Sunday, 16 September 2018

An intro to the Windows Recycle Bin

The Recycle Bin is a very well known feature of the Windows operating system and has appeared in almost every version (it first appeared in Windows 95).

The Recycle Bin is where files and folders go once they have been deleted. However, there are 4 reasons why a deleted file may not get sent to the system Recycle Bin:

  •  If the Recycle Bin on the system is disabled
  •  If the deleted file is larger in size than the Recycle Bin itself
  •  If the command prompt was used to delete the file
  •  If the SHIFT key was held when deleting the file/folder

As you can expect, the Recycle Bin is one of the places on a computer that is almost always checked during a forensic investigation. If someone has been doing something wrong, there's a good chance they'll attempt to delete the evidence, and if it wasn't deleted in one of the ways detailed above, it'll end up in the Recycle Bin.

In this post I'll explain the Recycle Bin and the types of artefacts it gives us as forensic investigators.

Naming conventions

If you've ever looked at the Recycle Bin in a forensic image or on your own drive you might have noticed it being labelled as either $Recycle.Bin or $RECYCLE.BIN.

The '$' symbol indicates it's a system folder, so that will always be there, but why the different cases?

The distinction is actually really simple. The CamelCase name ($Recycle.Bin) is always given to the Bin on the same drive as Windows, and the all-uppercase name ($RECYCLE.BIN) is used for any Bins stored on secondary drives.

What's inside the bin?

Windows is a multi-user operating system and as such, each user on the computer will have their own Recycle Bin. But how does Windows know which deleted files belong to which user?

Inside the root Recycle Bin folder, additional folders can be found - one for each user on the operating system. If you had 5 users on your computer, you would find 5 folders here. On my analysis machine I only have one user and so there is only one folder.



Each folder here is named with the Security Identifier (SID) of the user that 'owns' it. Inside the SID folder are the actual files that were deleted. Here's a sample of the files found in my analysis machine's Recycle Bin:



Here, the file extensions are recognisable but the names of the files and folders are strange: some begin with $I and others start with $R.

In fact each deleted file is there twice, once with an 'I' prefix and once with an 'R' prefix, but what does this mean?

$I Files

The files in the Recycle Bin that begin with $I are data files containing information about their '$R' partner.

The information found in these 'I' files is certainly valuable and definitely worth investigating; however, unlike the INFO2 file from Windows XP's Recycle Bin, the data is not human readable. Below is how the contents of the file $IOBDDUQ.doc look when viewed with a hex editor:



To understand what is being presented we need to understand how the file is constructed:

Bytes 0 to 7 (0x00 to 0x07) - Header

These first 8 bytes are the file header. On Windows 10 systems this value will always be 2, which means the header alone lets us identify the operating system a Recycle Bin file came from!



Bytes 8 to 15 (0x08 to 0x0F) - File Size

The next 8 bytes in the file contain the size (in bytes) of the original deleted file.



The original document that the $IOBDDUQ.doc file relates to was 41984 bytes in size.

Bytes 16 to 23 (0x10 to 0x17) - Deleted Date and Time

The next 8 bytes in the file contain the date and time that the original file was deleted, which is very useful!



Using the image above you can see that the original file was deleted at 4:54 PM on the 16th of February 2017.

Bytes 24 to 27 (0x18 to 0x1B) - File Name Length

These 4 bytes in the file contain the length of the original file's name.



The original file name was 69 characters long.

Byte 28 (0x1C) onwards - File Path and Name

The rest of the data in the $I file is the path and full name of the original file. This field is obviously of variable length, depending on how long the path and file name were.



You can see that the original path and name of the file was:
D:\Dan\Downloads\Cyber Crime Investigator Placement Role Profile.doc
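Putting the five fields above together, here is an added parser for a Windows 10 $I record (this is example code, not from the original post). It assumes the deletion timestamp is a Windows FILETIME (100-nanosecond ticks since 1 January 1601 UTC), the path is UTF-16LE and the name-length field counts UTF-16 characters including the terminating null; the sample record is constructed from the values the post reads out of $IOBDDUQ.doc, with the deletion time assumed to be UTC.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Decode a Windows 10 (header value 2) $I record into its fields."""
    if len(data) < 28:
        raise ValueError("too short to hold the 28-byte fixed part of an $I record")
    # Bytes 0-7 header, 8-15 original size, 16-23 deletion FILETIME,
    # 24-27 name length in UTF-16 characters (all little-endian).
    version, size, ticks, name_len = struct.unpack_from("<QQQI", data, 0)
    if version != 2:
        # Older $I versions lay the name field out differently; not handled here.
        raise ValueError(f"unsupported $I header value {version}")
    raw_name = data[28:28 + name_len * 2]
    if len(raw_name) != name_len * 2:
        raise ValueError("path field is shorter than the declared name length")
    # The declared length includes the UTF-16 null terminator, so strip it.
    path = raw_name.decode("utf-16-le").rstrip("\x00")
    return {"version": version, "size": size, "name_len": name_len,
            "deleted_utc": filetime_to_datetime(ticks), "path": path}


def build_dollar_i(size, deleted_utc, path):
    """Assemble a version-2 $I record; used here only to construct sample data."""
    encoded = (path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted_utc), len(encoded) // 2)
    return header + encoded


# Constructed sample reproducing the values the post reads out of $IOBDDUQ.doc
# (the deletion time is assumed to be UTC here).
SAMPLE_PATH = r"D:\Dan\Downloads\Cyber Crime Investigator Placement Role Profile.doc"
SAMPLE_I = build_dollar_i(41984, datetime(2017, 2, 16, 16, 54, tzinfo=timezone.utc), SAMPLE_PATH)

if __name__ == "__main__":
    for key, value in parse_dollar_i(SAMPLE_I).items():
        print(f"{key:>12}: {value}")
```

The 68-character path plus its null terminator gives the name length of 69 the post observed, so the whole record is 28 + 138 = 166 bytes.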

The $R Files

Simply put, the $R file is the complete original file!

In this case, it's the full 'Cyber Crime Investigator Placement Role Profile.doc'. Using a hex editor it is possible to view the text contents of the file, and a tool like Strings or the 'Find' feature in your analysis tool can be used to locate specific information in the document, such as the word 'Salary'.



Thanks for reading this quick overview of the Windows 10 Recycle Bin and what sort of files you can expect to find in it.

Dan

2 comments:

  1. Hi Dan,
    Great first post, I heard about your blog from Phil Moore's blog. I'm a DFIR student at UCF, just starting my first semester, so just getting into the field. What tool were you using to view the hex information? WinHex?

    Thanks!
    Chris

    1. Hi Chris!

      Thanks for reading! It's crazy Phil included me in the round-up, heart almost stopped when I saw :)

      In this post I was using FTK Imager v3.4.3.3, you might need to enable the Hex Value Interpreter pane from the menus.

      Good luck on your course, Digital Forensics is so fun!
