Recycle Bin Information
Overview
Evidence: Recycle Bin Information
Description: Collect information about items in recycle bin
Category: System
Platform: windows
Short Name: rbi
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
When files are deleted through Windows Explorer, they are moved to the Recycle Bin. Windows creates two files for each deleted item:
$I file: Contains metadata (original path, deletion time, file size)
$R file: Contains the actual file content
The $I metadata files can reveal what files were deleted, when, by whom, and their original locations.
Data Collected
This collector gathers structured data about the items in the Recycle Bin.
Recycle Bin Information Data
FileName: Original file name (example: document.docx)
OriginalPath: Original file path before deletion (example: C:\Users\user\Documents\document.docx)
SID: User SID who deleted the file (example: S-1-5-21-...)
Username: Username who deleted the file (example: DOMAIN\user)
Type: Whether File or Folder (example: File)
Attributes: File attributes (example: 32)
DeletionTime: When file was deleted (example: 2023-10-15T14:30:00)
OriginalSize: Original file size before deletion (example: 1048576)
Collection Method
This collector:
Searches for $Recycle.Bin\* folders on all drives
Enumerates $I* files (metadata files)
Parses $I file format (Version 1 or Version 2)
Extracts deletion metadata
References corresponding $R files (recovered content)
Resolves user SIDs to usernames
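The parsing step above, as an added example (not the collector's own code): a minimal parser for both $I versions. The byte offsets follow the commonly documented $I layout and are not stated on this page; `build_sample` and the sample values are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # version 1 stores a fixed 260 UTF-16 code units


def parse_i_file(data: bytes) -> dict:
    """Parse the raw bytes of a $I metadata file (version 1 or 2)."""
    if len(data) < 24:
        raise ValueError("truncated $I file: header needs 24 bytes")
    version, size, filetime = struct.unpack_from("<qqQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
    elif version == 2:
        if len(data) < 28:
            raise ValueError("truncated $I file: missing path length")
        (nchars,) = struct.unpack_from("<I", data, 24)  # includes the NUL
        raw = data[28:28 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("truncated $I file: path shorter than declared")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    try:  # FILETIME: 100 ns ticks since 1601-01-01 UTC
        deleted = (FILETIME_EPOCH + timedelta(microseconds=filetime // 10)).isoformat()
    except OverflowError:
        deleted = None  # timestamp out of range: treat the field as corrupt
    return {"Version": version, "OriginalPath": path,
            "FileName": path.rsplit("\\", 1)[-1],
            "OriginalSize": size, "DeletionTime": deleted}


def build_sample(version: int, path: str, size: int, when: datetime) -> bytes:
    """Construct a synthetic $I record for testing (not real evidence)."""
    ft = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    header = struct.pack("<qqQ", version, size, ft)
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(V1_PATH_BYTES, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


SAMPLE_TIME = datetime(2023, 10, 15, 14, 30, tzinfo=timezone.utc)  # constructed
SAMPLE_PATH = r"C:\Users\user\Documents\document.docx"  # constructed

if __name__ == "__main__":
    for v in (1, 2):
        print(parse_i_file(build_sample(v, SAMPLE_PATH, 1048576, SAMPLE_TIME)))
```

The SID is not stored inside the $I file; it comes from the name of the per-user folder under $Recycle.Bin that contains it.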
Forensic Value
Recycle Bin analysis is fundamental for recovering deleted evidence and establishing deletion timelines. Investigators use this data to recover deleted files, establish file deletion timelines, identify who deleted files, prove file existence before deletion, track data destruction attempts, and correlate deletions with user activity.

