RIFIUTI2(1)          MS Windows recycle bin analysis tool          RIFIUTI2(1)

NAME

       rifiuti2 - MS Windows recycle bin analysis tool

SYNOPSIS

       rifiuti or rifiuti-vista [-hv]

       rifiuti [-x | [-n] [-t delim]] [-z] [-l codepage] [-o outfile] filename

       rifiuti-vista [-x | [-n] [-t delim]] [-z] [-o outfile] file_or_directory

DESCRIPTION

       Rifiuti2 analyses recycle bin files from Windows. Analysis of the Windows
       recycle bin is usually carried out during Windows computer forensics.
       Rifiuti2 can extract the file deletion time, original path and size of
       deleted files, and whether the deleted files have been moved out of the
       recycle bin since they were trashed.

       Rifiuti2 supports a wide range of Windows versions, from Windows 95 to
       Windows 10. The command used for analysis depends on the version of
       Windows that produced the recycle bin (not the version of the user's
       system!), since the format differs vastly before and after Vista:

       rifiuti-vista
              For Vista or later, where the recycle bin is located in
              \$Recycle.bin\<SID>\. Each deleted file has its own accompanying
              index file recording the original path, file size and deletion
              time. If the original file is permanently deleted, so is the
              index file.

       rifiuti
              For Windows 95 to XP/2003, which use a single index file named
              INFO2 (98 or above) or INFO (95 and NT4) under either \RECYCLED\
              (FAT 16/32) or \RECYCLER\<SID>\ (NTFS). This file keeps a record
              of the deletion status and info for all deleted items, including
              those permanently removed or restored.

       By default, both programs dump tab-delimited fields on screen, which can
       be viewed directly or imported into a spreadsheet program. The -x option
       instructs the program to dump XML formatted content instead.

       Since version 0.7.0, rifiuti2 output is in UTF-8 encoding only, including
       the case of writing to a file under Windows.

       The Index field has a different meaning for pre-Vista and post-Vista
       versions. INFO2 has an index number for each deleted item indicating the
       chronological order of items. For the Vista version, it means the index
       file name instead, which matches the pattern “$Ixxxxxx.<ext>”, where x is
       a random alphanumeric character and <ext> matches the extension of the
       original deleted item.

       Deletion time is represented in UTC by default. In tab-delimited mode,
       date/time is presented in a format recognized by spreadsheet programs,
       while in XML mode the ISO 8601 date/time format is used. For example,
       3PM at X'mas 2014 would be represented in these modes respectively as:
              2014-12-25 15:00:00
              2014-12-25T15:00:00Z

       File size and file path are self-explanatory, but there are some special
       issues to take care of. Refer to the CAVEATS section below for more
       detail.

OPTIONS

       -o, --output=FILE
              Write output to FILE.

       -x, --xml
              Output in XML format instead of tab-delimited values. In XML
              mode, all plain text options are disallowed, and the result is
              always in UTF-8 encoding. See below for plain text options.

       -l, --legacy-filename=CODEPAGE
              Show the legacy filename if available (like “D:\Progra~1\”), and
              specify the CODEPAGE used by the Windows system that produced this
              INFO2 file. Any encoding supported by iconv(1) can be used, though
              for maximum accuracy of file name results it is better to stick
              with Microsoft codepages (such as CP850 or CP1252 for West
              European versions, CP932 for Japanese, etc).

              Note: This option is mandatory if the INFO2 file was created by
              Windows 95, 98 or ME, since recycle bins under these OSes don't
              contain Unicode file names. This option does not exist in
              rifiuti-vista.

       -z, --localtime
              Present deletion time in the numeric time zone of the local
              system running the program. By default, UTC time is displayed,
              which is the time value recorded in the index files. Using the
              X'mas example above, the time for Berlin (without daylight saving
              time) would be 2014-12-25T16:00:00+0100 in ISO 8601 format.

              Note: It is possible to use any time zone of the user's choice by
              setting the $TZ environment variable, though this is not
              recommended. See the ENVIRONMENT VARIABLES section below.

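       Added example (not rifiuti2's own code): a minimal parser for one Vista
       or later $I index file that recovers the three fields the index file
       records (see DESCRIPTION), then renders the deletion time in the
       tab-delimited and XML forms and in the -z style for Berlin. The $I byte
       layout is a fact about Windows that this manpage does not state; the
       sample record, its path and the fixed CET offset are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone, tzinfo

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since here
# Constructed sample values: the manpage's X'mas example plus a made-up path.
SAMPLE_UTC = datetime(2014, 12, 25, 15, 0, tzinfo=timezone.utc)
SAMPLE_PATH = "C:\\Users\\demo\\Documents\\report.rtf"
CET = timezone(timedelta(hours=1))  # Berlin without DST, as in the -z example

def filetime_to_utc(ft: int) -> datetime:
    """Raw 64-bit FILETIME -> aware UTC datetime (tens of nanoseconds dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_utc; used here only to build the constructed sample."""
    d = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10

def parse_index_file(data: bytes) -> dict:
    """Parse one $I file: u64 version | u64 size | u64 FILETIME | path. Layout is a Windows fact,
    not from the manpage: v1 (Vista-8.1) fixed 520-byte UTF-16LE; v2 (Win10) u32 char count + path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)  # struct.error if header is short
    if version == 1:
        raw, want = data[24:544], 520
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw, want = data[28:28 + nchars * 2], nchars * 2
    else:
        raise ValueError(f"unknown $I version {version}")
    if len(raw) < want:
        raise ValueError("truncated $I path field")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted_utc": filetime_to_utc(ft), "path": path}

def tab_time(dt: datetime) -> str:
    """Deletion time as printed in tab-delimited mode, e.g. 2014-12-25 15:00:00."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def iso_time(dt: datetime, zone: tzinfo = timezone.utc) -> str:
    """ISO 8601 as in XML mode; with another zone it mirrors -z (+0100 style offset)."""
    fmt = "%Y-%m-%dT%H:%M:%SZ" if zone is timezone.utc else "%Y-%m-%dT%H:%M:%S%z"
    return dt.astimezone(zone).strftime(fmt)

def build_sample(version: int) -> bytes:
    """Constructed $I record for SAMPLE_UTC / SAMPLE_PATH in either layout."""
    ft = utc_to_filetime(SAMPLE_UTC)
    encoded = (SAMPLE_PATH + "\x00").encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, 4096, ft) + encoded.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, 4096, ft, len(SAMPLE_PATH) + 1) + encoded
```

       For real DST rules pass zoneinfo.ZoneInfo("Europe/Berlin") instead of
       CET; the fixed offset is used only so the sample runs without tzdata.
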
   PLAIN TEXT OUTPUT OPTIONS
       -t, --delimiter=STRING
              String to use as delimiter (TAB by default). Other than normal
              characters, several escape sequences are also recognised:
              \r (carriage return)
              \n (line feed)
              \t (tab)
              \e (escape)

       -n, --no-heading
              Don't show recycle bin path name, metadata and field headers.

       -8, --always-utf8
              (Option deprecated since version 0.7.0)

   MISCELLANEOUS OPTIONS
       -v, --version
              Print version information and exit.

       -h, --help
              Show help options and exit.

       --help-all
              Show all help options and exit.

       --help-text
              Show plain text output options and exit.

EXAMPLES

       rifiuti-vista -x -z -o result.xml \case\S-1-2-3\
              Scan for index files under \case\S-1-2-3\, adjust all deletion
              times to the local time zone, and write XML output to result.xml

       rifiuti-vista -n \case\S-1-2-3\
              Show tab-delimited result on screen without header and metadata

       rifiuti-vista -t '\r\n' \case\S-1-2-3\$IF96NJ3.rtf
              Only analyse a single index file and print each field on its own
              line

       rifiuti -t ',' -o result.csv INFO2
              Change the tab-delimited result to comma-delimited and write to
              result.csv

       rifiuti -l CP1255 -n INFO2
              Assuming INFO2 from a Hebrew version of Windows, display 8.3 file
              names without header and metadata


ENVIRONMENT VARIABLES

       The following environment variables affect execution of the programs:

       LANG / LC_MESSAGES / LC_ALL / LANGUAGE
              Listed in order of increasing importance, these variables
              determine the translation to use. They belong to the group of
              locale environment variables. In general, these variables are
              already properly set up on Unix-like systems, while unused on
              Windows. Please consult the relevant documentation of your
              operating system for more detail.

       LANG / LC_CTYPE / LC_ALL
              If the recycle bin path contains non-ASCII characters, these
              variables affect how they are displayed, in a manner similar to
              the translation related variables described above. However it is
              not recommended to modify them, since as of version 0.7.0
              rifiuti2 no longer expects any environment using a non UTF-8
              encoding.

       RIFIUTI_DEBUG
              Setting it to any non-empty value causes the programs to print
              more debugging output to stderr.

       TZ
              If non-empty, indicates the user-specified time zone when the -z
              option is used. Normally the time zone information is obtained
              from the system and there is no need to set this variable.
              However, it can be used as a facility to temporarily override the
              time zone for some programs, which is useful in situations like
              constructing a timeline of events.

              This value is OS dependent. For example, for the Los Angeles time
              zone, the value for Windows is “PST8PDT”, while the corresponding
              value on Linux would be “America/Los_Angeles”. Please consult the
              manual for your operating system for more info.

              Please see the CAVEATS section below for problems when using this
              variable.


EXIT STATUS

       Both programs return 0 on success, and greater than 0 if an error occurs.

       In particular, rifiuti-vista exits with the latest non-zero status when
       an error is encountered in any of the index files.

       1      Wrong command line argument

       2      Error when opening file or directory

       3      Recycle bin data fails basic validation

       4      Error when writing output to file

       5      User supplied wrong encoding for legacy path


HISTORY

       Rifiuti2 is a rewrite of rifiuti, a tool of identical purpose written by
       Foundstone, which was later purchased by McAfee. Quoting from the
       original Foundstone page:

              Many computer crime investigations require the reconstruction of
              a subject's Recycle Bin. Since this analysis technique is
              executed regularly, we researched the structure of the data found
              in the Recycle Bin repository files (INFO2 files). Rifiuti, the
              Italian word meaning "trash", was developed to examine the
              contents of the INFO2 file in the Recycle Bin. ... Rifiuti is
              built to work on multiple platforms and will execute on Windows
              (through Cygwin), Mac OS X, Linux, and *BSD platforms.

       However, since the original rifiuti (last updated 2004) can't analyze
       recycle bins from any localized version of Windows (it is restricted to
       English), this rewrite effort was born to overcome the limitation. Later
       rifiuti2 was improved to add support for the Vista format recycle bin,
       XML output and other extra features not available in the original
       version.


CAVEATS

       In a very special circumstance (which the author can't reproduce now),
       the index file of a certain deleted item can be corrupt, causing an
       incorrect deleted file size to be stored. There is no way to report the
       correct size. This problem was only observed in Vista though, not in any
       other version of Windows.

       Non-ASCII deleted item path names may not always be displayed
       appropriately on the console. Although great care is taken to display
       as much of the path name as possible (resorting to escaped hex <\XX> or
       escaped unicode <\uXXXX> in case of invalid or invisible characters),
       the font used in the console might not be able to display all the
       characters needed. Dumping the result into a file and opening it with a
       UTF-8 capable text editor is an option.

       It is always better to use UTC time whenever possible, because the
       calculation of local time might not be correct, especially for non-US
       users. The documentation of the _tzset() function on Windows has this
       statement:
              The C run-time library assumes the United States' rules for
              implementing the calculation of daylight saving time (DST).
       Since the difference between standard time and DST is hardcoded to be
       one hour (which is incorrect for a few selected regions), the file
       deletion time might not be correct for these regions when DST is in
       effect.

       File size can mean the real size of the deleted file, or the cluster
       size it occupies on the filesystem, depending on the recycle bin format.
       As a rule of thumb, if all sizes of entries are multiples of 512, it can
       be assumed the sizes concerned refer to cluster size.

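       Added example (not part of rifiuti2): a small parser for output written
       with -n and any -t delimiter (decoding the escape sequences listed under
       PLAIN TEXT OUTPUT OPTIONS), which then applies the rule of thumb above
       to decide whether the Size column holds cluster sizes. The sample output
       lines are constructed, and the column order (index, deleted time, size,
       path) is an assumption of this example, not something this manpage
       documents.

```python
import re

# Escape sequences the -t option recognises (listed in the manpage); all else is literal.
_ESCAPES = {"r": "\r", "n": "\n", "t": "\t", "e": "\x1b"}

def decode_delimiter(spec: str) -> str:
    """Turn a -t argument such as '\\r\\n' or ',' into the actual delimiter string."""
    return re.sub(r"\\([rnte])", lambda m: _ESCAPES[m.group(1)], spec)

def index_looks_like_vista(index: str) -> bool:
    """True if the Index field has the $Ixxxxxx.<ext> shape described in DESCRIPTION."""
    return re.fullmatch(r"\$I[0-9A-Za-z]{6}(\.[^\\/]+)?", index) is not None

def parse_output(text: str, delimiter: str = "\t") -> list:
    """Parse output produced with -n (no heading lines). The column order
    index, deleted time, size, path is an assumption of this example."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(delimiter, 3)  # the path itself may contain the delimiter
        if len(fields) != 4:
            raise ValueError(f"unexpected field count: {line!r}")
        index, deleted, size, path = fields
        records.append({"index": index, "deleted": deleted, "size": int(size), "path": path})
    return records

def sizes_are_cluster_sizes(records: list, cluster: int = 512) -> bool:
    """Rule of thumb from CAVEATS: if every size is a multiple of 512, the Size
    column reports space occupied on disk rather than the real file size."""
    sizes = [r["size"] for r in records]
    return bool(sizes) and all(s % cluster == 0 for s in sizes)

# Constructed sample lines, as if written by: rifiuti-vista -n \case\S-1-2-3\
SAMPLE_TAB = (
    "$IF96NJ3.rtf\t2014-12-25 15:00:00\t4096\tC:\\Users\\demo\\Documents\\report.rtf\n"
    "$IABC123.txt\t2014-12-26 09:12:40\t512\tC:\\Users\\demo\\notes.txt\n"
)
# The same two entries as they would appear when written with -t ','
SAMPLE_CSV = SAMPLE_TAB.replace("\t", ",")

if __name__ == "__main__":
    for spec, text in (("\\t", SAMPLE_TAB), (",", SAMPLE_CSV)):
        recs = parse_output(text, decode_delimiter(spec))
        print(spec, len(recs), "entries; cluster sizes:", sizes_are_cluster_sizes(recs))
```
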

REPORTING BUGS

       Report bugs to

              https://github.com/abelcheung/rifiuti2/issues

       Information about rifiuti2 can be found on

              https://abelcheung.github.io/rifiuti2/


SEE ALSO

       Open Digital Evidence Search and Seizure Architecture project, which
       contains the original rifiuti tool
              http://odessa.sourceforge.net/

       Windows 10 Recycle Bin Index Structure, by BlackBag Technologies
              https://www.blackbagtech.com/blog/2017/01/19/examining-the-windows-10-recycle-bin/

       $Recycle.Bin Forensics for Windows 7 and Windows Vista, by Timothy R.
       Leschke
              https://pdfs.semanticscholar.org/db62/a02a2f90c569200bf37ead369221e04393d8.pdf

       INFO2 recycle bin file example, by Steve Hailey
              http://www.cyber-ssct.com/resources/INFO2.pdf

       Part of the work of rifiuti2 is derived from Rifiuti. Both pieces of
       software are licensed under the simplified BSD license.


AUTHOR

       The main author of rifiuti2 is Abel Cheung <abelcheung@gmail.com>

       The original author of rifiuti is Keith J. Jones
       <keith.jones@foundstone.com>

       Anthony Wong <ypwong@debian.org> helped in Debian packaging and was the
       author of the original manpage.


0.7.0                              May 2015                        RIFIUTI2(1)