Recycle Bin

The Recycle Bin on Windows systems is a special folder that temporarily stores deleted files and folders. It is a key artifact in forensic analysis, particularly for investigating deleted file artifacts. The Recycle Bin captures files that have been "soft deleted," meaning they are marked for deletion but not immediately removed from the file system. This allows for the potential recovery of deleted items, along with the associated metadata, which can provide valuable insights into user actions.

Key Insights:

  • Windows XP Path:

    • C:\Recycler

  • Windows 7 and Later Path:

    • C:\$Recycle.Bin

  • User-Specific SID Sub-Folders:

    • Each user's deleted items are stored in a sub-folder within the Recycle Bin, identified by the user's Security Identifier (SID). This SID can be mapped back to a specific user via the Registry, providing a clear link between deleted items and the account responsible for the deletion.

  • Metadata Storage:

    • Windows XP: The INFO2 file within the C:\Recycler directory contains metadata such as deletion times and original filenames.

    • Windows 7 and Later: Files starting with $I###### hold metadata like the original filename and deletion date/time, while files beginning with $R###### contain the contents of the deleted file.

Deeper Dive

Understanding Recycle Bin Artifacts

  • Metadata Files: The $I files are instrumental in determining when a file was deleted and what it was called prior to deletion. This information can be critical in timeline analysis and understanding user behavior.

  • Content Files: The $R files are essentially the deleted files themselves, preserved until the Recycle Bin is emptied. These files can be a goldmine for investigators, potentially containing evidence or important insights into the case at hand.

Analyzing The Artifact

  • Identifying User Actions: By examining the metadata associated with each deleted item, investigators can piece together a timeline of deletion events, correlating these with other user actions or system events.

  • Recovering Deleted Files: The ability to directly access and recover the contents of deleted files provides a direct path to evidence that may have been thought lost. This can include documents, images, or any other file type that was deleted by the user.

  • SID Mapping: Mapping the SID sub-folders to specific users allows for the attribution of deletion actions to individual accounts, adding a layer of accountability and specificity to the forensic analysis.

PreviousThumbcacheNextUser Typed Paths

Last updated

Was this helpful?