Investigating Windows Recycle Bin

Windows Recycle Bin was first introduced with Windows 95 and continued until Windows 10. The Recycle Bin is temporary storage for items that have been deleted by the user. The user then has the option to remove the items permanently or recover them in case they were deleted by mistake.

Digital Forensics Value of Recycle Bin Artifacts

The Windows Recycle Bin is considered an essential source of evidence when conducting a forensic investigation, as any item that is deleted via File Explorer or from any Recycle Bin-aware program is initially placed into the Recycle Bin. Recycle Bin artifacts retain valuable information related to the deleted item, such as the name of the deleted item, the original location of the item before deletion, the size of the deleted item, and the date and time when the item was deleted. Windows Recycle Bin artifacts are maintained within a hidden system folder.

The Windows Recycle Bin structure differs slightly between Windows operating systems. For Windows 2000, NT, XP and 2003, Recycle Bin artifacts are stored in the 'INFO2' file, which is located within the user's SID sub-folder at C:\RECYCLER\\$I#

On Windows 2000, NT, XP and 2003, the deleted items are renamed using a specific scheme and stored within the SID sub-folder that corresponds to the user who deleted the item. The INFO2 file contains the metadata (file deletion date, original file path and file size) for the deleted items.
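
To make the INFO2 description concrete, here is an added example (not code from the original page) that extracts the deletion date, original path and file size from an INFO2 file. It assumes the commonly documented layout, which the page does not spell out: a 20-byte header with the record size at offset 12, then fixed-size records holding a 260-byte ANSI path, record index, drive number, FILETIME, size and, in 800-byte records, a UTF-16 path. The sample data is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20         # assumed header length
RECORD_SIZE_OFFSET = 12  # assumed DWORD holding the record size
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_info2(data):
    """Return one dict per record: index, drive, deleted (UTC), size, path."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated INFO2 header")
    (rec_size,) = struct.unpack_from("<I", data, RECORD_SIZE_OFFSET)
    if rec_size not in (280, 800):  # ANSI-only vs. ANSI + Unicode records
        raise ValueError(f"unexpected record size {rec_size}")
    records = []
    # A trailing partial record (truncated file) is ignored.
    for off in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        # Fixed fields sit between the 260-byte ANSI path and the Unicode path.
        index, drive, filetime, size = struct.unpack_from("<IIQI", rec, 260)
        if rec_size == 800:
            path = rec[280:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        else:
            path = rec[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive) if drive < 26 else "?",
            # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
            "deleted": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
            "size": size,
            "path": path,
        })
    return records

def build_sample():
    """Constructed one-record INFO2 image (not taken from a real system)."""
    path = r"C:\Documents and Settings\analyst\Desktop\notes.txt"
    when = datetime(2009, 3, 10, 12, 0, tzinfo=timezone.utc)
    filetime = int((when - FILETIME_EPOCH).total_seconds()) * 10**7
    header = struct.pack("<12xI4x", 800)
    record = (path.encode("cp1252").ljust(260, b"\x00")
              + struct.pack("<IIQI", 1, 2, filetime, 4096)
              + path.encode("utf-16-le").ljust(520, b"\x00"))
    return header + record

if __name__ == "__main__":
    for r in parse_info2(build_sample()):
        print(r["index"], r["deleted"].isoformat(), r["size"], r["path"])
```

Timestamps are returned in UTC; convert to the suspect system's time zone only when reporting.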