Examining the Windows 10 Recycle Bin
This is the second post in our Windows Forensic Essentials Blog Series. Read our first post on Jump Lists.
One of the most overlooked artifacts on a Windows computer is the Recycle Bin. The Recycle Bin has been with the Windows operating system since Windows 95 (although a similar function was available in MS-DOS 6). Naturally, over time it has evolved to its current implementation.
Throughout its existence the role of the Recycle Bin is to track files that have been deleted by the user, whether through interaction in Explorer or another programme on the computer.
For forensic examiners the way in which the Recycle Bin works has changed over the years. Gone is the INFO2 file (that tracked the files contained in the Recycle Bin). Further changes have been made since the release of Windows 10.
In this blog we are going to look at how to examine the Recycle Bin in Windows 10, discussing what the various artifacts mean, and how to interpret this data.
A Look At The Data
Looking at what is in the Recycle Bin is part of almost every forensic examination. Examiners look at the data, note that it is in the Recycle Bin, and then report on it. But how can the data be interpreted?
$Recycle.Bin Or $RECYCLE.BIN?
Certainly most examiners have seen the Recycle Bin displayed as $Recycle.Bin and $RECYCLE.BIN, but why? We know that the ‘$’ means that the Recycle Bin belongs to the system, but from testing we can tell that $Recycle.Bin is on the Windows Drive (usually ‘C’) and $RECYCLE.BIN is normally written to a drive attached to a Windows system (such as a secondary drive on a computer, or an external drive attached to a computer).
Examine The Data
Inside $Recycle.Bin, experienced examiners will notice that the long alphanumeric folder names are SIDs (Security Identifiers), one for each user on the computer. This is significant because it means that each user has their own Recycle Bin. Essentially the Recycle Bin is a special folder.
Figure 1: Windows 10 Recycle Bin viewed in BlackLight
We are going to focus on the SID ending in 1000.
Figure 2: Contents of Recycle Bin for the SID ending in 1000
Several files are seen inside the Recycle Bin. The files have unconventional names and start with either $I or $R.
Files Starting with $I
Files starting with $I are essentially the metadata for the particular file that was deleted. Unlike in previous versions of Windows, the $I file is not a fixed size of 544 bytes; it is only as big as it needs to be.
Here is what $IAEX914.jpg from Figure 2 shown above looks like in HEX.
Figure 3: $IAEX914.jpg viewed in HEX in BlackLight
To interpret this data we use the following table:
Figure 4: Chart used to interpret the data found in $I files
Applying the principles in the chart shown above to the file $IAEX914.jpg (depicted in Figure 3 above) we find the following:
Figure 5: Chart describing HEX data found in $IAEX914.jpg
Testing has shown that for Windows 7 and 8.1 the value contained in the Header is 1, and for Windows 10 the value is 2.
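As an added example (not code from the original post, and not part of BlackLight), the following Python parser decodes a $I record using the documented field layout that the chart in Figure 4 summarises. It handles both the fixed 544-byte version-1 record written by Windows 7 and 8.1 and the variable-length version-2 record written by Windows 10, and derives the matching $R file name from a $I file name. The sample records, the path C:\Users\Alice\Pictures\beach.jpg and the deletion time are constructed here; they are not bytes from the post's Figure 3.

```python
"""Decode Windows Recycle Bin $I metadata records (added example, not the post's code)."""
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the constructed samples below."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def parse_i_file(data: bytes) -> dict:
    """Decode one $I record.

    Layout (documented Recycle Bin format; the post's Figure 4 chart is not reproduced here):
      0x00  8 bytes  header/version: 1 on Windows Vista/7/8.x, 2 on Windows 10
      0x08  8 bytes  original file size, little-endian
      0x10  8 bytes  deletion time as FILETIME
      version 1: 0x18  520 bytes  original path, UTF-16LE, NUL padded (record is always 544 bytes)
      version 2: 0x18  4 bytes    path length in UTF-16 characters, including the terminating NUL
                 0x1C  variable   original path, UTF-16LE
    """
    if len(data) < 24:
        raise ValueError("record too short to hold the fixed $I fields")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        if len(data) < 544:
            raise ValueError("version 1 $I record must be 544 bytes")
        raw_name = data[24:544]
    elif version == 2:
        (name_chars,) = struct.unpack_from("<I", data, 24)
        raw_name = data[28:28 + name_chars * 2]
        if len(raw_name) != name_chars * 2:
            raise ValueError("version 2 $I record is truncated")
    else:
        raise ValueError(f"unknown $I header value {version}")
    # Stop at the first NUL: both layouts terminate (and version 1 pads) with NUL characters.
    original_path = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "original_path": original_path,
    }


def r_file_for(i_file_name: str) -> str:
    """The $R file holding the content shares the $I file's suffix: $IAEX914.jpg -> $RAEX914.jpg."""
    if not i_file_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_file_name[2:]


def build_i_record(version: int, size: int, deleted_at: datetime, path: str) -> bytes:
    """Assemble a $I record; used only to create the constructed sample data below."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    fixed = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        return fixed + encoded.ljust(520, b"\x00")
    return fixed + struct.pack("<I", len(path) + 1) + encoded


# Constructed samples (not bytes from the post): one Windows 10 record, one Windows 7 record.
SAMPLE_DELETED_AT = datetime(2017, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\Alice\Pictures\beach.jpg"
SAMPLE_WIN10_RECORD = build_i_record(2, 1234567, SAMPLE_DELETED_AT, SAMPLE_PATH)
SAMPLE_WIN7_RECORD = build_i_record(1, 1234567, SAMPLE_DELETED_AT, SAMPLE_PATH)


if __name__ == "__main__":
    for label, record in (("Windows 10", SAMPLE_WIN10_RECORD), ("Windows 7", SAMPLE_WIN7_RECORD)):
        info = parse_i_file(record)
        print(f"{label}: {len(record)}-byte record, header {info['version']}, "
              f"{info['original_size']} bytes, deleted {info['deleted_at'].isoformat()}, "
              f"from {info['original_path']}")
    print(r_file_for("$IAEX914.jpg"))
```

When run against a real $I file, replace the constructed record with the bytes read from disk; the deletion time comes out in UTC, so convert it to the examined machine's time zone before comparing it with times shown in Explorer. Because the header value selects the layout, the same function can be pointed at a Windows 7 image and a Windows 10 image without any change.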
Files Starting With $R
The files shown above in Figure 2 starting with $R are the actual file content; in other words, the files deleted from this account.
Despite the changes under the hood, to most users the Recycle Bin soldiers on doing what it was originally designed to do: store files that have been deleted from each user account.
Make sure to subscribe to our blog to receive notification for the next post in our Windows Forensic Essentials blog series.