Product Features

Digital Forensics: Artifact Profile – Recycle Bin

APPLICATION NAME: Recycle Bin
CATEGORY: Operating System
RELATED ARTIFACTS: None
OPERATING SYSTEMS: Windows
SOURCE LOCATION:
Windows XP – %ROOT%\Recycler\%SID%\
Windows Vista+ – %ROOT%\$Recycle.Bin\%SID%\

Importance to Investigators

The Windows Recycle Bin contains files that have been deleted by the user, but not yet purged from the system. While users can empty out the Recycle Bin quite easily, it is still a valuable source of evidence for an examiner.

Depending on the version of Windows, Recycle Bin evidence is stored in two different ways. For Windows XP, the files are stored in the “Recycler” folder under the user’s specific SID. There is also an INFO2 file which contains an index of all the files that have been deleted, along with some metadata about the recycled files. The INFO2 file will contain the original path, file size, and when the file was deleted.

For Windows Vista+, the data is still stored under the user’s SID, but the parent folder is now called “$Recycle.Bin”. Windows no longer uses the INFO2 file and when a file is deleted, two files are created in the Recycle Bin. The first file begins with the value “$R” followed by a random string – this file contains the actual contents of the recycled file. The second file begins with “$I” and ends in the same string as the “$R” file – this file contains the metadata for that specific file (unlike the INFO2 file which contained the metadata for every file in the Recycle Bin). The “$I” file contains the original filename, path, file size, and when the file was deleted.

Recycle Bin Recovery with Magnet Forensics

Magnet Forensics tools will recover artifacts from the Windows Recycle Bin for Windows XP, Vista, 7, and 8. They will list the filename, date the file was deleted (in UTC), user’s name and SID, original path, file size, current location, as well as indicate if it’s a file or directory. The current location value will help investigators know whether it was the actual file that was deleted or the parent directory.

Recycle Bin Artifact Module

Related Resources

Blog

Blog

Griffeye products now a part of the Magnet Forensics product suite

Following the announcement that Griffeye would become part of Magnet Forensics, we are thrilled to announce that Griffeye is now fully integrated into the Magnet Forensics family. 

April 12, 2024 • About a 2 minute view
Blog

Blog

Magnet Axiom Cyber 7.10: AWS Sign-in improvements & animated maps

The latest release of Magnet AXIOM Cyber is here, and we’re excited to share new features for analysis and cloud acquisitions.

February 29, 2024 • About a 2 minute view
Blog

Blog

Reviewing email evidence with Email Explorer in Magnet Axiom and Axiom Cyber

With the continued prominence of email in corporate settings, we’re thrilled to unveil a highly anticipated feature to AXIOM Cyber: Email Explorer.

February 29, 2024 • About a 4 minute view
Resource Center Home

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top