Recycle Bin (C:\$Recycle.bin)
Purpose: The Recycle Bin acts as a temporary holding area for files and folders deleted by the user through standard methods (e.g., pressing the Delete key, right-clicking and selecting Delete). It allows users to potentially recover accidentally deleted items. Items deleted using Shift+Delete bypass the Recycle Bin entirely.
Location: Each NTFS volume typically has its own hidden, protected system folder named `$Recycle.bin` located at the root of the drive (e.g., `C:\$Recycle.bin`, `D:\$Recycle.bin`).
Accessing: To view the contents, you must first configure File Explorer options to:
Check "Show hidden files, folders, and drives."
Uncheck "Hide protected operating system files (Recommended)."
Forensic Analysis: The key to analyzing the Recycle Bin lies in its internal structure and the metadata associated with deleted items. Within the `$Recycle.bin` folder there are subfolders named after the Security Identifiers (SIDs) of the users who deleted files. Inside a user's SID folder, each deleted item is represented by two hidden files:
`$I{unique_ID}.{original_extension}`: This is the metadata file. It contains crucial information such as the original full path of the deleted item and, most importantly, the timestamp indicating exactly when the item was deleted. The Date Modified/Created timestamp of the `$I...` file itself also reflects the deletion time.
`$R{unique_ID}.{original_extension}`: This file contains the actual data content of the deleted item.
Analyzing the deletion timestamps of `$I...` files is critical. Finding cheat-related files deleted shortly before or during a screenshare is a significant red flag.
Additionally, checking the Date Modified timestamp of the `$Recycle.bin` folder itself (or the specific user SID subfolder) can indicate the last time any interaction occurred with the bin on that volume, such as deleting an item, restoring an item, or emptying the bin. A very recent modification time warrants investigation.
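As an added example (not part of the original page), here is a Python parser for the `$I` record layout: an 8-byte version, an 8-byte original file size, an 8-byte FILETIME deletion timestamp, then the original path (a fixed 520-byte buffer in version 1 on Vista/7, or a 4-byte character count followed by the path in version 2 on Windows 10 and later). The sample record, path and screenshare window below are constructed for the demonstration; a real analysis would read the `$I` files out of the SID subfolders.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    d = dt - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_i_file(data: bytes) -> dict:
    """Decode one $I record: version, original size, deletion time, original path."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista/7: fixed 520-byte buffer holding a NUL-terminated UTF-16LE path
        path = data[24:24 + 520].decode("utf-16-le", "replace").split("\x00", 1)[0]
    elif version == 2:
        # Windows 10+: 4-byte character count (includes the NUL), then the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16-le", "replace").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}

def build_i_file_v2(path: str, size: int, deleted: datetime) -> bytes:
    """Build a version-2 $I record (constructed test data, not a real artifact)."""
    header = struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted), len(path) + 1)
    return header + (path + "\x00").encode("utf-16-le")

def deleted_in_window(record: dict, start: datetime, end: datetime) -> bool:
    """True if the item was deleted inside [start, end], e.g. during a screenshare."""
    return start <= record["deleted_utc"] <= end

# Constructed sample: a hypothetical download deleted five minutes into a screenshare
SAMPLE_PATH = r"C:\Users\player\Downloads\example.jar"
SAMPLE_DELETED = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_I = build_i_file_v2(SAMPLE_PATH, 1_048_576, SAMPLE_DELETED)
SAMPLE_RECORD = parse_i_file(SAMPLE_I)
SCREENSHARE_START = SAMPLE_DELETED - timedelta(minutes=5)
SCREENSHARE_END = SAMPLE_DELETED + timedelta(minutes=30)

if __name__ == "__main__":
    print(SAMPLE_RECORD, deleted_in_window(SAMPLE_RECORD, SCREENSHARE_START, SCREENSHARE_END))
```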
Bypasses and Limitations:
Shift+Delete: As mentioned, this permanently deletes the file, bypassing the Recycle Bin structure. However, the deletion event itself is often still logged in other artifacts like the USN Journal (`$UsnJrnl`).
FAT32/exFAT: Drives formatted with these file systems typically do not have the standard `$Recycle.bin` structure. Deletion behavior is different, and standard Recycle Bin analysis methods do not apply. File recovery tools (like Recuva) become more relevant on these systems.