Recycle Bin Information

Overview

Evidence: Recycle Bin Information Description: Collect Information About Items in Recycle Bin Category: System Platform: Windows Short Name: rbi Is Parsed: Yes - $I metadata files are parsed Sent to Investigation Hub: Yes Collect File(s): No

Background

When files are deleted through Windows Explorer, they are moved to the Recycle Bin. Windows creates two files for each deleted item:

• $I file: Contains metadata (original path, deletion time, file size)

• $R file: Contains the actual file content

The $I metadata files can reveal what files were deleted, when, by whom, and their original locations.

Data Collected

Collection Method

This collector:

• Searches for $Recycle.Bin\* folders on all drives

• Enumerates $I* files (metadata files)

• Parses $I file format (Version 1 or Version 2)

• Extracts deletion metadata

• References corresponding $R files (recovered content)

• Resolves user SIDs to usernames

Usage

Recycle Bin analysis is fundamental for recovering deleted evidence and establishing deletion timelines. Investigators use this data to recover deleted files, establish file deletion timelines, identify who deleted files, prove file existence before deletion, track data destruction attempts, and correlate deletions with user activity.

Known Limitations

• Recycle Bin can be emptied by users

• Files deleted with Shift+Delete bypass Recycle Bin

• Files may be automatically removed based on size limits

• $I files persist after emptying but $R files are deleted

• Format differs between Windows Vista/7 (v1) and Windows 8+ (v2)

Notes

Even after "emptying" the Recycle Bin, $I metadata files often remain until overwritten. These can provide evidence of deleted files even when the actual file content ($R) is no longer recoverable.