When a user presses Delete, Windows does not destroy the file — it moves the original content to a hidden, per-user directory and creates a companion metadata record that preserves the original path, deletion timestamp, and file size. For investigators, the Recycle Bin is frequently the first place to look for evidence a subject believed they had destroyed.
What Is $Recycle.Bin?
The $Recycle.Bin directory is a hidden system folder located at the root of every NTFS volume. When a file is deleted through the Windows shell (Explorer, right-click delete, Delete key), it is not immediately removed from the file system. Instead, Windows performs two operations: it renames the original file with a new identifier prefixed by $R and moves it into the user’s SID-specific subdirectory under $Recycle.Bin, and it creates a corresponding $I file that contains metadata about the deletion — specifically the original full path, the deletion timestamp, and the original file size.
This two-file architecture means that even when a user “empties” the Recycle Bin, forensic recovery is often still possible. Emptying the Recycle Bin deletes the $I and $R files from the $Recycle.Bin directory, but the underlying NTFS $MFT entries and file data may persist in unallocated space until overwritten. The $I metadata files are small (typically 28–544 bytes depending on path length) and often survive in MFT slack space or $MFT resident data even after the Recycle Bin has been emptied.
Each user on the system has their own subdirectory named by their Security Identifier (SID). This means that deleted files are attributable to a specific user account. A file deleted by S-1-5-21-xxx-1001 will appear in C:\$Recycle.Bin\S-1-5-21-xxx-1001\, providing per-user attribution of deletion activity.
The $I file is the metadata record; the $R file is the original content. Both share the same random identifier suffix. If the $R file has been overwritten but the $I file persists, you still know what was deleted, when, and from where — even without the file content.
Location & Format
File Paths
| Component | Path | Notes |
|---|---|---|
| Root directory | C:\$Recycle.Bin\ | Hidden, system-protected; exists on every NTFS volume |
| User subdirectory | C:\$Recycle.Bin\{SID}\ | Per-user SID directory; attributes deletion to specific account |
| $I metadata file | $I<random>.<ext> | Binary file containing original path, deletion time, file size |
| $R content file | $R<random>.<ext> | The original file content, renamed with matching identifier |
$I File Binary Format (Windows 10+)
| Offset | Size | Field | Description |
|---|---|---|---|
0x00 | 8 bytes | Header/Version | Version 2 = 02 00 00 00 00 00 00 00 |
0x08 | 8 bytes | File Size | Original file size in bytes (little-endian int64) |
0x10 | 8 bytes | Deletion Timestamp | Windows FILETIME (100-ns intervals since 1601-01-01 UTC) |
0x18 | 4 bytes | Path Length | Length of original path string in characters (Win10+ only) |
0x1C | Variable | Original Path | UTF-16LE encoded full original file path |
Windows Vista through Windows 8.1 used Version 1 of the $I format, which had a fixed 520-byte path field (260 UTF-16LE characters, null-padded). Windows 10 introduced Version 2, which uses a variable-length path with an explicit length field at offset 0x18. RBCmd handles both formats automatically.
What It Reveals
The Recycle Bin provides direct answers to critical forensic questions:
- What was the original file path? — The $I file stores the complete original path, including drive letter, directory structure, and filename.
- When was the file deleted? — The deletion timestamp in the $I file records the exact moment the file was moved to the Recycle Bin, with 100-nanosecond precision.
- How large was the original file? — The $I file records the original file size. Even if the $R content file is gone, the size metadata persists.
- Who deleted it? — The SID-based directory structure attributes the deletion to a specific user account.
- Is the original content recoverable? — If the $R file still exists, the full original file content is intact and can be extracted directly.
- Was the Recycle Bin emptied? — The absence of $I/$R pairs, combined with $MFT entries showing their creation and deletion, proves the user emptied the Recycle Bin.
- Were specific file types targeted? — Patterns in deleted files (all .docx, all from a specific directory) reveal intent.
- Was a cover-up attempted? — Deletion of sensitive files immediately before resignation or termination is powerful circumstantial evidence.
The combination of original path + deletion timestamp + file size + user SID in a single artifact makes the Recycle Bin one of the most attribution-ready artifacts in Windows forensics. You can prove who deleted what, when, and from where in a single parse.
Forensic Use Cases
1. Spoliation Detection
An employee under litigation hold deletes 847 documents from C:\Users\jdoe\Documents\Project_Alpha\ at 23:14 on the night before their laptop is scheduled for forensic collection. The $I files in their SID directory show a burst of deletions concentrated within a 6-minute window, all from the same project directory. Even though the user then empties the Recycle Bin, the $MFT records the creation and subsequent deletion of the $I/$R pairs, proving the emptying operation occurred at 23:22 — eight minutes after the mass deletion began.
2. Data Staging Identification
An insider copies 4,200 files to C:\Users\jdoe\Desktop\upload_staging\, uploads them via a cloud sync tool, then deletes the staging directory. The Recycle Bin contains $I files showing the original paths within the staging directory, with deletion timestamps immediately following SRUM network transfer entries. The staging-then-deletion pattern proves the files were collected, exfiltrated, and then cleaned up.
3. Malware Artifact Recovery
A threat actor drops a RAT into C:\ProgramData\svchost_update.exe, executes it, then deletes the dropper. The $R file in the Recycle Bin contains the complete malware binary, fully intact and hashable. The $I metadata confirms the original path in ProgramData and the exact time of deletion, allowing correlation with process creation events in Security.evtx.
4. Intellectual Property Theft Timeline
A departing employee deletes proprietary CAD files from their work directory over a 3-week period, attempting to make it appear that the files were never present. The Recycle Bin $I files, recovered from unallocated space using $MFT carving, show a progressive deletion pattern: 12 files on March 3, 28 files on March 10, and 156 files on March 17 — the day the employee gave notice.
5. Ransomware Pre-Encryption Cleanup
Some ransomware families delete Volume Shadow Copies and empty the Recycle Bin as part of their pre-encryption routine. The absence of Recycle Bin contents on a ransomware-affected system, combined with event log entries showing vssadmin delete shadows execution, confirms the ransomware performed anti-recovery operations. Timestamps of the emptying operation pinpoint the start of the attack’s destructive phase.
Acquisition Methods
The $Recycle.Bin directory is hidden and protected by system attributes. Standard directory listings will not show it. Use dir /a:hs on Windows, or mount the forensic image and navigate directly. Always collect the entire $Recycle.Bin directory tree — the SID subdirectory structure provides user attribution.
Live System — Direct Copy
:: List all SID directories in the Recycle Bin dir /a:dhs C:\$Recycle.Bin\ :: Copy entire Recycle Bin contents for all users robocopy C:\$Recycle.Bin C:\Evidence\RecycleBin /E /COPY:DAT /A-:SH /ZB :: Using KAPE for targeted collection kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target RecycleBin
Forensic Image — Extraction
# Mount forensic image read-only mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence # Copy entire Recycle Bin tree (preserves SID directories) cp -r /mnt/evidence/\$Recycle.Bin/ /analysis/recyclebin/ # List all $I files recursively find /mnt/evidence/\$Recycle.Bin/ -name '$I*' -ls
Parsing Tools & Analysis
| Tool | Author | License | Output | Notes |
|---|---|---|---|---|
| RBCmd | Eric Zimmerman | Free | CSV | Industry standard; handles both v1 (Vista-8.1) and v2 (10+) formats |
| Rifiuti2 | Rifiuti Project | Open source | CSV/XML | Cross-platform; also handles legacy INFO2 (pre-Vista) format |
| Autopsy | Sleuth Kit | Open source | GUI | Built-in Recycle Bin analysis module with automatic $I parsing |
| X-Ways Forensics | X-Ways | Commercial | GUI + export | Native Recycle Bin parsing with original path display |
| FTK Imager | Exterro | Free | GUI | Can browse $Recycle.Bin contents directly from forensic images |
Parsing with RBCmd
:: Parse all $I files in a collected Recycle Bin directory RBCmd.exe -d C:\Evidence\RecycleBin --csv C:\Analysis\RB_Output :: Parse a single $I file RBCmd.exe -f C:\Evidence\RecycleBin\S-1-5-21-xxx\$IABCDEF.docx :: Output columns: SourceName, FileSize, DeletedOn, FullPath
Manual $I Parsing (Python)
import struct, datetime def parse_i_file(path): with open(path, 'rb') as f: data = f.read() version = struct.unpack_from('<Q', data, 0)[0] file_size = struct.unpack_from('<Q', data, 8)[0] filetime = struct.unpack_from('<Q', data, 16)[0] deleted = datetime.datetime(1601,1,1) + datetime.timedelta(microseconds=filetime//10) if version == 2: # Windows 10+ path_len = struct.unpack_from('<I', data, 24)[0] orig_path = data[28:28+path_len*2].decode('utf-16-le') else: # Vista through 8.1 orig_path = data[24:24+520].decode('utf-16-le').rstrip('\x00') return {'size': file_size, 'deleted': deleted, 'path': orig_path}
Retention & Persistence
| Property | Details |
|---|---|
| Retention period | Until user empties Recycle Bin, or automatic cleanup when volume exceeds threshold |
| Default max size | ~5% of volume capacity (configurable via Recycle Bin Properties) |
| Survives reboot | Yes — on-disk artifact |
| Survives user profile deletion | SID directory may be orphaned but persists until manually cleaned |
| Shift+Delete bypass | Shift+Delete bypasses the Recycle Bin entirely — no $I/$R files created |
| Command-line deletion | del / rm from command prompt bypasses Recycle Bin — no $I/$R files |
Version Differences
| Feature | Pre-Vista (INFO2) | Vista – 8.1 ($I v1) | Windows 10+ ($I v2) |
|---|---|---|---|
| Container | C:\RECYCLER\{SID}\INFO2 | C:\$Recycle.Bin\{SID}\$I* | C:\$Recycle.Bin\{SID}\$I* |
| Metadata storage | Single INFO2 database file | Individual $I file per deleted item | Individual $I file per deleted item |
| Path field | 260 ANSI + 260 Unicode chars | Fixed 520 bytes (260 UTF-16LE) | Variable length with explicit length field |
| Path length limit | 260 characters | 260 characters | Supports long paths (32,767 chars) |
| Parsing tool | Rifiuti (original), Rifiuti2 | RBCmd, Rifiuti2 | RBCmd, Rifiuti2 |
On pre-Vista systems (Windows XP and earlier), the Recycle Bin used the C:\RECYCLER\ directory with a single INFO2 database file per SID. Rifiuti2 can parse both legacy INFO2 and modern $I formats.
Anti-Forensics Resilience
The Recycle Bin is a well-known forensic artifact and is targeted by cleanup tools more frequently than most Windows artifacts. However, multiple layers of forensic evidence survive even aggressive cleanup.
| Action | $I/$R Files | $MFT Record | $UsnJrnl Entry |
|---|---|---|---|
| Standard delete | Created in $Recycle.Bin | Updated with new filename | Rename + move entries logged |
| Empty Recycle Bin | $I/$R files deleted | $MFT entries marked as deleted (recoverable) | Delete entries logged |
| Shift+Delete | Never created | $MFT entry marked deleted directly | Delete entry logged |
| CCleaner cleanup | Empties Recycle Bin | $MFT deletion entries persist | Journal entries may age out |
cipher /w | Does not affect active files | Overwrites free-space data only | No effect on journal |
Even after the Recycle Bin is emptied, $I files are frequently recoverable from the $MFT. Because $I files are small (often under 544 bytes), they are stored as MFT-resident data — the file content is embedded directly in the MFT record. When the $I file is deleted, the MFT record is marked as deleted but not immediately overwritten, preserving the complete metadata.
MITRE ATT&CK Detection Mapping
Recycle Bin analysis supports detection of the following MITRE ATT&CK techniques:
| Technique | Name | Recycle Bin Evidence |
|---|---|---|
T1070.004 T1070.004 | File Deletion | $I files prove file existed and was deliberately deleted; timestamp proves when |
T1485 T1485 | Data Destruction | Mass deletion patterns in $I timestamps indicate bulk destruction |
T1074 T1074 | Data Staged | $I paths showing staging directories that were subsequently deleted |
T1005 T1005 | Data from Local System | Patterns of collected files visible in deletion records |
T1036 T1036 | Masquerading | $R files may contain renamed executables; original path in $I reveals true location |
Related Artifacts & Cross-References
Corroborating Artifacts
| Artifact | Relationship | Cross-Correlation Value |
|---|---|---|
| $MFT | MFT records for $I/$R files persist after emptying | Recovers deletion evidence after cleanup; resident $I data survives in MFT |
| $UsnJrnl | Journal records rename-to-$R and subsequent deletion events | Independent timestamp confirmation; proves Recycle Bin was emptied |
| $LogFile | NTFS transaction log records file system metadata changes | Short-term confirmation of move-to-Recycle-Bin operations |
| Shellbags | Records user navigation to $Recycle.Bin directory | Proves user opened Recycle Bin before emptying (intent evidence) |
| SRUM.db | Network usage by applications whose binaries were deleted | Links deleted executables to network activity |
| Prefetch | Execution records for deleted executables | Proves deleted programs were executed before deletion |
References
- Eric Zimmerman, “RBCmd — Recycle Bin Command Line Parser” — https://ericzimmerman.github.io/
- Rifiuti2, “Windows Recycle Bin Analyser” — https://github.com/abelcheung/rifiuti2
- SANS Institute, “Windows Forensics Poster — Recycle Bin Analysis” — https://www.sans.org/posters/
- 13Cubed, “Recycle Bin Forensics” — https://www.13cubed.com/
- Microsoft, “Shell Recycler” documentation — https://learn.microsoft.com
- ForensicArtifacts.com, “Windows Recycle Bin Artifact” — https://github.com/ForensicArtifacts/artifacts
- Harlan Carvey, “Windows Forensic Analysis Toolkit” — Recycle Bin chapter
- NIST SP 800-86, “Guide to Integrating Forensic Techniques into Incident Response”
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in deleted file recovery, insider threat investigations, and spoliation analysis where evidence has been deliberately destroyed.
mjolnirsecurity.com — 24/7: +1 833 403 5875