Lecture 13 - Recycle Bin Forensics

The document discusses how the Windows Recycle Bin stores deleted files. It explains that when a file is deleted, it is moved to the Recycle Bin where it still takes up disk space until being permanently removed. Investigators can check the Recycle Bin for deleted files and metadata to aid forensic analysis.

Uploaded by

htoothit781

Recycle Bin Forensics

Cont’d
• In the NTFS file system, when a user deletes a file, the OS only marks the file entry as unallocated; it does not erase the actual file contents.
• The clusters allocated to the deleted file are marked as free in $BitMap (the $BitMap file is a record of all used and unused clusters).
• The OS now treats those clusters as free and can use that space to store a new file.
• The deleted file can be recovered as long as the space has not been allocated to another file.
• On a Windows system, a normal Delete operation sends the files to the Recycle Bin.
• A Shift+Delete operation bypasses the Recycle Bin.
Recycle Bin in Windows
• The Recycle Bin temporarily stores deleted files.
• When a user deletes an item, it is sent to the Recycle Bin.
• However, it does not store items deleted from removable media such as a USB drive, or from a network drive.
• Items in the Recycle Bin still consume hard disk space and are easy to restore.
• Users can use the Restore option in the Recycle Bin to send deleted files back to their original location.
• Even after files are deleted from the Recycle Bin, they continue to consume hard disk space until the OS overwrites those locations with new data.
Cont’d
• When the Recycle Bin becomes full, Windows automatically deletes the oldest items.
• Windows assigns a specific amount of space on each hard disk partition for storing Recycle Bin files.
• Items larger than that space are not stored in the Recycle Bin; they are deleted permanently.
Recycle Bin storage location on the NTFS file system:
• On Windows Vista and later versions, it is located in Drive:\$Recycle.Bin\
• The $R and $I files are located at C:\$Recycle.Bin\<user SID>\
• The $I file contains the following metadata:
  • Original file name
  • Original file size
  • The date and time the file was deleted
Find a User's Security Identifier (SID) in Windows
In Command Prompt, type
wmic useraccount get name,sid
and press Enter.
Recycle Bin Forensics
• The original files pertaining to the $I files are not visible in the Recycle Bin folder when:
  • the $I file is corrupted or damaged
  • the attacker/insider deletes the $I files from the Recycle Bin
• During a forensic investigation, the investigator should check for the $R files in the Recycle Bin directory to counter this anti-forensic technique used by the attacker.
• In the command prompt:
  • C:\>cd $recycle.bin
  • C:\$Recycle.Bin>cd <user SID>
  • for example: C:\$Recycle.Bin>cd S-1-5-21-3505585351-3972237474-2963541811-500
  • C:\$Recycle.Bin\S-1-5-21-3505585351-3972237474-2963541811-500>dir /a
  • C:\$Recycle.Bin\S-1-5-21-3505585351-3972237474-2963541811-500>copy $R* D:\Recover
  • C:\$Recycle.Bin\S-1-5-21-3505585351-3972237474-2963541811-500>copy $I* D:\Recover
• The $I files are not in a readable format; use a tool called $I Parse to decode them.
• Download link: https://df-stream.com/recycle-bin-i-parser/
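As an added example, not from the lecture or from the $I Parse tool, the following Python decodes the $I metadata record described above (the $R file carries the deleted content, the $I file its metadata) and, for the dir /a step, flags $R files whose $I partner is missing. The byte layout is an assumption based on the publicly documented $I format; the sample path, timestamp and file names are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# $I record layout (assumed from the publicly documented format; $R holds the content):
#   0x00  8 bytes  version: 1 = Vista to 8.1, 2 = Windows 10 and later
#   0x08  8 bytes  original file size, little-endian
#   0x10  8 bytes  deletion time as FILETIME (100 ns ticks since 1601-01-01 UTC)
#   0x18  path:    v1 = 520 bytes (260 UTF-16LE chars, NUL padded)
#                  v2 = 4-byte character count, then UTF-16LE path ending in NUL
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_dollar_i(data: bytes) -> dict:
    """Decode one $I record into its original path, size and deletion time."""
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[0x18:0x18 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        path = data[0x1C:0x1C + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"version": version, "size": size, "deleted_utc": deleted, "path": path}

def build_dollar_i(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Construct a synthetic $I record (test data, not captured from a real system)."""
    delta = deleted - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    header = struct.pack("<QQQ", version, size, filetime)
    if version == 1:
        return header + path.encode("utf-16-le").ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + (path + "\x00").encode("utf-16-le")

def pair_recycle_entries(names: list[str]) -> tuple[dict, list[str]]:
    """Match $I<id> to $R<id> names from a 'dir /a' listing. $R files with no $I
    partner are the orphans to flag: their metadata was damaged or removed."""
    i_ids = {n[2:] for n in names if n.startswith("$I")}
    r_ids = {n[2:] for n in names if n.startswith("$R")}
    pairs = {"$I" + k: "$R" + k for k in sorted(i_ids & r_ids)}
    return pairs, ["$R" + k for k in sorted(r_ids - i_ids)]

# Constructed sample values (hypothetical user and path, not from the lecture).
SAMPLE_DELETED = datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\alice\Documents\report.docx"
SAMPLE_RECORD = build_dollar_i(2, 4096, SAMPLE_DELETED, SAMPLE_PATH)

if __name__ == "__main__":
    print(parse_dollar_i(SAMPLE_RECORD))
    print(pair_recycle_entries(["$IABC123.docx", "$RABC123.docx", "$RXYZ789.txt"]))
```

To use it on evidence, read each $I file from the copied D:\Recover directory as bytes and pass it to parse_dollar_i; feed the file names from dir /a to pair_recycle_entries.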