Recycle Bin | artifacts.help

$I, $R files under <SYSTEMDRIVE>:\$Recycle.Bin\<USER_SID>\

Overview

Deleted files and folders (if deleted through a recycle bin aware application).

The deleted files are placed in a subfolder (under %SystemDrive%:\$Recycle.Bin) named after the SID of the user that performed the deletion. Deleted files can thus be associated with a given user.

Information of interest

Two kind of files are present in the Recycle Bin:

$I (for “Information”) files, which contain the path and timestamp of deletion of the original file.
$R (for “Resource”) files, which contain the original file content.

Tool(s)

RBCmd

References

AT&T Cybersecurity - Kushalveer Singh Bachchas - Digital dumpster diving: Exploring the intricacies of recycle bin forensics
13Cubed - Recycle Bin Forensics

Tags:

View on GitHub