Windows Forensics: analysis of Recycle bin artifacts
The Windows Recycle Bin contains files that have been deleted by the user, but not yet purged from the system: a valuable source of evidence for an examiner.
Depending on the version of Windows, Recycle Bin evidence is stored in one of two ways.
On Windows XP, the files are stored in the “Recycler” folder under the user’s specific SID.
There is also an INFO2 file which contains an index of all the files that have been deleted, along with some metadata about the recycled files.
The INFO2 file will contain the original path, file size, and when the file was deleted.
Starting with Windows Vista, the data are still stored under the user’s SID, but the parent folder is now called “$Recycle.Bin”.
Windows no longer uses the INFO2 file and for every deleted file, two new files are created in the Recycle Bin.
The first file begins with the value “$R” followed by a random string, and contains the actual contents of the recycled file.
The second file begins with “$I”, ends in the same string as the “$R” file and contains the metadata for that specific file (unlike the INFO2 file which contained the metadata for every file in the Recycle Bin).
The “$I” file contains the original filename, path, file size, and when the file was deleted.
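As an added worked example (not from the article and not Rifiuti2's code), here is a minimal Python parser for a $I record that pulls out exactly the four fields described above. The record layout comes from the publicly documented $I format rather than from this page, and the sample records, file size and path are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME = 100-ns ticks since 1601-01-01 UTC; $I stores the deletion time this way.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_iso(ft: int) -> str:
    """Convert a Windows FILETIME to an ISO-8601 UTC timestamp."""
    return (_FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()

def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I<random> file: version, original size, deletion time, original path.
    Layout (publicly documented $I format, assumed here, not taken from the article):
      offset 0  uint64 version (1 = Vista/7/8, 2 = Windows 10 and later)
      offset 8  uint64 original file size
      offset 16 uint64 deletion time as FILETIME
      v1: offset 24 fixed 520-byte UTF-16LE path field (260 chars, NUL padded)
      v2: offset 24 uint32 path length in UTF-16 chars (incl. NUL), then the path
    """
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    # Stop at the first NUL; 'replace' keeps a damaged path readable instead of crashing.
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted_utc": filetime_to_iso(ft), "path": path}

# Constructed sample records (not real evidence). 132444736000000000 = 2020-09-13 12:26:40 UTC.
_PATH = "C:\\Users\\alice\\Documents\\report.docx"
SAMPLE_V2 = (struct.pack("<QQQI", 2, 48213, 132444736000000000, len(_PATH) + 1)
             + (_PATH + "\x00").encode("utf-16-le"))
SAMPLE_V1 = (struct.pack("<QQQ", 1, 48213, 132444736000000000)
             + _PATH.encode("utf-16-le").ljust(520, b"\x00"))

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        rec = parse_dollar_i(sample)
        # rifiuti-vista's -z would shift this to local time; UTC is kept here for correlation.
        print(rec["version"], rec["deleted_utc"], rec["size"], rec["path"])
```

To examine a real record, read the bytes of a `$I` file from `$Recycle.Bin\<SID>\` and pass them to `parse_dollar_i`; the matching `$R` file carries the content.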
Recycle bin analysis using Rifiuti2
Rifiuti2 is a tool developed by Abel Cheung for forensic analysis of recycle bin files from Windows.
The tool can extract file deletion time, original path and size of deleted files.
It is a rewrite of rifiuti, which was originally written by the FoundStone folks for the same purpose. It was then extended to cover more functionality, such as:
- Handles the oldest (Win95) to the newest (Win 10 and Server 2019) recycle bin formats
- Windows 95 – 2003 uses a single index file named INFO or INFO2
- Vista or above uses one index file for each deleted item
- 64-bit file size support
- Supports all localized versions of Windows — both Unicode-based ones and legacy ones (using ANSI code page)
- Supports output in XML format as well as original tab-delimited text
- Obscure features such as recycle bin on network share (\\server\share_name)
Rifiuti2 is designed to be portable, runs in a command line environment and is available in two versions (rifiuti and rifiuti-vista), depending on the Windows recycle bin format.
Usage examples
rifiuti-vista.exe -x -z -o result.xml \case\S-1-2-3\
Scan for index files under \case\S-1-2-3\, adjust all deletion times for the local time zone, and write XML output to result.xml
rifiuti -l CP932 -t "\n" INFO2
Assume the INFO2 file was generated by a Japanese Windows (code page 932), and display each field on its own line instead of separated by tabs