What is the “Recycle Bin” Windows forensic artifact?

The Windows Recycle Bin is a system-level hidden directory that acts as a temporary holding area for files deleted by a user before they are permanently removed from the storage volume. In modern Windows operating systems, this artifact is located at the root of every logical drive within the $RECYCLE.BIN directory. When a user deletes a file via standard methods, Windows does not immediately destroy the data. Instead, it moves the file into a subfolder named after the user’s Security Identifier (SID).

Within this specific SID folder, the operating system splits the deleted file’s identity into two distinct components that share a randomly generated alphanumeric string. The first is the $R file, which retains the original extension and contains the actual binary data of the deleted file. The second is the $I file, an index component created at the exact moment of deletion. The $I file stores critical restorative metadata, specifically the original absolute file path, the original file size, and the precise timestamp of when the deletion occurred.

For a DFIR investigator, the $RECYCLE.BIN is a fundamental artifact for proving intent, attributing actions to specific accounts, and reconstructing a timeline of data destruction. Analyzing the $I file allows an investigator to definitively determine when a file was deleted and where it originally resided, even if the user subsequently emptied the bin and the $R data file was completely overwritten. Because the deleted artifacts are strictly isolated into specific SID folders, investigators can irrefutably link the act of deletion to the exact user account that executed it. This capability is invaluable for tracking the removal of malicious payloads, identifying anti-forensic attempts to mask activity, or proving the intentional destruction of sensitive intellectual property.
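The $I record layout described above is small enough to parse by hand. The following is an added example, not TensorGuard's code: it decodes both the Vista/7 layout (version 1, fixed 520-byte path) and the Windows 10+ layout (version 2, length-prefixed path), converts the FILETIME deletion stamp to UTC, and builds constructed sample records (the paths, sizes and timestamp are invented fixtures, not taken from a real system).

```python
"""Parse $RECYCLE.BIN $I index records: 8-byte version, 8-byte original size,
8-byte FILETIME of deletion, then the original path (layout depends on version)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    # FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic only, so large values stay exact.
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_i_file(data: bytes) -> dict:
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista/7: fixed 520-byte (260 UTF-16 code units) NUL-padded path.
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        # Windows 10+: 4-byte char count (including terminating NUL), then path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated path field")
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def build_i_file(path: str, size: int, deleted_at: datetime, version: int = 2) -> bytes:
    """Construct a sample $I record (test fixture, not captured from a real host)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


SAMPLE_DELETED_AT = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # constructed
SAMPLE_V2 = build_i_file(r"C:\Users\alice\Documents\quarterly_financials.xlsx", 4096, SAMPLE_DELETED_AT)
SAMPLE_V1 = build_i_file(r"C:\Users\alice\Desktop\notes.txt", 512, SAMPLE_DELETED_AT, version=1)

if __name__ == "__main__":
    for rec in (SAMPLE_V2, SAMPLE_V1):
        print(parse_i_file(rec))
```

On a live system the $I files sit under `<drive>:\$RECYCLE.BIN\<SID>\`, so the SID folder name gives the deleting account and the record gives the path, size and UTC deletion time.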


Enterprise Forensic Applications

The Recycle Bin is a crucial artifact for identifying evidence spoliation and attacker cleanup phases. During Insider Risk and HR Investigations, TensorGuard automates the parsing of $I files across an endpoint to instantly reveal if a departing employee attempted to destroy confidential documents, financial records, or proprietary source code prior to their exit. Furthermore, in rapid incident response scenarios, analyzing the Recycle Bin at scale can uncover the remnants of staging directories and deleted malware droppers, providing immediate indicators of compromise even after an adversary has attempted to wipe their footprint from the environment.


Collecting, Decoding, and Viewing “Recycle Bin” with TensorGuard

  1. Create a TensorGuard account and sign in to the TensorGuard console at https://app.tensorguard.com.
  2. Select “Case Manager”, then the plus button to create a case. This will contain your enrolled devices, their reports, and any manually submitted collections.
  3. Linked inside the case menu, download the TensorGuard Forensic Collector and run it on your target system.
  4. In the console, click the plus button for “New Enrollment”, copy the enrollment key, and paste it into the TensorGuard Forensic Collector on your target device.
  5. Now that you have a device enrolled, select the device(s), and click “Send Signal”. Answer the questions regarding what you want to look for in the analysis, any alerting on positive findings, and if the collection and analysis should be recurring.
  6. Once the report is generated, you’ll have the Recycle Bin artifact delivered in the browser, alongside an executive summary and timeline of findings.


TensorGuard™ is a trademark of TensorGuard Inc. All other trademarks are the property of their respective owners. The information provided on this blog is for educational and informational purposes only and does not constitute legal, forensic, or professional advice. Due to the complexities of Digital Forensics and potential legal implications, you should always consult with qualified legal counsel or a certified digital forensics expert before taking action based on findings.


Start with a Compromise Assessment.

The best way to see the power of TensorGuard is to use it. For a simple, flat fee, we will conduct a full, AI-powered Compromise Assessment on a selection of your critical systems.
