Digital dumpster diving: Exploring the intricacies of recycle bin forensics

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In the vast realm of digital investigations, there exists a fascinating technique known as recycle bin forensics. Delving into the depths of this captivating field unveils a world where seemingly deleted files can still reveal their secrets, allowing digital detectives to reconstruct user activities and uncover valuable information. So, let's embark on a journey to demystify recycle bin forensics and understand its role in the realm of cybersecurity.

Recycle bin forensics is a specialized branch of digital forensics that focuses on the retrieval and analysis of deleted files from the recycle bin or trash folder. This intriguing technique holds the potential to unlock a treasure trove of evidence, shedding light on cybercrimes and aiding in the investigation process.

To comprehend the intricacies of recycle bin forensics, it's essential to grasp how the recycle bin functions.

When you delete a file on your computer, it often finds its way to the recycle bin or trash folder. It's a convenient feature that allows you to recover accidentally deleted files with a simple click. But did you know that even after you empty the recycle bin, traces of those files may still linger on your system?

Welcome to the fascinating realm of recycle bin forensics, where digital detectives can uncover valuable information and shed light on a user's activities.

Location of deleted files

  • C:\RECYCLED (Win 95/98/Me)
  • C:\RECYCLER (Win NT/2000/XP)
  • C:\$Recycle.bin (Win Vista and later)

Metadata file

  • INFO2 (Win 95/98/Me)
  • C:\RECYCLER\SID*\INFO2 (Win NT/2000/XP); SID denotes the security identifier of the user who deleted the file
  • Windows Vista and later:
  • C:\$Recycle.bin\SID*\$I****** (contains the metadata)
  • C:\$Recycle.bin\SID*\$R****** (contents of the deleted file)

Both files are named with the same random six-character value, followed by the original file's extension (for example $IABTIOW.doc and $RABTIOW.doc). These directories are hidden by default; you can list them from a command prompt run with elevated privileges (Run as administrator) using the command dir /a.

Recycle bin forensics assumes a critical role in digital investigations, enabling law enforcement agencies, cybersecurity experts, and forensic analysts to piece together the puzzle. By analyzing deleted files, forensic professionals can reconstruct a timeline of events, unearth vital evidence, and recover seemingly lost data, aiding in the pursuit of justice.

Unveiling the secrets hidden within the recycle bin requires specialized tools and techniques. Forensic software empowers investigators to extract deleted files, even after the recycle bin has been emptied. Through careful analysis of file metadata, paths, and content, digital detectives can gain insights into file origins, modifications, and deletions, painting a clearer picture of the user's activities.

One such utility, which we will use below, is $IPARSE; it can be downloaded here.

Steps to find metadata related to a deleted file ($I****** file)

  • Run command prompt as administrator.

[Screenshot: command prompt run as administrator]

  • Run cd .. twice to reach the root of the drive.

[Screenshot: cd in the command line]

  • Then run dir /a and check that the $RECYCLE.BIN directory is listed.

[Screenshot: dir /a output showing $RECYCLE.BIN]

  • Run cd $RECYCLE.BIN to enter the directory, then run dir /a again.

Now you will see multiple entries starting with S in the list of directories: one per SID.

[Screenshot: SID directories inside $RECYCLE.BIN]

To check which user each SID directory belongs to, run the command wmic useraccount get name,sid

[Screenshot: user accounts listed with their SIDs]

It will list all the users together with their SIDs. Copy a SID by selecting it and pressing Ctrl+C (you can also type the first few characters of the SID and press Tab to autocomplete it).

Now, to move into the SID directory:

cd SID (paste the copied value)

For example, if the SID directory name was S-1-5-32:

  • cd S-1-5-32

Then run dir /a to list the contents of that directory; you should see $I and $R files. In certain cases, only the $I****** file will be available.

For illustration purposes, we are using files acquired from other systems.

[Screenshot: $I files on drive D]

  • Now, create an output folder and copy the $I file into it. The syntax is the file name followed by the quoted destination path, for example $IABTIOW.doc "D:\Desktop\Test files\i files\TEST\Output"; you can alternatively use the copy command.

[Screenshot: test files folder]

  • Copy the file or folder name (while inside that directory) together with the destination path (where you wish to copy the file or folder to); the path can be copied by opening the folder in Explorer and clicking the address bar. The file will be copied, and the associated application (for example the Photos app for .png/.jpeg files) will try to open it but will not be able to.

[Screenshot: copied test files fail to open]

  • Extract and run the $IPARSE utility you downloaded. Browse to the directory you copied the $I files into. Then browse to the directory where you want the result file written and provide a file name.

[Screenshot: $IPARSE tool]

Click Save. After that, you should see an interface like the one below:

[Screenshot: $IPARSE output]

Then click Parse. If the file was parsed successfully it is displayed for you; the output file is in .tsv format, which you can open with Notepad or Notepad++. You will now be able to see the details recorded in that $I file.
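As an added example, not code from this article or from the $IPARSE utility, the following Python script does what the parsing step above and the $I/$R listing earlier describe: it decodes the $I metadata records of a Vista-or-later recycle bin, pairs each with its $R content file (noting the cases where only the $I file remains), and orders the results into a deletion timeline. The $I layout it assumes (format version, original size, FILETIME deletion timestamp, original path; versions 1 and 2) comes from public documentation of the format rather than from this article. The SID directory name, file names and record contents are constructed sample data written to a temporary directory, so it runs offline.

```python
"""Parse Windows $I recycle-bin metadata records and build a deletion timeline.

Added example: not code from the article or from the $IPARSE utility.
Record layout assumed from public documentation of the Vista-and-later format:
  offset 0,  8 bytes: format version (1 = Vista to 8.1, 2 = Windows 10 and later)
  offset 8,  8 bytes: original file size, little-endian
  offset 16, 8 bytes: deletion time as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)
  version 1: offset 24, fixed 520-byte UTF-16LE original path, NUL padded
  version 2: offset 24, 4-byte path length in UTF-16 code units (including the NUL),
             followed by the UTF-16LE path
"""
import struct
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample records."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_i_record(data: bytes) -> dict:
    """Decode one $I file. Raises ValueError on truncated or unknown-version input."""
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte fixed header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
        if len(raw) < V1_PATH_BYTES:
            raise ValueError("version 1 record is missing its 520-byte path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        if len(data) < 28:
            raise ValueError("version 2 record is missing its path length field")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) < nchars * 2:
            raise ValueError("version 2 path field is truncated")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I format version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}


def build_i_record(version: int, original_path: str, size: int, deleted: datetime) -> bytes:
    """Construct a sample $I record (test data, not captured from a real system)."""
    ft = datetime_to_filetime(deleted)
    if version == 1:
        path_field = original_path.encode("utf-16-le").ljust(V1_PATH_BYTES, b"\x00")
        return struct.pack("<QQQ", 1, size, ft) + path_field
    encoded = (original_path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, ft, len(encoded) // 2) + encoded


def build_timeline(recycle_root: Path) -> list:
    """Walk <root>/<SID>/$I* files, pair each with its $R sibling, sort by deletion time."""
    rows = []
    for sid_dir in sorted(p for p in recycle_root.iterdir() if p.is_dir()):
        for i_file in sorted(sid_dir.glob("$I*")):
            try:
                rec = parse_i_record(i_file.read_bytes())
            except ValueError as exc:
                rows.append({"sid": sid_dir.name, "i_file": i_file.name, "error": str(exc)})
                continue
            # $R holds the content and shares the $I name apart from the second character;
            # when it is absent only the metadata survives (the case the article notes).
            r_file = i_file.with_name("$R" + i_file.name[2:])
            rec.update(sid=sid_dir.name, i_file=i_file.name, r_present=r_file.exists())
            rows.append(rec)
    # Parsed records in deletion order; unparseable records go last.
    rows.sort(key=lambda r: ("deleted_utc" not in r, r.get("deleted_utc", EPOCH_1601)))
    return rows


def demo_timeline() -> list:
    """Build a constructed $Recycle.Bin tree in a temp dir and return its timeline."""
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # placeholder SID, not real
    with tempfile.TemporaryDirectory() as tmp:
        sid_dir = Path(tmp) / sid
        sid_dir.mkdir()
        # Windows 10 style record with its $R content file still present
        (sid_dir / "$IABTIOW.doc").write_bytes(build_i_record(
            2, r"C:\Users\alice\Documents\contract.doc", 24576,
            datetime(2023, 6, 1, 12, 0, 0, tzinfo=timezone.utc)))
        (sid_dir / "$RABTIOW.doc").write_bytes(b"constructed document body")
        # Vista/7 style record whose $R file was already purged: metadata only
        (sid_dir / "$IQ7KP2M.png").write_bytes(build_i_record(
            1, r"C:\Users\alice\Pictures\badge.png", 1024,
            datetime(2023, 5, 30, 8, 30, 0, tzinfo=timezone.utc)))
        # Deliberately truncated record to exercise the parser's error handling
        (sid_dir / "$IZZZZZZ.txt").write_bytes(b"\x02\x00\x00\x00")
        return build_timeline(sid_dir.parent)


if __name__ == "__main__":
    for row in demo_timeline():
        print(row)
```

To run it against a real acquisition, point build_timeline at a copied $Recycle.bin directory (the one containing the S-1-5-... subdirectories); the parser never modifies the files it reads. Note that version 1 records always carry a 520-byte path field, so a $I file that is shorter than 544 bytes under that version is truncated rather than merely short, and the timeline reports it as an error instead of silently dropping it.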

While recycle bin forensics is a powerful tool, it is not without its challenges and limitations. As time progresses and new files are created and deleted, older remnants in the recycle bin may be overwritten, making the recovery of certain deleted files more challenging or even impossible. Additionally, the effectiveness of recycle bin forensics can vary based on the operating system and file system in use, presenting unique obstacles.

To protect sensitive information and thwart potential recovery through recycle bin forensics, implementing secure data deletion practices is vital. Merely emptying the recycle bin offers no guarantee of permanent erasure. Instead, employing specialized file shredding or disk wiping tools can ensure that deleted data is securely overwritten, rendering it irretrievable.

In conclusion, recycle bin forensics is a remarkable field that uncovers the hidden remnants of deleted files, holding the potential to transform investigations. As we navigate the digital landscape, understanding the power of recycle bin forensics reminds us of the importance of safeguarding our digital footprint. Through knowledge, diligence, and secure practices, we can protect our sensitive information and fortify the realm of cybersecurity for the benefit of all.

Article Link: Digital dumpster diving: Exploring the intricacies of recycle bin forensics | AT&T Cybersecurity