## Introduction

One of the main tasks in digital forensics is recovering deleted files. Doing this well requires precise knowledge of how the filesystem works. Before resorting to those complicated methods, though, there is an easy route: the Recycle Bin. (Many other operating systems have a similar feature, but this article focuses on Windows.)

The Recycle Bin is where deleted files are kept before they are permanently deleted, for the user who deleted the wrong file by mistake or who regrets deleting it. It is a temporary space in which the file continues to exist for a while, so the point is that a file the user "deleted" has not actually been deleted yet.

In this article the main focus is on analyzing the Recycle Bin artifact: where deleted files go and how they get there, how files are managed inside the Recycle Bin, and when they are permanently deleted. The goal is to be able to find useful data in a real digital forensic case.

## Path

Most people drag and drop files onto the Recycle Bin icon on the desktop and assume that the Recycle Bin actually lives in the Desktop directory. In truth the desktop icon is only a shortcut, and what it shows is a merged view: the Recycle Bin is not a single folder but is kept per volume. Every partition has its own Recycle Bin directory in its root, so the one you see from the desktop is not the only one on the computer.

```
[Drive Letter]:\$Recycle.Bin
```

> [!Question] It's not in the root directory!
>
> You may not see it in File Explorer. `$Recycle.Bin` is a system directory and is hidden by default. Uncheck "Folder Options >> Hide protected operating system files (Recommended)" and the folder appears.

![[Untitled 20.png]]

## Data

In this chapter we look at the structure of the Recycle Bin folder. The `tree` command prints the tree structure of a directory. (Some of the sub folders require elevated privileges, which is why the listing below shows `error opening dir` for them.)

```
vared@DESKTOP-DOGN0M5:/mnt/c/$Recycle.Bin$ sudo tree .
.
├── S-1-5-18 [error opening dir]
├── S-1-5-21-1906683221-3410317796-3976351031-1000 [error opening dir]
└── S-1-5-21-1906683221-3410317796-3976351031-1001
    ├── $I2I92ZR.lnk
    ├── $IC23MFN.lnk
    ├── $IH3LLYF.lnk
    ├── $II1S3KK
    ├── $IIAA5KA.lnk
    ├── $IL8JA5P.t
    ├── $R2I92ZR.lnk
    ├── $RC23MFN.lnk
    ├── $RH3LLYF.lnk
    ├── $RI1S3KK
    ├── $RIAA5KA.lnk
    ├── $RL8JA5P.t
    └── desktop.ini

3 directories, 13 files
```

### Name of Sub Folders

The sub folders of the Recycle Bin are named after special identifiers. Those who recognize the format will know them as SIDs (Security Identifiers). The Recycle Bin sorts deleted files by the user who deleted them, and each user gets a sub folder named after that user's SID. In the listing above, the files deleted by the user with SID `S-1-5-21-1906683221-3410317796-3976351031-1001` are stored in the folder of that name. (`S-1-5-18` is the well-known SID of the Local System account.)

So who is the user behind a given SID? There are two ways to find out. Resolving SIDs is really a registry topic and will be handled in depth in the articles on the registry; here it is only introduced briefly.

1. On live systems

```
wmic useraccount get name,sid
```

![[Untitled 21.png]]

2. On dead systems (image files)

The username can be extracted from the registry. Each subkey under the following key is named after a SID, and its `ProfileImagePath` value holds the path of that user's profile directory (normally under `C:\Users`). Use a tool such as Regedit.exe or REGA to browse the hive.

```
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
```

![[Untitled 22.png]]

### Recycle Bin structure

Inside the sub folders there are numerous files whose names look random and unreadable. They are not randomly named, though; the naming follows rules. From the examples above:

1. Each file name starts with `$I` or `$R`.
2. Every `$I` file has exactly one `$R` counterpart that shares the characters after the `$I`/`$R` prefix.
3. The original file extension is kept.
> [!Example] **EXAMPLE**
> `$I2I92ZR.lnk` — `$R2I92ZR.lnk`
> `$I` / `2I92ZR` / `.lnk` — `$R` / `2I92ZR` / `.lnk`
>
> Many people wonder about the random-looking middle part. It is not derived from the original file (NTFS has no inode numbers to convert): it is a six-character identifier that Windows generates at random when the file is recycled. What matters for analysis is that the `$I` and `$R` files of one deleted item share it; that is how the metadata is matched to the data.

Let's look at the two kinds of file in turn.

**$I File**

`$I` stands for information: it takes over the role that the single `INFO2` file played on Windows XP. It holds the metadata of the deleted file, laid out as in the table below. The layout differs between Windows versions; the header field is a format version, `1` on Windows Vista through 8.1 and `2` on Windows 10 and later. The table shows the Windows 10 layout.

| Offset | Size | Description |
| ------ | ---- | ----------- |
| 0x00 | 8 | Header: format version (`2` on Windows 10) |
| 0x08 | 8 | Original file size in bytes |
| 0x10 | 8 | Deletion time as a FILETIME (100 ns ticks since 1601-01-01 UTC) |
| 0x18 | 4 | Length of the original path in UTF-16 characters, including the terminating null |
| 0x1C | variable | Original file path, UTF-16LE |

In the version 1 layout there is no length field: the path occupies a fixed 520 bytes (260 UTF-16 characters, MAX_PATH) at offset 0x18, so every version 1 `$I` file is exactly 544 bytes long.

**$R File**

`$R` holds the data. It is the original file itself, moved into the Recycle Bin and renamed; apart from its name, its content is byte-for-byte identical to the original. (When a folder is deleted, `$R` is a directory containing the folder's contents, while `$I` is still a single metadata file.) To fully recover a deleted file you therefore need the `$R` file; the `$I` file alone only tells you what was deleted, from where, and when.

### Artifact Traits

As mentioned above, the Recycle Bin is only a temporary home for deleted files, and "temporary" means the data is not kept forever: the Recycle Bin has a maximum size. The actual size is shown in the Recycle Bin's Properties dialog. On the sample machine the default was 26.44 GB; the default depends on the size of the volume, so that figure is not a universal initial value. Roughly 5%~10% of the volume is allocated to the Recycle Bin. A file larger than the Recycle Bin's maximum size is not recycled at all but permanently deleted (Windows asks for confirmation first). When a smaller file is deleted but the Recycle Bin is already full, the oldest entries are permanently deleted to make room.

![[Untitled 23.png]]

## Conclusion

When recovering a deleted file, Recycle Bin analysis should come before file carving, because most users do not permanently delete files with SHIFT+DEL; they drag and drop them onto the Recycle Bin icon on the desktop. If the target file is bigger than the Recycle Bin's limit (roughly 5%~10% of the volume), however, there is a high chance that it was permanently deleted and carving is the only option left. In short, when a file is deleted it follows the process shown below. Understanding the deletion process tells you how to recover a deleted file, who deleted it, and when it was deleted.

![[Untitled 24.png]]
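As an added example, not code from the original article, the following Python script puts the `$I` layout and the naming rules described above into practice: it parses a `$I` file in both the version 1 (fixed 520-byte path) and version 2 (length-prefixed path) layouts, converts the FILETIME deletion stamp to UTC, derives the `$R` counterpart from a `$I` name, and reads the owning SID from the parent folder name. The `$I` contents it parses are constructed inside the script; the path, size and timestamp in them are made up for the demonstration, and `build_dollar_i` exists only to produce that sample input.

```python
"""$Recycle.Bin $I parser (example added to this article, not the article's own tool).

Layouts assumed, following the $I table above:
  version 1 (Vista - 8.1):  header 8 | size 8 | FILETIME 8 | path 520 bytes UTF-16LE, NUL padded
  version 2 (10 and later): header 8 | size 8 | FILETIME 8 | path length 4 (UTF-16 chars incl. NUL) | path
"""
import re
import struct
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520                      # 260 UTF-16 code units (MAX_PATH)
V1_FILE_SIZE = 0x18 + V1_PATH_BYTES      # every version-1 $I file is 544 bytes
NAME_RE = re.compile(r"^\$([IR])([A-Z0-9]{6})(\..+)?$")


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME is the number of 100 ns ticks since 1601-01-01 00:00 UTC."""
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data: bytes) -> dict:
    """Return format version, original size, deletion time and original path of a $I file."""
    if len(data) < 0x18:
        raise ValueError("shorter than the 24-byte fixed header")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + V1_PATH_BYTES]
        if len(raw) != V1_PATH_BYTES:
            raise ValueError("truncated version-1 path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]   # NUL-terminated inside padding
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated version-2 path field")
        path = raw.decode("utf-16-le").rstrip("\x00")         # length includes the NUL
    else:
        raise ValueError(f"unknown $I format version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(filetime), "original_path": path}


def build_dollar_i(version: int, size: int, deleted_utc: datetime, path: str) -> bytes:
    """Construct a $I blob; used here only to make sample input for the parser."""
    fixed = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_utc))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        if len(encoded) > V1_PATH_BYTES:
            raise ValueError("path longer than MAX_PATH")
        return fixed + encoded.ljust(V1_PATH_BYTES, b"\x00")
    if version == 2:
        return fixed + struct.pack("<I", len(encoded) // 2) + encoded
    raise ValueError(f"unknown $I format version {version}")


def companion_name(name: str) -> str:
    """$I<id><ext> <-> $R<id><ext>: the six-character id and the extension are shared."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"{name!r} is not a Recycle Bin $I/$R name")
    kind, ident, ext = m.groups()
    return f"${'R' if kind == 'I' else 'I'}{ident}{ext or ''}"


def describe_entry(i_path: str, data: bytes) -> dict:
    """Combine the $I contents with what the location of the file itself tells us."""
    p = PureWindowsPath(i_path)
    rec = parse_dollar_i(data)
    rec["owner_sid"] = p.parent.name                       # sub folder under $Recycle.Bin
    rec["data_file"] = str(p.with_name(companion_name(p.name)))
    return rec


# Constructed sample: a hypothetical deletion, not taken from the article's screenshots.
SAMPLE_DELETED = datetime(2021, 3, 14, 9, 26, 53, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\analyst\Desktop\notes.t"
SAMPLE_I_V2 = build_dollar_i(2, 1234, SAMPLE_DELETED, SAMPLE_PATH)
SAMPLE_I_V1 = build_dollar_i(1, 1234, SAMPLE_DELETED, SAMPLE_PATH)

if __name__ == "__main__":
    entry = describe_entry(
        r"C:\$Recycle.Bin\S-1-5-21-1906683221-3410317796-3976351031-1001\$IL8JA5P.t",
        SAMPLE_I_V2)
    for key, value in entry.items():
        print(f"{key:14} {value}")
```

On a real image, read each `$I*` file from the SID sub folder and pass its bytes to `describe_entry`; comparing the `size` field with the on-disk size of the `$R` counterpart is a quick sanity check that the two still belong together and that the `$R` file has not already been partially overwritten.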