Recycle Bin Clearing

  • Description: This involves emptying the Recycle Bin, which permanently removes the files previously sent there via standard deletion methods.

  • Mechanism:

    • Right-clicking the Recycle Bin icon -> "Empty Recycle Bin".

    • Using disk cleanup utilities that include Recycle Bin cleaning.

  • Why Cheaters Use It: To permanently remove any potentially suspicious files they might have deleted normally just before the screenshare, ensuring they aren't easily recoverable from the bin.

  • Detection: While the deleted files themselves are gone (barring file recovery techniques), the act of emptying the bin leaves a trace:

    • $Recycle.bin Folder Timestamp: Check the Date Modified timestamp of the hidden system folder $Recycle.bin located at the root of the relevant drive (e.g., C:\$Recycle.bin). If this timestamp is very recent (e.g., minutes before the screenshare started), it indicates that the bin was interacted with recently, most likely by emptying it or potentially restoring a file from it. Remember to enable viewing of hidden and protected system files to see this folder.

PreviousEvent Log Clearing/ManipulationNextFile Replacement (Replace Method)

Last updated