Recycle Bin ($I/$R Files)

Windows, Filesystem & Timeline, Disk Image

Location

C:\$Recycle.Bin\<SID>\

Description

Windows Recycle Bin containing $I files (metadata with original path, deletion timestamp, and file size) and $R files (actual deleted file content). Each user SID has a separate subfolder providing user attribution.

Forensic Value

The Recycle Bin preserves both metadata and content of deleted files, attributed to specific user accounts through the SID subfolder. $I files record the original full file path, exact deletion timestamp, and file size, so the record of what was deleted survives even when the corresponding $R content files have been removed. Attackers deleting tools or staging files often forget to empty the Recycle Bin. Recovering $R files can retrieve deleted malware samples, exfiltration scripts, or sensitive documents the attacker tried to destroy.
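The following parser is an added example, not code from the page or from any of the tools listed below. It decodes the two on-disk $I layouts (version 1, Vista through 8.1, with a fixed 520-byte path field; version 2, Windows 10 and later, with a length-prefixed path), converts the FILETIME deletion stamp to UTC, and derives the owning SID and the matching $R file name from where the $I file sits under C:\$Recycle.Bin. The SID, path and timestamp in the sample record are constructed for the demonstration; the `build_i_record` helper exists only to produce that sample and is not part of any Windows API.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Matches ...\$Recycle.Bin\<SID>\$I<suffix>; group 1 = SID, group 2 = suffix.
_I_FILE_RE = re.compile(r"\$Recycle\.Bin\\(S-1-5-[\d-]+)\\\$I([^\\]+)$", re.IGNORECASE)


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the constructed sample."""
    delta = dt - _FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_i_file(data):
    """Parse the bytes of a $I record.

    Both versions begin with three little-endian 64-bit fields:
    version, original file size, deletion FILETIME.
      version 1: followed by a 520-byte UTF-16LE path (260 chars, NUL padded)
      version 2: followed by a 32-bit char count (incl. NUL) and the UTF-16LE path
    """
    if len(data) < 24:
        raise ValueError("too short for a $I record")
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_path": path,
        "file_size": size,
        "deleted_utc": filetime_to_datetime(deleted_ft),
    }


def attribute_i_file(i_file_path):
    """Return the owning SID and the sibling $R file name for a $I path, or None."""
    m = _I_FILE_RE.search(i_file_path)
    if not m:
        return None
    sid, suffix = m.group(1), m.group(2)
    # The $R file shares the random suffix; only the "$I" prefix differs.
    r_file = i_file_path[:-(len(suffix) + 2)] + "$R" + suffix
    return {"sid": sid, "r_file": r_file}


def build_i_record(path, size, deleted_iso, version=2):
    """Build a $I record from constructed values (for testing the parser)."""
    ft = datetime_to_filetime(datetime.fromisoformat(deleted_iso))
    header = struct.pack("<QQQ", version, size, ft)
    if version == 1:
        return header + path.encode("utf-16-le").ljust(520, b"\x00")
    body = (path + "\x00").encode("utf-16-le")
    return header + struct.pack("<I", len(path) + 1) + body


def demo():
    """Parse a constructed record and attribute it; returns both results."""
    # Constructed SID and file names; not taken from any real system.
    i_path = r"C:\$Recycle.Bin\S-1-5-21-1004336348-1177238915-682003330-1001\$IABC123.zip"
    record = parse_i_file(
        build_i_record(r"C:\Users\analyst\Downloads\stage.zip", 1048576,
                       "2024-03-05T12:00:00+00:00", version=2))
    return record, attribute_i_file(i_path)


if __name__ == "__main__":
    rec, owner = demo()
    print(f"{owner['sid']} deleted {rec['original_path']} "
          f"({rec['file_size']} bytes) at {rec['deleted_utc'].isoformat()}; "
          f"content in {owner['r_file']}")
```

Run the parser over every `$I*` file collected by KAPE or the PowerShell listing below to produce a deletion timeline per SID, then pair each record with its `$R` file to confirm whether the content is still present on the image.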

Tools Required

KAPE, RBCmd (Eric Zimmerman), Autopsy, Recycle Bin Explorer

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target RecycleBin

RBCmd

RBCmd.exe -d "C:\$Recycle.Bin" --csv C:\output --csvf RecycleBin.csv

PowerShell

Get-ChildItem 'C:\$Recycle.Bin' -Recurse -Force | Select-Object FullName, Length, LastWriteTime | Export-Csv C:\output\recycle_bin_listing.csv -NoTypeInformation

Collection Constraints

  • Availability, retention, and field coverage depend on the Windows release, SKU, per-host configuration, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
  • Only deletions made through Explorer on local fixed drives pass through the Recycle Bin. Shift+Delete, command-line deletion, deletions by scripts or tools, and deletions on network or removable drives bypass it and leave no $I/$R pair.

MITRE ATT&CK Techniques

T1070.004 (Indicator Removal: File Deletion), T1485 (Data Destruction)