Recycling Bin - Foren-Ken/tech-journal GitHub Wiki
Recycle Bin Locations:
Win 95/98/ME > DRIVE:\RECYCLED (deletion records for the whole bin kept in a single INFO/INFO2 file)
Win NT, 2000, XP, 2003 > DRIVE:\RECYCLER\SID FOR USER\ (deletion records kept in one INFO2 file per SID folder)
Windows Vista and onwards > DRIVE:\$Recycle.Bin\SID FOR USER\ (one $I/$R file pair per deleted file)
Because the bin is split into one subfolder per user SID, a deleted file can be related to the account that deleted it.
Metadata Analysis:
On modern systems (Vista and onwards), the file is divided into two files when deleted: the $R file and the $I file (the letter after the initial $ tells them apart). Both files carry the same random six-character suffix and the original extension, so they pair up by name. The raw content of the deleted file is found in the $R file, while the $I file contains the metadata tied to it: the original full path, the original file size and the deletion time (a FILETIME). Because the $I record survives even if the $R content is later purged or wiped, it is the more durable artifact of the two.
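The $I layout is small enough to parse by hand, which is useful when a tool is unavailable or when you want to verify what a tool reports. The following parser is an added example and not code from the wiki or from any of the tools named on this page. It handles the two layouts found in the wild (version 1 from Vista/7/8, with a fixed 520-byte path field, and version 2 from Windows 10 and later, with a length-prefixed path), converts the FILETIME to UTC, and pairs each $I file with its $R twin. The sample $I records and the $R pairing folder are constructed in memory for the demo; the function and variable names are the example's own.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data: bytes) -> dict:
    """Parse the bytes of a $I file.

    Offsets common to both versions:
      0x00  8 bytes  header/version: 1 (Vista/7/8) or 2 (Windows 10 and later)
      0x08  8 bytes  original file size, little-endian
      0x10  8 bytes  deletion time as FILETIME
    Version 1: 0x18  520 bytes  original path, UTF-16LE, NUL padded (MAX_PATH = 260 chars)
    Version 2: 0x18  4 bytes    path length in UTF-16 code units, including the terminating NUL
               0x1C  ...        original path, UTF-16LE
    """
    if len(data) < 0x18:
        raise ValueError("too short to be a $I file")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[0x18:0x18 + 520]
    elif version == 2:
        (n_chars,) = struct.unpack_from("<I", data, 0x18)
        raw_path = data[0x1C:0x1C + n_chars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    # Paths never contain NUL, so cut at the first one to drop padding/terminator.
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def build_dollar_i(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Construct a $I record in memory; used here only to make sample data."""
    ft = ((deleted - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    head = struct.pack("<QQQ", version, size, ft)
    if version == 1:
        return head + path.encode("utf-16-le").ljust(520, b"\x00")
    encoded = (path + "\x00").encode("utf-16-le")
    return head + struct.pack("<I", len(encoded) // 2) + encoded


def twin_name(i_name: str) -> str:
    """Name of the $R file that holds the content for a given $I file name."""
    return "$R" + i_name[2:]


def walk_recycle_bin(sid_folder: Path):
    """Yield (metadata, $R path or None) for every $I file in one SID folder.

    A missing $R twin is reported as None rather than skipped, so a purged
    content file does not hide the fact that a deletion happened.
    """
    for i_file in sorted(sid_folder.glob("$I*")):
        meta = parse_dollar_i(i_file.read_bytes())
        r_file = i_file.with_name(twin_name(i_file.name))
        yield meta, (r_file if r_file.exists() else None)


# Constructed sample records (hypothetical path and timestamp, not real evidence).
_WHEN = datetime(2023, 5, 17, 14, 30, 0, tzinfo=timezone.utc)
SAMPLE_V1 = build_dollar_i(1, 4660, _WHEN, r"C:\Users\alice\Documents\secret.docx")
SAMPLE_V2 = build_dollar_i(2, 4660, _WHEN, r"C:\Users\alice\Documents\secret.docx")

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        print(parse_dollar_i(sample))
    # Point this at a real per-SID folder, e.g. Path(r"C:\$Recycle.Bin\S-1-5-21-...").
    for meta, r_file in walk_recycle_bin(Path(".")):
        print(meta["deleted"].isoformat(), meta["size"], meta["path"], "->", r_file)
```

Run it against a copy of a $Recycle.Bin\SID folder taken from an image rather than the live bin, since merely listing the live folder in Explorer can refresh timestamps on the container directory. The deletion time is stored in UTC; convert to the machine's local zone only when correlating with other artifacts that use local time.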
Rifiuti2 Tool
(Windows Recycle Bin Analysis Tool)
This tool is run with the following syntax: `rifiuti-vista.exe C:\$Recycle.Bin\USER SID` (the package also ships `rifiuti.exe` for the INFO2 file of pre-Vista bins). It then displays the metadata stored within the $I files located within the SID's path in the recycling bin: the original path, original size and deletion time of each file. This also provides valuable forensic artifacts due to the metadata. The
RBCmd
(The Recycling Bin Artifact Parser)
Guides to Other Eric Zimmerman Tools
This command analyzes the $I files in the recycling bin (it also understands the INFO2 file of older bins). These are the ones which contain the metadata (original path, size and deletion time) of the file they were separated from when the file was sent to the Recycle Bin. Files removed with the del command or by pressing Shift-Delete bypass the Recycle Bin entirely, so no $I/$R pair is created for them and there is nothing here for RBCmd to parse.
The way this command is used is by typing:
RBCmd -f C:\$Recycle.Bin\SID OF USER\$I...
where "..." is the rest of the name of the $I file being analyzed. This is used for analysis of a single file, which is what the -f option selects.
RBCmd -d C:\$Recycle.Bin\SID OF USER\
This command allows the user to analyze all $I files within that directory, which is what the -d option selects. Pointing -d at C:\$Recycle.Bin itself covers the folders of every SID on the volume.