Recycle Bin ($Recycle.bin)
Purpose and Function
The Windows Recycle Bin is a special system folder that functions as a staging area for files and folders deleted by a user through standard methods (e.g., pressing the Delete key or using the right-click context menu). Its primary purpose is to act as a safety net, holding deleted items indefinitely until the user chooses to either permanently remove them by emptying the bin or restore them to their original location.
It is critical to understand that files sent to the Recycle Bin are not in a temporary state with an expiration date. They remain there until an explicit action is taken. Files deleted using Shift + Delete or removed programmatically by certain applications bypass the Recycle Bin entirely.
From a DFIR perspective, the Recycle Bin is a crucial artifact. It meticulously records metadata about every item sent to it, providing definitive evidence of what was deleted and exactly when.
Location and Structure
Each NTFS volume on a Windows system has its own hidden, protected system folder named $Recycle.bin located at the root of the drive (e.g., C:\$Recycle.bin). To view this folder, an analyst must enable the viewing of both "hidden files" and "protected operating system files" in File Explorer options.
Inside the $Recycle.bin folder, subfolders are created that are named after the Security Identifier (SID) of each user who has deleted files on that volume. This structure ensures that deleted items are directly attributable to a specific user account.
Within a user's SID subfolder, each deleted item is represented by two distinct files that share the same unique ID:
$I{unique_ID}.{original_extension}: This is the metadata file. It is a small but forensically rich file containing:
The original full path of the deleted item.
The size of the original file in bytes.
A high-precision FILETIME timestamp indicating exactly when the item was sent to the Recycle Bin.
$R{unique_ID}.{original_extension}: This is the content file. It contains the actual data of the deleted item, preserving its original file extension but renamed with a $R prefix.
When a user empties the Recycle Bin, both the $I and $R files associated with the items are permanently removed from the file system.
Stored Metadata
The primary forensic value is concentrated in the $I metadata file. A forensic parser will extract:
Original Filename and Path: Confirms what the file was named and where it was located before deletion.
Deletion Timestamp: This is the most critical piece of evidence. The "Date Created" timestamp of the $I... file itself directly corresponds to the moment the original file was moved to the Recycle Bin.
File Size: The size of the original file.
User Attribution: The SID-based folder structure provides a direct, undeniable link between the deletion and a specific user account.
Forensic Value
The Recycle Bin is an invaluable source for recovering discarded evidence and understanding a user's attempts to hide their actions.
Recovering Discarded Evidence: Analysts can often recover the full content of deleted files by accessing the $R... files, providing direct access to evidence a user believed was gone.
Establishing a Deletion Timeline: The deletion timestamps within the $I... files are essential for building a precise timeline. Finding suspicious files that were deleted moments before an investigation is a significant red flag.
Proving Prior Existence and Location: The original path proves that a file existed in a specific location, corroborating findings from execution artifacts that might point to a now-missing file.
Detecting Clearing Activity: The "Date Modified" timestamp of the parent $Recycle.bin folder (or the user's specific SID subfolder) is updated upon any interaction, including emptying the bin. A very recent modification time is a strong indicator of recent clearing activity.
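The following script is an added example and is not code from the original page. It puts the Stored Metadata and Forensic Value sections above into practice: it parses $I records in both on-disk layouts (the version 1 layout with a fixed 520-byte path field used by Vista through 8.1, and the version 2 layout with a length-prefixed path used by Windows 10 and later; these layouts are stated from knowledge of the format, not from the page), pairs each $I with its $R to see whether the content survives, orders deletions by the embedded FILETIME, and flags SID folders whose "Date Modified" falls inside a triage window. The SID, file names, paths and timestamps are constructed fixtures written to a temporary directory so the script runs anywhere; on a real system you would point triage_recycle_bin at C:\$Recycle.bin. The build_dollar_i helper exists only to create those fixtures; Explorer writes real records.

```python
"""Parse Windows Recycle Bin $I metadata files and triage a $Recycle.bin tree (added example)."""
import struct
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # timedelta // timedelta is exact integer arithmetic, so no float rounding on large values.
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I record.

    Both layouts start with: u64 version, u64 original size, u64 FILETIME of deletion.
    Version 1 (Vista..8.1): fixed 520-byte UTF-16LE path (260 chars, NUL padded).
    Version 2 (Windows 10+): u32 path length in UTF-16 chars (including the terminating NUL),
    followed by that many UTF-16LE chars.
    """
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def build_dollar_i(path: str, size: int, deleted_at: datetime, version: int = 2) -> bytes:
    """Build a $I record. Test fixture only: real records are written by Explorer."""
    encoded = path.encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded + b"\x00\x00"


def triage_recycle_bin(root: Path, now: datetime, recent_minutes: int = 10) -> dict:
    """Walk <root>/<SID>/, pair $I with $R, and flag SID folders modified within the window."""
    findings = {"entries": [], "recently_modified_sid_folders": []}
    for sid_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        mtime = datetime.fromtimestamp(sid_dir.stat().st_mtime, tz=timezone.utc)
        if now - mtime <= timedelta(minutes=recent_minutes):
            findings["recently_modified_sid_folders"].append(sid_dir.name)
        for i_file in sorted(sid_dir.glob("$I*")):
            rec = parse_dollar_i(i_file.read_bytes())
            r_file = sid_dir / ("$R" + i_file.name[2:])  # same unique ID, $R prefix
            rec["sid"] = sid_dir.name
            rec["content_present"] = r_file.exists()
            rec["content_size_on_disk"] = r_file.stat().st_size if r_file.exists() else None
            rec["deleted_within_window"] = now - rec["deleted_at"] <= timedelta(minutes=recent_minutes)
            findings["entries"].append(rec)
    findings["entries"].sort(key=lambda e: e["deleted_at"])  # deletion timeline
    return findings


def build_demo_bin(base: Path, now: datetime) -> Path:
    """Create a constructed $Recycle.bin layout with one user SID folder (placeholder SID)."""
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed placeholder, not a real SID
    sid_dir = base / "$Recycle.bin" / sid
    sid_dir.mkdir(parents=True)
    # Old deletion (version 1 record) whose $R content is still present.
    (sid_dir / "$IABC123.txt").write_bytes(
        build_dollar_i(r"C:\Users\player\Documents\notes.txt", 11, now - timedelta(days=3), version=1))
    (sid_dir / "$RABC123.txt").write_bytes(b"hello world")
    # Recent deletion (version 2 record) whose $R is already gone.
    (sid_dir / "$IXYZ789.exe").write_bytes(
        build_dollar_i(r"C:\Users\player\Downloads\sample.exe", 123456, now - timedelta(minutes=2)))
    return base / "$Recycle.bin"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        report = triage_recycle_bin(build_demo_bin(Path(tmp), now), now)
        for e in report["entries"]:
            print(e["deleted_at"].isoformat(), e["sid"], e["original_path"], e["original_size"],
                  "content present" if e["content_present"] else "content missing",
                  "RECENT" if e["deleted_within_window"] else "")
        print("SID folders modified in window:", report["recently_modified_sid_folders"])
```

On a live system, compare the FILETIME parsed from each $I with the $I file's own "Date Created"; the two should agree, and a mismatch is worth a closer look. An $I without a matching $R, as in the second fixture, means the content is no longer recoverable from the bin even though the metadata still proves the file's prior path and deletion time.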
It is important to remember that drives formatted with FAT32 or exFAT (common for USB drives) do not have this standard $Recycle.bin structure.
Reflection points (SS Contest)
For a ScreenSharer, the Recycle Bin is a primary location to check for evidence that a player has attempted to discard just before the check.
Finding the Pre-SS Cleanup: A player under suspicion will often delete their cheats via the standard method just before being "frozen". The Recycle Bin is the first place this evidence lands. Finding a cheat with a deletion timestamp just moments before the SS began is conclusive proof of an attempt to hide it.
Recovering the Smoking Gun: An SSer can frequently recover the full cheat executable from the $R... file. This allows for immediate analysis (checking its hash, strings, or uploading to VirusTotal), turning a deleted file into concrete evidence.
Confirming Evidence Clearing: Even if the player has emptied the Recycle Bin, an SSer can check the "Date Modified" timestamp of the C:\$Recycle.bin folder. A timestamp that is extremely recent strongly indicates the player just wiped the bin to destroy evidence, a highly suspicious act in itself.
Direct User Attribution: The SID folder structure makes it simple to attribute the deletion to the active user, preventing them from plausibly denying the action or blaming another user or a system process.