# Recycle Bin Artifacts

## **Introduction**

The Windows Recycle Bin plays a vital role in forensic investigations, as it temporarily retains deleted items before they are permanently removed or restored. By analyzing Recycle Bin artifacts, investigators can uncover essential details such as the original location, deletion time, and file size, providing critical insights into user or attacker activities.

***

## **Key Artifacts in the Recycle Bin**

### **1. $I Files**

These files store metadata about deleted items:

* **Original File Path**: Full path of the file before deletion.
* **Size**: Size of the deleted item in bytes.
* **Timestamp of Deletion**: Stored as a 64-bit Windows FILETIME value, which is always recorded in **UTC**, so no time-zone correction is needed.

### **2. $R Files**

These files contain the actual content of deleted items:

* Present until the item is restored, the Recycle Bin is emptied, or the entry is otherwise permanently removed.
* Allow recovery of the file's original data, since the content itself is moved rather than copied.

***

## **Location of Recycle Bin Artifacts**

Recycle Bin artifacts are stored in user-specific **SID directories**:

```
C:\$Recycle.Bin\{SID}\
```

* **{SID}**: Represents the Security Identifier associated with each user account.
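As an added example (not code from the page or from any of Eric Zimmerman's tools), the following Python parser reads `$I` records in both layouts Windows has used: version 1 (Vista/7/8, fixed 520-byte path field) and version 2 (Windows 10 and later, length-prefixed path). It also walks a `$Recycle.Bin`-style directory tree, one subdirectory per SID, and checks whether each `$I` record's matching `$R` content file still exists; the two files share the same random name suffix (`$Ixxxxxx.ext` / `$Rxxxxxx.ext`). The sample records, the SID and the `$R` stub bytes are constructed in the `demo()` function and are not real evidence; the sample values mirror the case example later on this page.

```python
import struct
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic so large values stay exact."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_i_file(data: bytes) -> dict:
    """Parse the raw bytes of a $I record.

    Layout (all little-endian):
      0x00  u64  format version (1 = Vista/7/8, 2 = Windows 10 and later)
      0x08  u64  original file size in bytes
      0x10  u64  deletion time as FILETIME (UTC)
      0x18  v1: 520-byte null-padded UTF-16LE path
            v2: u32 path length in UTF-16 code units (incl. terminator), then the path
    """
    if len(data) < 24:
        raise ValueError("too short to be a $I record")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        if len(raw) != 520:
            raise ValueError("truncated v1 path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated v2 path field")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}


def r_file_name(i_file_name: str) -> str:
    """$I<token>.<ext> and $R<token>.<ext> share the same random token."""
    if not i_file_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_file_name[2:]


def scan_recycle_bin(root: Path) -> list:
    """Walk <root>/<SID>/$I* records; note whether the matching $R content file survives."""
    results = []
    for i_path in sorted(root.glob("*/$I*")):
        rec = parse_i_file(i_path.read_bytes())
        rec["sid"] = i_path.parent.name
        rec["r_file_present"] = (i_path.parent / r_file_name(i_path.name)).exists()
        results.append(rec)
    return results


def build_i_file(version: int, path: str, size: int, deleted: datetime) -> bytes:
    """Constructed test data: serialise a $I record in either layout."""
    ft = datetime_to_filetime(deleted)
    encoded = path.encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + encoded.ljust(520, b"\x00")
    encoded += b"\x00\x00"
    return struct.pack("<QQQI", 2, size, ft, len(encoded) // 2) + encoded


# Constructed sample mirroring the case example on this page (not real evidence)
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # placeholder SID
SAMPLE_PATH = r"C:\Users\Public\Documents\document.pdf.exe"
SAMPLE_SIZE = 512 * 1024
SAMPLE_DELETED = datetime(2023, 11, 1, 14, 23, 45, tzinfo=timezone.utc)


def demo() -> list:
    """Write the sample records into a temporary $Recycle.Bin layout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        sid_dir = Path(tmp) / SAMPLE_SID
        sid_dir.mkdir()
        # v2 record whose $R content file is still present
        (sid_dir / "$IABC123.exe").write_bytes(build_i_file(2, SAMPLE_PATH, SAMPLE_SIZE, SAMPLE_DELETED))
        (sid_dir / "$RABC123.exe").write_bytes(b"MZ" + b"\x00" * 62)  # constructed stub content
        # v1 record whose $R content file has already been purged
        (sid_dir / "$IXYZ789.txt").write_bytes(build_i_file(1, r"C:\Users\Public\notes.txt", 42, SAMPLE_DELETED))
        return scan_recycle_bin(Path(tmp))


if __name__ == "__main__":
    for rec in demo():
        flag = "yes" if rec["r_file_present"] else "no "
        print(f"{rec['deleted_utc'].isoformat()}  {rec['size']:>8}  $R={flag}  {rec['original_path']}")
```

A `$I` record with no surviving `$R` sibling is still worth keeping on the timeline: the metadata proves that the path existed and when it was deleted, even though the content can no longer be recovered from the Recycle Bin itself.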

***

## **Analysis Using RBCmd Tool**

**RBCmd**, developed by **Eric Zimmerman**, is a powerful tool for extracting and analyzing Recycle Bin artifacts.

**Steps to Analyze Recycle Bin Artifacts**

1. **Acquire Artifacts**:
   * Collect the **$Recycle.Bin** folder containing **$I** and **$R** files from the target system.
2. **Run RBCmd**:

   ```powershell
   RBCmd.exe -d c:\path\to\RecycleBinArtifacts --csv c:\path\to\results
   ```

   * **`-d`**: Directory containing the Recycle Bin artifacts to process (`$I` and `$R` files).
   * **`--csv`**: Directory to which the results are written as a **CSV** file for detailed analysis.
3. **Load Results in Timeline Explorer**:
   * Open the resulting **CSV** file in **Timeline Explorer** for advanced analysis.

***

## **Case Example**

**Scenario:**

Using **RBCmd**, we analyzed a single deletion event.

**Parsed Data Highlights:**

* **Deleted File**: `document.pdf.exe`
* **Original Location**: `C:\Users\Public\Documents\`
* **Deletion Time**: `2023-11-01 14:23:45 UTC`
* **File Size**: `512 KB`

**Insights:**

* The file had a **double extension** (`.pdf.exe`), a common **malware obfuscation technique** to trick users.
* The deletion suggests an attempt to cover tracks, likely following **remote access** or **malware execution**.

***

## **Forensic Value of Recycle Bin Artifacts**

**1. Timeline Reconstruction**

* Recycle Bin artifacts provide timestamps for when critical files were deleted, aiding in the creation of a detailed activity timeline.

**2. Attack Behavior**

* Analyzing deletion patterns can reveal malicious actions, such as:
  * **Dropping and deleting malware**.
  * Attempting to cover tracks post-attack.

**3. Original File Context**

* Artifacts reveal the original file paths, providing insight into the context and intent of user or attacker actions.

***

Recycle Bin artifacts are an essential component of forensic investigations, offering valuable insights into deleted files and user behavior. By utilizing tools like **RBCmd**, analysts can efficiently extract and interpret this data to reconstruct events, uncover attack strategies, and build a comprehensive understanding of system activity during insider threats or external attacks.
