SyncToy v2.1


Post Posted: Wed Oct 15, 2014 6:51 pm

Hi all,

Does anyone have a solution to parse SyncToy (Microsoft's free syncing tool) .DAT files? A sync process was carried out by the owner of a laptop and shortly afterwards some of the source data was wiped. The other medium in the sync is not available.

However, there are two 30MB DAT files present in the SyncToy folder that under a quick examination appear to contain lots of full path listings of files amongst other hex data. It would be good to parse these to adjudge what was potentially copied.

Many thanks

Shep  

shep47
Senior Member
 
 
  

Re: SyncToy v2.1

Post Posted: Sun Oct 19, 2014 3:07 pm

Since my posting I've had success parsing these files (albeit only manually) and each file synched comes with its creation time (source disk), last modification (source disk), file size and filename (plus some other data that I've not worked out yet). I'm working on an EnScript to parse these but if anyone wants more information whilst searching this thread in the future please PM me.

Rgds  

shep47
Senior Member
 
 
  

Re: SyncToy v2.1

Post Posted: Thu Aug 25, 2016 10:25 am

I am facing the same situation as you were; I have all the large .dat files that SyncToy stores and they are teasing me with the small amount of human readable content which clearly shows a listing of the directories and files that were transferred.

I've done some work using the Sysinternals "strings" tool and Notepad++ which has yielded some more human readable content but I'm still not able to retrieve the really useful information like creation time, file size, etc.

If you have any information regarding the success you had parsing the files which could help me I'd really appreciate it.

Thanks

Ben  

laserquestwascool
Newbie
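
A strings-style pass that keeps file offsets, as an added example that is not part of any post in this thread: it carves Windows-style full paths in both ASCII and UTF-16LE out of a binary blob, so the bytes surrounding each hit can then be examined by hand in a hex viewer. The SyncToy .DAT layout is not documented in this thread; the two path encodings, the name `carve_paths` and the sample buffer are assumptions constructed for illustration.

```python
import re
import sys

# One printable ASCII byte that is legal inside a Windows path (backslash allowed).
_NAME = rb'[^\x00-\x1f"*:<>?|\x7f-\xff]'
# Drive-letter (C:\...) or UNC (\\server\...) path stored as single-byte text.
ASCII_PATH = re.compile(rb'(?:[A-Za-z]:\\|\\\\)' + _NAME + rb'{3,}')
# The same shape stored as UTF-16LE: every character is followed by 0x00.
# Assumption: only Latin-range names are matched; other scripts need a wider class.
UTF16_PATH = re.compile(
    rb'(?:[A-Za-z]\x00:\x00\\\x00|\\\x00\\\x00)(?:' + _NAME + rb'\x00){3,}'
)


def carve_paths(data: bytes):
    """Return sorted (offset, encoding, path) tuples for each path-like run."""
    hits = []
    for m in ASCII_PATH.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_PATH.finditer(data):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


# Constructed sample: two paths embedded in arbitrary binary filler.
# This is NOT a real SyncToy record; it only exercises both encodings.
SAMPLE = (
    b"\x01\x00\x00\x00\x10\xa4"
    + "C:\\Users\\alice\\Docs\\report.docx".encode("utf-16-le")
    + b"\x00\x00\xde\xad\xbe\xef"
    + b"D:\\Backup\\photos\\img001.jpg"
    + b"\x00\x07\x07"
)

if __name__ == "__main__":
    # With a file argument, scan that file; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for offset, encoding, path in carve_paths(blob):
        print(f"0x{offset:08x}  {encoding:<8}  {path}")
```

Run it against a working copy of the file, never the original evidence; the printed offsets are where to look for adjacent binary fields.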
 
 
  

Re: SyncToy v2.1

Post Posted: Fri Aug 26, 2016 9:44 am

A very interesting topic. :)

Well above my head/out of my league, unfortunately. :(

I had a look around and found this:
searchcode.com/codesea.../28100404/
crsyncfiles.codeplex.com/

It seems like all (or most) of the parsing functions for .bin and .dat files are there (to allow importing data from SyncToy or more generally Sync Framework).

The actual site is no more:
crsyncfiles.codeplex.c...umentation
connectionroad.com/sup...mentation/

and the tool is not cached in Wayback Machine:
web.archive.org/web/20...rsyncfiles


Maybe from the above source someone might create a parser.

Possibly there is something in the Sync Framework SDK 2.1, also, but cannot say:
www.microsoft.com/en-u...x?id=23217

It seems like the good MS guys provide the libraries/APIs/whatever but do not actually document the file formats.
msdn.microsoft.com/en-....110).aspx
msdn.microsoft.com/en-....110).aspx

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
