recycle bin - Paiet/FOR---Operating-System-Forensics GitHub Wiki
the Recycle Bin is used to delete files temporarily
- right-click and select Delete moves files to the Recycle Bin
- Shift + Delete deletes the file permanently
- check box in the Recycle Bin to not move files to the Recycle Bin (if 1, the file is deleted; if 0, it goes to the Recycle Bin)
- the maximum size can be changed; a file is deleted permanently if its size is more than the amount specified
- Recycle Bin SID
- the Recycle Bin folder has subfolders based on SIDs
- FTK Imager can be used to find files in the Recycle Bin
- in XP, all metadata is stored in a file based on SID
- the $R file is the same as the original file (unless it has been written over)
- same hash and same file size
- the $I file will only be the same as at the time it was deleted
- structure of the $I file
- first 8 bytes: always 1/reserved; second 8 bytes: file size; next 8 bytes: deleted time; then 520 bytes: full file path in Unicode
- Windows combines the (due to it being listed as a system protected file)
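
The $I layout listed in the notes above, as an added Python parser (example code, not from the wiki). The branch for header value 2 goes beyond the notes: it assumes the later layout in which a 4-byte character count precedes a variable-length path. The sample record, its path and its values are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # fixed-width path field from the notes (260 UTF-16 chars)


def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_i_file(data):
    """Parse the raw bytes of a $I metadata file into a dict."""
    if len(data) < 24:
        raise ValueError("truncated $I file: the fixed fields need 24 bytes")
    # Three little-endian 64-bit fields: header, original size, deletion time.
    header, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if header == 1:  # layout from the notes: fixed 520-byte path
        raw, want = data[24:24 + V1_PATH_BYTES], V1_PATH_BYTES
    elif header == 2 and len(data) >= 28:  # assumption beyond the notes
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw, want = data[28:28 + 2 * nchars], 2 * nchars
    else:
        raise ValueError(f"unexpected header value or length (header={header})")
    if len(raw) != want:
        raise ValueError("path field is shorter than the layout requires")
    # The path is NUL-terminated UTF-16LE; drop the terminator and padding.
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": header,
        "original_size": size,
        "deleted_utc": filetime_to_utc(deleted),
        "original_path": path,
    }


def build_sample_v1(path, size, filetime):
    """Build a constructed header-1 record for the demo (not real evidence)."""
    name = path.encode("utf-16-le").ljust(V1_PATH_BYTES, b"\x00")
    return struct.pack("<QQQ", 1, size, filetime) + name


if __name__ == "__main__":
    # Constructed sample: 48213-byte file deleted 2020-01-01 00:00:00 UTC.
    sample = build_sample_v1(r"C:\Users\analyst\Desktop\report.docx",
                             48213, 132223104000000000)
    print(parse_i_file(sample))
```

The `original_size` field should match the size of the paired $R file, which gives a quick consistency check when both are recovered.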