In this post in one of our DFIR shorts series. we will address how to recover deleted files from the Windows Recycle Bin.
The content is for information security practitioners who want to expand their knowledge in the DFIR field. Being able to recover deleted files can sometimes blast your investigation process when in lack of evidence. There are
$Recycle.bin forensics is another method for recovering or getting information about files that were manually deleted by a user. Depending on the Windows version, Evidence is stored in the Recycle Bin in two different ways.
On Windows XP, the files are stored in the “Recycler” folder under the user’s specific SID. There is also an INFO2 file which contains an index of all the files that have been deleted, along with some metadata about the recycled files. The INFO2 file will contain the original path, file size, and when the file was deleted. Starting with Windows Vista, the data are still stored under the user’s SID, where the parent directory is named “$Recycle.Bin”. On Windows Vista and later, INFO2 files are no longer used and for every deleted file, two new files are created in the Recycle Bin.
The first file begins with the value “$R” followed by a random string and contains the actual contents of the recycled file.
The second file begins with “$I”, ends in the same string as the “$R” file and contains the metadata for that specific file (unlike the INFO2 file which contained the metadata for every file in the Recycle Bin). The “$I” file contains the original filename, path, file size, and when the file was deleted.
Viewing Deleted Files in the Recycle Bin (Win10)
First, browse tp the $Recycle.bin directory (C:\$Recycle.bin):
Run the command “dir /a” in order to view its content (as the files are hidden by default):
As we can understand from the above output is that each child directory under the $Recycle.Bin is named after an existing user SID. Therefore, the next step would be to verify which SID belongs to which user on the machine.
It can be done via a WMI command (WMIC.exe):
wmic useraccount get name,SID
In some organizations, "wmic" will be disallowed by policy, so another way of fining out the currently logged in user SID is via the well known "whoami" command:
whoami /userThe next step is to browse the desired user’s folder, and pay attention to the files located there:
As it was mentioned in the explanation about the $Recycle.bin structure, you will see here files starting with $I which will contain the deleted file metadata and $R which will contain the actual contents of the recycled file.
For example, lets look on the $I7ZK3OL.zip” file.
There is a nice GUI tool named "$I parser" developed by Eric Zimmerman. It can be downloaded from here:
"$I Parse" is a tool for parsing $I (index) files from the Recycle Bin of Windows Vista and later. There are two modes of operation:
Directory mode - allows you to point "$I Parse" to a directory of $I files and parse them all in one go. It will output the parsed data to a tab-delimited file.
File mode - parses an individual $I file. The output will be printed to the command prompt.
Another great tool (CLI) is “RBCmd” (also developed by Eric Zimmerman). It can be downloaded from here. Do note: both tools can only parse $I files.
Parsing a $I file
For this example, we will use the command line tool “RBCmd”:
The command line is easy and straight forward:
<path to the tool exe>\RBCmd.exe -f <$I file>
The output shows:
Original file name
Original file size
The date it was deleted on.
We hope you enjoyed reading this content.
See you in the next blog post with new DFIR content :)