Recycle Bin Information
Overview
Evidence: Recycle Bin Information
Description: Collect information about items in recycle bin
Category: System
Platform: windows
Short Name: rbi
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
When a file is deleted through Windows Explorer (not with Shift+Delete, `del`, or `Remove-Item`, which bypass the bin), it is moved into a per-user folder `$Recycle.Bin\<SID>` on the same volume. Windows Vista and later create two files for each deleted item, sharing a random identifier:
- $I file (`$I<id>.<ext>`): Contains metadata (original path, deletion time, original size)
- $R file (`$R<id>.<ext>`): Contains the actual file content (or the folder tree, for a deleted directory)
The $I metadata files reveal what was deleted, when, and from which original location. Who deleted it comes from the SID of the `$Recycle.Bin` subfolder the pair sits in, not from the $I record itself.
Data Collected
This collector gathers structured data about items in the Recycle Bin.
Recycle Bin Information Data
| Field | Description | Example |
|---|---|---|
| FileName | Original file name | document.docx |
| OriginalPath | Original file path before deletion | C:\Users\user\Documents\document.docx |
| SID | SID of the user whose Recycle Bin folder holds the item | S-1-5-21-… |
| Username | Username resolved from the SID | DOMAIN\user |
| Type | Whether File or Folder | File |
| Attributes | File attributes (Win32 attribute bitmask, decimal) | 32 |
| DeletionTime | When the file was deleted (UTC) | 2023-10-15T14:30:00 |
| OriginalSize | Original file size in bytes before deletion | 1048576 |
Collection Method
This collector:
- Searches for `$Recycle.Bin\*` folders on all drives
- Enumerates `$I*` files (metadata files)
- Parses the $I file format (Version 1 or Version 2)
- Extracts deletion metadata
- References the corresponding `$R*` files (the deleted content)
- Resolves user SIDs to usernames
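The $I layout described in the Background and walked by the steps above is small enough to parse by hand. The following is an added example, not the collector's own code: it decodes both record versions (Version 1, Vista through 8.1: 8-byte version, 8-byte size, 8-byte FILETIME, then a fixed 520-byte UTF-16LE path; Version 2, Windows 10 and later: the same 24-byte header, a 4-byte character count, then the path), converts the FILETIME, and derives the owning SID and the sibling $R path from a $I path. The sample records and the SID `S-1-5-21-1000` are constructed here for illustration, not captured from a real system.

```python
"""Parse Recycle Bin $I metadata records (Version 1 and Version 2) offline."""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used below only to build constructed fixtures."""
    return (dt - _FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_i_file(data: bytes) -> dict:
    """Decode one $I record. Raises ValueError on unknown or truncated input."""
    if len(data) < 24:
        raise ValueError("$I record shorter than the 24-byte header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Fixed 260 UTF-16LE characters (520 bytes), null padded.
        if len(data) < 544:
            raise ValueError("truncated Version 1 $I record")
        path = data[24:544].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # 4-byte character count (including the terminator) precedes the path.
        if len(data) < 28:
            raise ValueError("truncated Version 2 $I header")
        (nchars,) = struct.unpack_from("<I", data, 24)
        end = 28 + nchars * 2
        if len(data) < end:
            raise ValueError("truncated Version 2 $I path")
        path = data[28:end].decode("utf-16-le").split("\x00", 1)[0]
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": size,
        "deletion_time": filetime_to_datetime(ft),
        "original_path": path,
        "file_name": ntpath.basename(path),
    }


def locate(i_path: str) -> dict:
    """Map a $I path to the SID folder that owns it and its sibling $R file.
    The pair shares the random <id>.<ext> suffix inside $Recycle.Bin\\<SID>."""
    folder, name = ntpath.split(i_path)
    if not name.startswith("$I"):
        raise ValueError("not a $I file name")
    return {"sid": ntpath.basename(folder),
            "r_path": ntpath.join(folder, "$R" + name[2:])}


def build_i_record(version: int, path: str, size: int, deleted_at: datetime) -> bytes:
    """Constructed fixture builder (assumption: not the collector's code)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    if version == 2:
        return header + struct.pack("<I", len(path) + 1) + encoded
    raise ValueError(f"unsupported version {version}")


# Constructed sample records, matching the example row in the table above.
SAMPLE_PATH = r"C:\Users\user\Documents\document.docx"
SAMPLE_TIME = datetime(2023, 10, 15, 14, 30, tzinfo=timezone.utc)
SAMPLE_V1 = build_i_record(1, SAMPLE_PATH, 1048576, SAMPLE_TIME)
SAMPLE_V2 = build_i_record(2, SAMPLE_PATH, 1048576, SAMPLE_TIME)
SAMPLE_I_PATH = r"C:\$Recycle.Bin\S-1-5-21-1000\$IABC123.docx"

if __name__ == "__main__":
    for rec in (SAMPLE_V1, SAMPLE_V2):
        print(parse_i_file(rec))
    print(locate(SAMPLE_I_PATH))
```

Run against real evidence by reading each `$I*` file under `$Recycle.Bin\<SID>` with `open(path, "rb")` and passing the bytes to `parse_i_file`; `locate` then points at the `$R` file to recover and names the SID to resolve. Note that the File/Folder type is not stored in the $I record; it is determined by whether the matching $R entry is a directory.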
Forensic Value
Recycle Bin analysis is fundamental for recovering deleted evidence and establishing deletion timelines. Investigators use this data to recover deleted files from the $R entries, establish deletion timelines from the $I timestamps, attribute deletions to a user account via the SID folder, prove that a file existed at a given path before deletion, track data destruction attempts, and correlate deletions with other user activity.