Desktop Trash & Recently Used Files

LinuxUser ActivityDisk Image

Location

/home/<username>/.local/share/Trash/ and /home/<username>/.local/share/recently-used.xbel

Description

FreeDesktop trash directory containing deleted files (files/) and their metadata (info/ with .trashinfo files recording original path and deletion timestamp). Recently-used.xbel is an XML file tracking recently accessed files with timestamps and MIME types.

Forensic Value

The desktop Trash directory preserves deleted files and their original paths with deletion timestamps, similar to the Windows Recycle Bin. Users deleting sensitive files through the GUI leave recoverable copies here. The recently-used.xbel file provides a timeline of file access through desktop applications with full file paths and timestamps, useful for reconstructing user activity on systems with graphical desktop environments.

Tools Required

catfindgrepAutopsyxmllint

Collection Commands

find

find /home -path "*/.local/share/Trash" -exec tar czf /forensics/output/trash_dirs.tar.gz {} +

find

find /home -name "recently-used.xbel" -exec cp --parents {} /forensics/output/ \;

cat

cat /home/*/.local/share/Trash/info/*.trashinfo > /forensics/output/trash_metadata.txt

grep

grep -h "DeletionDate\|Path" /home/*/.local/share/Trash/info/*.trashinfo > /forensics/output/trash_summary.txt

Collection Constraints

•Paths and log sources vary by distribution, init system, logging stack, and installed packages. Validate the active distro and service set before treating absence as meaningful.

MITRE ATT&CK Techniques

T1070.004T1005T1083

References

systemd.timer Manual NetworkManager Keyfile Format sshd_config Manual systemd-resolved Service

Acquisition Methods

UAC (Unix-like Artifacts Collector)

linux — triage

tar Logical Collection

linux — logical

Velociraptor Offline Collector (Linux)

linux — triage