# Recycle Bin Information

## Overview

**Evidence:** Recycle Bin Information\
**Description:** Collect information about items in recycle bin\
**Category:** System\
**Platform:** windows\
**Short Name:** rbi\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

When files are deleted through Windows Explorer, they are moved to the Recycle Bin. Windows creates two files for each deleted item:

* $I file: Contains metadata (original path, deletion time, file size)
* $R file: Contains the actual file content

The $I metadata files can reveal what files were deleted, when, by whom, and their original locations.

## Data Collected

This collector gathers structured data about each item found in the Recycle Bin.

### Recycle Bin Information Data

| Field          | Description                        | Example                               |
| -------------- | ---------------------------------- | ------------------------------------- |
| `FileName`     | Original file name                 | document.docx                         |
| `OriginalPath` | Original file path before deletion | C:\Users\user\Documents\document.docx |
| `SID`          | SID of user who deleted the file   | S-1-5-21-...                          |
| `Username`     | Name of user who deleted the file  | DOMAIN\user                           |
| `Type`         | Whether File or Folder             | File                                  |
| `Attributes`   | File attributes                    | 32                                    |
| `DeletionTime` | When file was deleted              | 2023-10-15T14:30:00                   |
| `OriginalSize` | Original file size before deletion | 1048576                               |

## Collection Method

This collector:

* Searches for `$Recycle.Bin\*` folders on all drives
* Enumerates $I\* files (metadata files)
* Parses $I file format (Version 1 or Version 2)
* Extracts deletion metadata
* References corresponding $R files (recovered content)
* Resolves user SIDs to usernames

## Forensic Value

Recycle Bin analysis is fundamental for recovering deleted evidence and establishing deletion timelines. Investigators use this data to recover deleted files, establish file deletion timelines, identify who deleted files, prove file existence before deletion, track data destruction attempts, and correlate deletions with user activity.
