The Windows Recycle Bin was introduced with Windows 95 and has been present in every release since, up to and including Windows 11. The Recycle Bin is temporary storage for items the user has deleted; the user can then either remove them permanently or restore them if they were deleted by mistake.
The Windows Recycle Bin is an essential source of evidence in a forensic investigation, because any item deleted through File Explorer or any other recycle-bin-aware program is first placed in the Recycle Bin rather than being removed immediately. Recycle Bin artifacts retain valuable information about each deleted item: the item's name, its original location before deletion, its size, and the date and time at which it was deleted. Be aware of the limits of this source: items deleted with Shift+Delete, with del at a command prompt, or by programs that call the file-deletion API directly bypass the Recycle Bin and leave no record in it.
Windows Recycle Bin artifacts are maintained within a hidden system folder on each volume. On Windows 2000, NT, XP and 2003, the metadata for all deleted items is stored in a single INFO2 file located inside the sub-folder named after the SID of the user who deleted them:
C:\RECYCLER\{SID}\INFO2
On Windows Vista, 7, 8, 10 and 11, the per-user SID sub-folder is kept, but the parent folder is now named $Recycle.Bin and each deleted item gets its own metadata file whose name begins with $I:
C:\$Recycle.Bin\{SID}\$I######
The SID in the folder name can be mapped to an account name through the ProfileList key in the SOFTWARE registry hive (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList), which tells the examiner which user performed the deletions.
The structure of Recycle Bin artifacts differs slightly between Windows versions. On Windows 2000, NT, XP and 2003, each deleted item is renamed according to a fixed scheme (the letter D, the drive letter and an index number, for example Dc1.txt) and stored within the SID sub-folder corresponding to the user who deleted it. The INFO2 file in that folder holds one fixed-size record per deleted item containing the metadata: the deletion date and time, the original file path and the file size.
On Windows Vista, 7, 8, 10 and 11, two new files are created for each deleted item, $R and $I, each followed by the same random six-character string and the original file extension (for example $IABC123.docx and $RABC123.docx). The content of the deleted item is moved into the $R###### file, while the metadata for that item (deletion date and time, original file path and file size) is written to the small $I###### file. Because the $I file has a fixed, well-known layout, it can often be carved from unallocated space even after the Recycle Bin has been emptied and the files themselves are gone.
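To make the two metadata layouts concrete, below is an added Python example (written for this article, not ArtiFast code or any Forensafe tool) that parses both a Vista-and-later $I file and a 2000/XP/2003 INFO2 file into the fields described above: deletion time, original path and size. The $I parser handles both on-disk versions: version 1 (Vista, 7, 8) stores the path in a fixed 520-byte UTF-16LE field, while version 2 (Windows 10 1607 and later) stores a 4-byte character count followed by the path. The sample files it parses are constructed in the script itself from an assumed path, size and timestamp; they are not real evidence.

```python
"""Parse Windows Recycle Bin metadata: Vista+ $I files and 2000/XP/2003 INFO2 files."""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class RecycleRecord:
    original_path: str   # where the item lived before deletion
    size: int            # original size in bytes
    deleted: datetime    # deletion timestamp (UTC)
    source: str          # "$I v1", "$I v2" or "INFO2"


def parse_dollar_i(data: bytes) -> RecycleRecord:
    """$I###### layout (little-endian):
    0x00  8 bytes  version: 1 = Vista/7/8, 2 = Windows 10 1607 and later
    0x08  8 bytes  original file size
    0x10  8 bytes  deletion time (FILETIME)
    0x18  v1: fixed 520-byte UTF-16LE path, NUL padded
          v2: 4-byte path length in UTF-16 chars (incl. NUL), then the path
    """
    if len(data) < 0x18:
        raise ValueError("too short to hold a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated $I v2 path")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return RecycleRecord(path, size, filetime_to_datetime(ft), f"$I v{version}")


INFO2_HEADER_LEN = 20
INFO2_RECORD_LEN = 800


def parse_info2(data: bytes) -> list[RecycleRecord]:
    """INFO2 layout: 20-byte header (record size at 0x0C), then 800-byte records:
    0x000 260-byte ANSI path | 0x104 record index | 0x108 drive number (0=A:, 2=C:)
    0x10C deletion FILETIME  | 0x114 4-byte size  | 0x118 520-byte UTF-16LE path
    """
    (rec_len,) = struct.unpack_from("<I", data, 0x0C)
    if rec_len != INFO2_RECORD_LEN:
        raise ValueError(f"unexpected INFO2 record size {rec_len}")
    out = []
    for off in range(INFO2_HEADER_LEN, len(data) - rec_len + 1, rec_len):
        rec = data[off:off + rec_len]
        _index, _drive, ft, size = struct.unpack_from("<IIQI", rec, 0x104)
        path = rec[0x118:0x118 + 520].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        out.append(RecycleRecord(path, size, filetime_to_datetime(ft), "INFO2"))
    return out


# --- constructed sample inputs (assumed values, not real evidence) -----------
SAMPLE_PATH = r"C:\Users\alice\Documents\plan.docx"
SAMPLE_SIZE = 12345
SAMPLE_DELETED = datetime(2023, 5, 17, 10, 30, 0, tzinfo=timezone.utc)


def build_dollar_i(version: int, path: str = SAMPLE_PATH, size: int = SAMPLE_SIZE,
                   deleted: datetime = SAMPLE_DELETED) -> bytes:
    """Build a synthetic $I file in the chosen version so the parser can be exercised."""
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    upath = path.encode("utf-16-le") + b"\x00\x00"          # NUL-terminated UTF-16LE
    if version == 1:
        return head + upath.ljust(520, b"\x00")              # 544-byte v1 file
    return head + struct.pack("<I", len(upath) // 2) + upath  # v2: char count + path


def build_info2(path: str = SAMPLE_PATH, size: int = SAMPLE_SIZE,
                deleted: datetime = SAMPLE_DELETED) -> bytes:
    """Build a synthetic INFO2 file holding a single record for drive C: (drive number 2)."""
    header = struct.pack("<IIIII", 5, 0, 0, INFO2_RECORD_LEN, 0)
    rec = path.encode("cp1252").ljust(260, b"\x00")
    rec += struct.pack("<IIQI", 1, 2, datetime_to_filetime(deleted), size)
    rec += (path.encode("utf-16-le") + b"\x00\x00").ljust(520, b"\x00")
    return header + rec


if __name__ == "__main__":
    for blob in (build_dollar_i(1), build_dollar_i(2)):
        print(parse_dollar_i(blob))
    for record in parse_info2(build_info2()):
        print(record)
```

On a real image, point parse_dollar_i at each $I file under C:\$Recycle.Bin\{SID}\ and parse_info2 at C:\RECYCLER\{SID}\INFO2; the same parser can also be run over candidate $I files carved from unallocated space, since the version field (0x01 or 0x02 in the first eight bytes) and fixed sizes make them easy to identify. All timestamps are decoded as UTC; convert to the machine's local time zone only when presenting them alongside other local-time artifacts.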
This section will discuss how to use ArtiFast Windows to analyze the Windows Recycle Bin on Windows machines and what kind of digital forensic insights we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase you can select Windows Recycler (for Windows 2000, NT, XP and 2003) or Windows Recycle Bin (for Windows Vista, 7, 8, 10 and 11):
Once the ArtiFast parser plugins have finished processing the artifacts, the results can be reviewed in "Artifact View" or "Timeline View", with indexing, filtering and searching capabilities. Below is a detailed description of the Windows Recycler and Recycle Bin artifacts in the ArtiFast software.
Windows Recycler / Windows Recycle Bin Artifact
Both artifacts contain information related to the items that have been deleted by the user, but for different Windows versions. The details you can view include:
For more information or suggestions please contact: asmaa.elkhatib@forensafe.com