it doesn't.

Speaker 1 (16:13):
Yeah.

Speaker 2 (16:13):
The Windows NT architecture utilizes what's called the filetime structure
file time. Yeah. It calculates timestamps based on the number
of one hundred nanosecond intervals that have elapsed since midnight
January first, sixteen.

Speaker 1 (16:25):
Oh one, sixteen oh one. I mean, it is such
a wildly specific historical anchor point for a twenty first
century operating system.

Speaker 2 (16:31):
I know it sounds crazy, but it actually aligns with
the beginning of the Gregorian calendar cycle, which was used
in the initial Windows NT design. Of course, the forensic
software automatically translates that massive, unwieldy integer back into a
readable modern date and time for us.

Speaker 1 (16:47):
Good because I am not doing that math in my head.

Speaker 2 (16:50):
Nobody is okay.

Speaker 1 (16:51):
So we have the one header, the file size, and
the sixteen oh one based timestamp that takes us up
to bite twenty three. Right, what occupies the rest of
the five.

Speaker 2 (17:00):
And forty four bytes the largest block, so spanning from
byte twenty four all the way to bite five forty three,
That entire space is reserved strictly for the original filepath
and name encoded in Unicode.

Speaker 1 (17:11):
And that static five forty four byte structure just remained
the standard for years.

Speaker 2 (17:15):
It did until Microsoft finally optimized it in Windows ten.

Speaker 1 (17:18):
Right, So what changed in Windows ten?

Speaker 2 (17:20):
Well, they maintained the core one on dollars twin philosophy,
but they refined the internal structure of the barrel file
for efficiency. They implemented two really critical change right.

Speaker 1 (17:28):
It was the first one.

Speaker 2 (17:29):
First, it I'll set twenty four right where the filepath
used to start. They inserted a brand new field specifying
the file name length.

Speaker 1 (17:36):
Oh so, by defining the stringlined to natively within the
metadata itself, they eliminated the need for a fixed file
size entirely exactly.

Speaker 2 (17:44):
An I file in Windows ten is no longer statically
locked at five hundred and forty four bytes. It is
dynamically sized.

Speaker 1 (17:50):
That makes so much sense, right.

Speaker 2 (17:52):
If the original file pass was short, the RYE file
is small. It only consumes the exact number of bytes
actually required to hold the path there.

Speaker 1 (18:00):
That is a very logical optimization for modern storage. So
what was the second structural change?

Speaker 2 (18:05):
They updated the file header. Like we said, in Vista
seven and eight, the header always started with the hex
value zer one, but in Windows ten that header field
changed to a hex value of O two.

Speaker 1 (18:15):
Okay, wait, I'm looking at this from a high level
investigative perspective. Sure we are talking about a one byte
difference in a header file and a file size that varies.
If I already have the dive file, which tells me
the file name, the path, and the exact time stamp
it was deleted, why does an investigator actually care about
a single byte change from one to two.

Speaker 2 (18:35):
I get that question a lot. That single byte is
critical when the filesystem has been compromised or say, partially overwritten.
Imagine you were analyzing the unallocated space on a hard drive,
so the empty sectors where data isn't actively tracked by
the filesystem anymore.

Speaker 1 (18:51):
Right, the wild west of the drive.

Speaker 2 (18:53):
Exactly. You run a carving tool and you extract an
orphan dive file. It has no associated dollar file anymore.

Speaker 1 (19:00):
It's just a detached piece of metadata floating out there
in the void.

Speaker 2 (19:04):
Yes. Now, because hard drives are often repurposed or operating
systems are upgraded in place over the years, you might
actually have artifacts from three different eras of Windows residing
in the unallocated space of a single drive.

Speaker 1 (19:18):
Oh, I see where this is going.

Speaker 2 (19:19):
Right. If you find an OLL file and the header
reads o's one with that static five point forty four
byte footprint, you know definitively that the deletion event occurred
under a legacy operating system installation.

Speaker 1 (19:31):
But if the header reads H two and the file
size is dynamic.

Speaker 2 (19:35):
You can prove the artifact was generated by Windows ten man.

Speaker 1 (19:38):
That completely changes the context of the evidence. It allows
a forensic analyst to perform basically digital archaeology.

Speaker 2 (19:43):
That's exactly what it is.

Speaker 1 (19:45):
You're layering the artifacts chronologically based purely on the HECK structure,
even if all the primary file system pointers are completely obliterated.

Speaker 2 (19:52):
It allows us to rebuild the history of the machine
deletion by deletion using the very structures that were designed
to hide the data in the first place.

Speaker 1 (20:01):
The depth of engineering layered into a simple trash can
icon is honestly staggering when you lay it out like this,
it really is.

Speaker 2 (20:08):
It's hidden in plane sight.

Speaker 1 (20:10):
Well, before we wrap up this technical breakdown, let's run
a quick review exercise for you, the listener, just to
cement the timeline of these directory structures.

Speaker 2 (20:18):
We talked about a little pop quiz. Let's do it
all right.

Speaker 1 (20:21):
If you are examining a disk image and you need
to locate the deleted files in a Windows Vista environment,
which of the following route paths would.

Speaker 2 (20:29):
You navigate to pay attention to the OS here this exactly.

Speaker 1 (20:33):
Is it AC recycled info two, Is it BC recycler
Info two?

Speaker 2 (20:38):
Okay?

Speaker 1 (20:38):
Is it C crecycle dot bena or is it dcrecycler
dot benbandenna. Think about the architectural shifts we just covered.

Speaker 2 (20:45):
Right, you got your answer. The correct path is c
C recycle dot ben.

Speaker 1 (20:51):
Yes, let's quickly break down why the others are incorrect,
just to reinforce the whole timeline.

Speaker 2 (20:55):
Sure so, PATHA that recycled directory that is a legacy
structure utilized by Windows ninety five ninety eight, and right
the old days, Path B recycler maps to the Windows
NT two thousand and XP era, which remember, is also
where you would find that highly vulnerable INFO two ledger.

Speaker 1 (21:11):
We talked about a single point of failure exactly.

Speaker 2 (21:14):
And finally, pathdrecycler dot ben is just a totally fabricated
path that doesn't exist in any Windows architecture.

Speaker 1 (21:21):
Sure question, So we've unraveled the magic trick. Despite decades
of filesystem evolution from vulnerable single ledgers like IONFO two
all the way to decentralized dynamic one dollar twin architectures,
the fundamental behavior of the OS remains constant.

Speaker 2 (21:36):
It really does.

Speaker 1 (21:37):
It doesn't vaporize your data. It meticulously categorizes timestamps and archives.

Speaker 2 (21:42):
It it leaves an intricate, highly structured metadata trail for
anyone who understands how to read the underlying exodescimal code.

Speaker 1 (21:49):
The interface tells the user the file is gone, but
the filesystem ensures a permanent record of its existence is
left behind.

Speaker 2 (21:55):
The filesystem is always watching.

Speaker 1 (21:57):
Which leads us with a final, slightly provocative thought for
you to consider as we close out. Oh, if the
simple act of moving a file to a digital trash
can triggers such an exhaustive sequence of SID logging, twin
file generation and precise hex code updates, what other invisible,
highly detailed ledgers is your operating system quietly updating in

(22:21):
the background, right now, entirely without your knowledge.

Speaker 2 (22:23):
Like I said, it rarely forgets.

Speaker 1 (22:25):
Definitely something to consider the next time you try to
cover your tracks.

All Episodes

Course 36 - Windows Forensics and Tools | Episode 10: Decoding Metadata and File Internals

Episode Transcript

Popular Podcasts

Stuff You Should Know

Dateline NBC

iHeartRadio 24/7 News: The Latest

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Course 36 - Windows Forensics and Tools | Episode 10: Decoding Metadata and File Internals