Digital forensics

Recycle bin forensics

February 12, 2014 by Warlock

An icon on the Windows desktop represents a directory in which deleted files are temporarily stored. This enables you to retrieve files that you may have accidentally deleted. From time to time, you’ll want to purge the recycle bin to free up space on your hard disk. You can also configure Windows so that it doesn’t use the recycle bin at all, but then you won’t be able to retrieve accidentally deleted files.

When a file is deleted in the Microsoft Windows operating system, it doesn’t delete it permanently; it is stored in the recycle bin. If a user wants to restore the deleted file from the recycle bin, it can be done. If the user holds the shift key at the time of deleting a file, then the file will be deleted permanently without being stored in the recycle bin. In this case, the file is moved to a hidden, system folder where it is renamed and stored until further instructions are given as to what is to happen to the file.

From the forensic point of view, the recycle bin is a gold mine for gathering evidence, clues, etc. By analyzing the recycle bin, we can recover useful data.

To understand how the information files are structured and how the naming convention works, there must first be an understanding of how the recycle bin works. When a user “deletes” a file in Windows, the file itself is not actually deleted. The file at this point is copied into the recycle bin’s system folder, where it is held until the user gives further instructions on what to do with the file. This location varies, depending on the version of Windows the user is running. The table below shows locations from both past versions of Windows as well as Windows Vista.

Here we will see how to analyze the INFO2 file for the Windows XP operating system. First check out the Recycler folder on C drive. The Recycler folder is a hidden directory, so we have to make some changes in the folder options to view that directory.

Open “Folder Options,” then select “Show hidden files and folders” under the “Hidden files and folders” section. Uncheck “Hide protected operating system files” and you are done.

Once the changes have been made, browse the C drive and you can see the Recycler folder clearly.

Inside the Recycler folder, there’ll be a another folder with a name like “S-1-5-21-1078081533-1957994488-1343024091-1003″ or similar. This will be generated for every separate user. In our case, we have only one user in this system; that’s why we have only one.

Now navigate to this directory via the command prompt and type dir /a to view all files and folders. In the below figure we can see there is an INFO2 file.

Just extract that file to the different location. We can’t normally open that file, so we will use a tool called Rifiuti.

Rifiuti is a recycle bin forensic analysis tool. Rifiuti, the Italian word meaning “trash,” was developed to examine the contents of the INFO2 file in the recycle bin.

Next put the INFO2 file inside the Rifiuti folder and run rifiuti.exe via the command prompt.

We can see the Rifiuti usage command after running the rifiuti.exe. Now type in rifiuti.exe INFO2 >result.txt

After running the command, the program will create a result.txt file in the rifuiti folder.

Open the result.txt file.

Now we can clearly see the details of every files. The deleted time of the file, from which drive it was deleted, the drive number and the file size.


Posted: February 12, 2014
View Profile

Warlock works as a Information Security Professional. He has quite a few global certifications to his name such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.