Desktop Trash & Recently Used Files

linuxUser ActivityDisk Image

Location

/home/<username>/.local/share/Trash/ and /home/<username>/.local/share/recently-used.xbel

Description

FreeDesktop trash directory containing deleted files (files/) and their metadata (info/ with .trashinfo files recording original path and deletion timestamp). Recently-used.xbel is an XML file tracking recently accessed files with timestamps and MIME types.

Forensic Value

The desktop Trash directory preserves deleted files and their original paths with deletion timestamps, similar to the Windows Recycle Bin. Users deleting sensitive files through the GUI leave recoverable copies here. The recently-used.xbel file provides a timeline of file access through desktop applications with full file paths and timestamps, useful for reconstructing user activity on systems with graphical desktop environments.

Tools Required

catfindgrepAutopsyxmllint

Acquisition Methods

dd / dc3dd Raw Disk Image

linux — physical

dcfldd Forensic Disk Image

linux — physical

ewfacquire E01 Disk Image

linux — physical

Guymager Full Disk Image

linux — physical

tar Logical Collection

linux — logical