Recycle Bin

Description: The recycle bin is an important location on a Windows file system to understand for forensic investigations, because almost every file deleted through a Windows application is first placed in the recycle bin rather than removed outright.

Location:

  • C:\$Recycle.bin (Hidden System Folder)

Notes: SID can be mapped to user via Registry Analysis.

Files Preceded by $I###### Contain:

  • Original Path and Name
  • Deletion Date/Time

Files Preceded by $R###### Contain:

  • Recovery Data

Analysis: Files within the Recycle Bin are not actually deleted, as they are still considered allocated by the file system. Almost every file deleted within Windows will pass through the Recycle Bin, unless the user uses Shift + Delete to permanently delete the file.

Using FTK Imager, we can navigate to the Recycle Bin and extract an $I###### file for offline analysis.

We can use Recbin, a command-line utility created by Harlan Carvey, to parse files located within the Recycle Bin. As a prerequisite to running recbin.exe, you will also need to grab p2x5124.dll from his GitHub repository and store it in the same folder as recbin. Review the command-line switches with recbin.exe /? and use recbin.exe -f to parse a specified Recycle Bin file. $I###### files are of forensic interest because they not only provide the full path of the deleted file, but also a timestamp for the deletion.
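For analysts who want to parse an extracted $I###### file themselves rather than with recbin.exe, the following Python script is an added example (not part of this page and not Harlan Carvey's code). The page lists the contents of $I files but not their byte layout; the layout in the comments is the documented $I format (version 1 for Vista through 8.1, version 2 for Windows 10 and later), and the sample records are constructed inline so the script runs offline. It also pairs $I names with their matching $R names, since both share the same six-character suffix.

```python
import struct
from datetime import datetime, timedelta, timezone

# $I file layout (assumed from the documented format; the page itself only lists the contents):
#   offset 0  : 8-byte little-endian version (1 = Vista..8.1, 2 = Windows 10+)
#   offset 8  : 8-byte original file size
#   offset 16 : 8-byte FILETIME of deletion (100ns ticks since 1601-01-01 UTC)
#   version 1 : offset 24, 520-byte UTF-16LE original path, NUL padded
#   version 2 : offset 24, 4-byte path length in UTF-16 chars (incl. NUL), then the path
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic to avoid float drift."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Parse the bytes of a $I###### file into original path, size and deletion time."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted_utc": filetime_to_datetime(ft),
        "original_path": path,
    }


def pair_recycle_entries(names):
    """Map each $I name to the $R name with the same suffix, or None if the $R file is missing."""
    present = set(names)
    return {n: ("$R" + n[2:] if "$R" + n[2:] in present else None)
            for n in names if n.startswith("$I")}


# Constructed sample records (hypothetical path, size and timestamp; not real evidence).
SAMPLE_PATH = "C:\\Users\\analyst\\Desktop\\notes.txt"
SAMPLE_DELETED = datetime(2021, 3, 14, 15, 9, 26, tzinfo=timezone.utc)


def build_sample_v2(path=SAMPLE_PATH, size=1234, deleted=SAMPLE_DELETED):
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted), len(path) + 1) + encoded


def build_sample_v1(path=SAMPLE_PATH, size=1234, deleted=SAMPLE_DELETED):
    encoded = path.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted)) + encoded


if __name__ == "__main__":
    for blob in (build_sample_v1(), build_sample_v2()):
        rec = parse_dollar_i(blob)
        print(f"v{rec['version']}: {rec['original_path']} "
              f"({rec['original_size']} bytes) deleted {rec['deleted_utc'].isoformat()}")
    print(pair_recycle_entries(["$I3F2A1B.txt", "$R3F2A1B.txt", "$IZZZZZZ.docx"]))
```

To use it on real evidence, read the extracted $I file with `open(path, "rb").read()` and pass the bytes to `parse_dollar_i`; an $I file whose paired $R file is absent indicates the recoverable content has already been purged even though the metadata survived.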