Recycle Bin ($I/$R Files)

windowsFilesystem & TimelineDisk Image

Location

C:\$Recycle.Bin\<SID>\

Description

Windows Recycle Bin containing $I files (metadata with original path, deletion timestamp, and file size) and $R files (actual deleted file content). Each user SID has a separate subfolder providing user attribution.

Forensic Value

The Recycle Bin preserves both metadata and content of deleted files attributed to specific user accounts. $I files record the original full file path, exact deletion timestamp, and file size even when $R content files are emptied. Attackers deleting tools or staging files often forget to empty the Recycle Bin. Recovering $R files can retrieve deleted malware samples, exfiltration scripts, or sensitive documents the attacker tried to destroy.

Tools Required

KAPERBCmd (Eric Zimmerman)AutopsyRecycle Bin Explorer

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical