
Investigating Windows Recycle Bin

13/07/2021 Tuesday

The Windows Recycle Bin was first introduced with Windows 95 and has remained part of every release through Windows 10. The Recycle Bin is temporary storage for items that have been deleted by the user. The user then has the option to remove the items permanently or to recover them in case they were deleted by mistake.


Digital Forensics Value of Recycle Bin Artifacts


The Windows Recycle Bin is considered an essential source of evidence when conducting a forensic investigation, as any item deleted via File Explorer or from any recycle-bin-aware program is initially placed into the Recycle Bin rather than being removed outright. Recycle Bin artifacts retain valuable information about the deleted item: the name of the deleted item, its original location before deletion, its size, and the date and time when it was deleted.


Location of Recycle Bin Artifacts


Windows Recycle Bin artifacts are maintained within a hidden system folder. For Windows 2000, NT, XP and 2003, Recycle Bin artifacts are stored in the "INFO2" file, which is located within the sub-folder named after the user's SID at C:\RECYCLER\{SID}\INFO2

For Windows Vista, 7, 8 and 10, Recycle Bin artifacts are stored in "$I" files, which are also located within the user's SID sub-folder; however, the parent folder name has changed to "$Recycle.Bin": C:\$Recycle.Bin\{SID}\$I######


Structure of Recycle Bin Artifacts


The Windows Recycle Bin structure differs slightly between Windows operating systems. On Windows 2000, NT, XP and 2003, deleted items are renamed using a specific scheme and stored within the SID sub-folder corresponding to the user who deleted the item. The INFO2 file contains the metadata (file deletion date, original file path and file size) for the deleted items.

On the other hand, for each deleted file on Windows Vista, 7, 8 and 10, two new files are created, "$R" and "$I" (each prefix is followed by the same random six-character string, which is how the pair is matched). The content of the deleted item is stored in the $R###### file, while the metadata (file deletion date, original file path and file size) for that item is stored in the $I###### file.
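To make the $I/$R split concrete, the following Python parser is an added example written for this post; it is not code from the original page or from the ArtiFast product. It reads the three metadata fields named above (deletion time, original path, file size) from a $I record. The byte layout it relies on is the publicly documented $I format (an 8-byte version field, 8-byte size, 8-byte FILETIME deletion timestamp, then the UTF-16LE path: a fixed 520-byte field in version 1 on Vista/7/8, or a 4-byte length prefix followed by the path in version 2 introduced with Windows 10); the post itself does not spell that layout out. The sample records, the user name "alice" and the file names are constructed test fixtures, not data from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME value to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build sample records."""
    delta = dt - FILETIME_EPOCH
    micros = delta.days * 86400 * 10**6 + delta.seconds * 10**6 + delta.microseconds
    return micros * 10


def parse_dollar_i(data):
    """Parse one $I###### record into its version, size, deletion time and path.

    Layout (all little-endian):
      offset  0, 8 bytes: format version (1 = Vista/7/8, 2 = Windows 10)
      offset  8, 8 bytes: original file size in bytes
      offset 16, 8 bytes: deletion time as FILETIME
      version 1: offset 24, 520 bytes: NUL-padded UTF-16LE original path
      version 2: offset 24, 4 bytes: path length in UTF-16 code units
                 (including the terminating NUL), then the UTF-16LE path
    """
    if len(data) < 24:
        raise ValueError("record too short to hold a $I header")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (n_units,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + n_units * 2]
    else:
        raise ValueError(f"unknown $I format version {version}")
    # Stop at the first NUL so trailing padding does not leak into the path.
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "size": size,
        "deleted": filetime_to_datetime(filetime),
        "path": path,
    }


def build_dollar_i(version, size, deleted, path):
    """Construct a synthetic $I record (a test fixture, not data from a real host)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(encoded) // 2) + encoded
    raise ValueError("unsupported version")


def companion_r_name(dollar_i_name):
    """Map a $I file name to the $R file that holds the deleted content."""
    if not dollar_i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + dollar_i_name[2:]


def demo():
    """Build one constructed record per format version and parse both back."""
    when = datetime(2021, 7, 13, 10, 30, 0, tzinfo=timezone.utc)  # constructed
    v1 = build_dollar_i(1, 1536, when, r"C:\Users\alice\Desktop\notes.txt")
    v2 = build_dollar_i(2, 4096, when, r"C:\Users\alice\Documents\report.docx")
    return [parse_dollar_i(v1), parse_dollar_i(v2)]


if __name__ == "__main__":
    for rec in demo():
        print(rec["version"], rec["size"], rec["deleted"].isoformat(), rec["path"])
    print(companion_r_name("$IABC123.docx"))
```

On a live image the same `parse_dollar_i` call would be fed the bytes of each $I file under C:\$Recycle.Bin\{SID}\; the size and deletion time come from the record itself, and the content for cross-checking the size is in the matching $R file returned by `companion_r_name`.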


Analyzing Recycle Bin Artifacts with ArtiFast Windows


This section will discuss how to use ArtiFast Windows to analyze Windows recycle bin on Windows machines and what kind of digital forensic insights we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifacts Parser Selection Phase, you can select Windows Recycler (for Windows 2000, NT, XP and 2003) or Windows Recycle Bin (For Windows Vista, 7, 8 and 10):

Once the ArtiFast parser plugins have finished processing the artifacts, they can be reviewed via "Artifact View" or "Timeline View", with indexing, filtering and searching capabilities. Below is a detailed description of the Windows Recycler and Recycle Bin artifacts in the ArtiFast software.


Windows Recycler/ Windows Recycle Bin Artifact

Both artifacts contain information related to the items that have been deleted by the user but for different Windows versions. The details you can view include: