1RIFIUTI2(1) MS Windows recycle bin analysis tool RIFIUTI2(1)
3
7 rifiuti2 - MS Windows recycle bin analysis tool
8
11 rifiuti or rifiuti-vista [-hv]
12 rifiuti [-x | [-n] [-t delim]] [-z] [-l codepage] [-o outfile] filename
14 rifiuti-vista [-x | [-n] [-t delim]] [-z] [-o outfile] file_or_direc‐
16 tory
17
20 Rifiuti2 analyse recycle bin files from Windows. Analysis of Windows
21 recycle bin is usually carried out during Windows computer forensics.
22 Rifiuti2 can extract file deletion time, original path and size of
23 deleted files and whether the deleted files have been moved out from
24 the recycle bin since they are trashed.
25 Rifiuti2 supports a wide range of Windows versions, from Windows 95 to
27 Windows 10. The command used for analysis depends on the version of
28 Windows producing the recycle bin (not the version of users' system!),
29 which uses vastly different format before and after Vista:
30 rifiuti-vista
32 For Vista or later, which is located in \$Recycle.bin\<SID>\.
33 Each deleted file has its own accompanied index file remembering
34 the original path, file size and deletion time. If original
35 file is permanentsly deleted, so is the index file.
36 rifiuti
38 For Windows 95 to XP/2003, which uses a single index file named
39 INFO2 (98 or above) or INFO (95 and NT4) under either \RECYCLED\
40 (FAT 16/32) or \RECYCLER\<SID>\ (NTFS). This file keeps track
41 record for deletion status and info for all deleted items, in‐
42 cluding those permanently removed or restored.
43 By default, both programs dump tab-delimited fields on screen, which
46 can be viewed on screen or imported into spreadsheet program. -x option
47 instructs program to dump XML formatted content instead.
48 Since 0.7.0 version, rifiuti2 output is in UTF-8 encoding only, includ‐
50 ing the case of writing file under Windows.
51 Index field has different meaning for pre-Vista and post-Vista ver‐
53 sions. INFO2 has an index number for each of deletion item indicating
54 the chronological order of items. For Vista version, it means the index
55 file name instead, which matches pattern “$Ixxxxxx.<ext>”, where x is
56 random alphanumeric character, and <ext> matches the extension of orig‐
57 inal deleted item.
58 Deleted time is represented in UTC time by default. Under tab-delimited
60 mode, date/time is presented in format recognized by spreadsheet pro‐
61 grams, while in XML mode ISO 8601 date/time format is used. For exam‐
62 ple, 3PM at 2014 X'mas represented in these modes would be respective‐
63 ly:
64 2014-12-25 15:00:00
65 2014-12-25T15:00:00Z
66 File size and file path are self-explanatory, but there are some spe‐
68 cial issues to take care about. Refer to CAVEATS section below for
69 more detail.
70
73 -o, --output=FILE
74 Write output to FILE.
75 -x, --xml
77 Output in XML format instead of tab-delimited values. With XML
78 mode, all plain text options are disallowed, and result is al‐
79 ways in UTF-8 encoding. See below for plain text options.
80 -l, --legacy-filename=CODEPAGE
82 Show legacy filename if available (like “D:\Progra~1\”), and
83 specify the CODEPAGE used in the Windows system producing this
84 INFO2 file. Any encodings supported by iconv(1) can be used,
85 though for maximum accuracy of file name results, it is better
86 to stick with Microsoft codepages (such as CP850 or CP1252 for
87 west European version, CP932 for Japanese, etc).
88 Note: This option is mandatory if INFO2 file is created by Win‐
90 dows 95, 98 or ME, since recycle bins under these OS don't con‐
91 tain Unicode file name. This option does not exist in rifiuti-
92 vista.
93 -z, --localtime
95 Present deletion time in numeric time zone of local system run‐
96 ning the program. By default, UTC time is displayed, which is
97 the time value recorded in index files. Using the X'mas example
98 above, the time for Berlin (without daylight saving time) would
99 be 2014-12-25T16:00:00+0100 in ISO 8601 format.
100 Note: It is possible to use any timezone of users' choice by
102 setting $TZ environment variable, though not recommended. See
103 ENVIRONMENT VARIABLE section below.
104 PLAIN TEXT OUTPUT OPTIONS
107 -t, --delimiter=STRING
108 String to use as delimiter (TAB by default). Other than normal
109 characters, several escape sequences are also recognised:
110 \r (carriage return)
111 \n (line feed)
112 \t (tab)
113 \e (escape)
114 -n, --no-heading
116 Don't show recycle bin path name, metadata and field headers
117 -8, --always-utf8
119 (Option deprecated since 0.7.0 version)
120 MISCELLANEOUS OPTIONS
122 -v, --version
123 Print version information and exit.
124 -h, --help
126 Show help options and exit.
127 --help-all
129 Show all help options and exit.
130 --help-text
132 Show plain text output options and exit.
133
135 rifiuti-vista -x -z -o result.xml \case\S-1-2-3\
136 Scan for index files under \case\S-1-2-3\, adjust all deletion
137 time for local time zone, and write XML output to result.xml
138 rifiuti-vista -n \case\S-1-2-3\
140 Show tab-delimited result on screen without header and metadata
141 rifiuti-vista -t '\r\n' \case\S-1-2-3\$IF96NJ3.rtf
143 Only analyse a single index file and print each field in its own
144 line
145 rifiuti -t ',' -o result.csv INFO2
147 Change tab-delimited result to comma-delimited and write to re‐
148 sult.csv
149 rifiuti -l CP1255 -n INFO2
151 Assuming INFO2 from Hebrew version of Windows, display 8.3 file
152 names without header and metadata
153
156 The following environment variables affect execution of program:
157 LANG / LC_MESSAGES / LC_ALL / LANGUAGE
160 Listed in order of increasing importance, these variables deter‐
161 mine the translation to use. They belong to the group of locale
162 environment variables. In general, these variables are already
163 properly set up on Unix-like systems, while unused on Windows.
164 Please consult relevant document of user's operating system for
165 more detail.
166 LANG / LC_CTYPE / LC_ALL
168 If recycle bin path contains non-ASCII character, these vari‐
169 ables affect how they are displayed, in a manner similar to
170 translation related variables described above. However it is not
171 recommended to modify them, as since 0.7.0 version rifiuti2 no
172 more expects any environment using non UTF-8 encoding.
173 RIFIUTI_DEBUG
175 Setting it to any non-empty value would cause programs to print
176 more debugging output to stderr.
177 TZ
179 If non-empty, indicate user-specified time zone when -z option
180 is used. Normally the time zone information is obtained from
181 system and there is no need to set this variable. However, it
182 can be used as a facility to temporarily override timezone for
183 some programs, which can be used for situations like construct‐
184 ing timeline event.
185 This value is OS dependent. For example, for timezone in Los An‐
187 geles, the value for Windows is “PST8PDT”, while corresponding
188 value on Linux would be “America/Los_Angeles”. Please consult
189 manual for your operating system for more info.
190 Please see CAVEATS section below for problems when using this
192 variable.
193
196 Both programs return 0 on success, and greater than 0 if error occurs.
197 In particular, rifiuti-vista would exit with the latest non-zero status
199 when error is encountered in any of the index files.
200 1 Wrong command line argument
203 2 Error when opening file or directory
205 3 Recycle bin data fails basic validation
207 4 Error when writing output to file
209 5 User supplied wrong encoding for legacy path
211
214 Rifiuti2 is a rewrite of rifiuti, a tool of identical purpose written
215 by Foundstone which was later purchased by McAfee. Quoting from the
216 original FoundStone page:
217 Many computer crime investigations require the reconstruction of
219 a subject's Recycle Bin. Since this analysis technique is exe‐
220 cuted regularly, we researched the structure of the data found
221 in the Recycle Bin repository files (INFO2 files). Rifiuti, the
222 Italian word meaning "trash", was developed to examine the con‐
223 tents of the INFO2 file in the Recycle Bin. ... Rifiuti is built
224 to work on multiple platforms and will execute on Windows
225 (through Cygwin), Mac OS X, Linux, and *BSD platforms.
226 However, since the original rifiuti (last updated 2004) can't analyze
229 recycle bin from any localized version of Windows (restricted to Eng‐
230 lish), this rewrite effort is born to overcome the limitation. Later
231 rifiuti2 was improved to add support for Vista format recycle bin, XML
232 output and other extra features not available from original version.
233
236 In very special circumstance (which author can't reproduce now), index
237 file of certain deleted item can be corrupt, causing incorrect deleted
238 file size to be stored. There is no way to report correct size. This
239 problem was only observed in Vista though, not any other versions of
240 Window.
241 Non-ASCII deleted item path name may not be always displayed appropri‐
243 ately on console. Although great care is taken to display path name as
244 much as possible (resorting to escaped hex <\XX> or escaped unicode
245 <\uXXXX> in case of invalid or invisible characters), the font used in
246 console might not be able to display all characters needed. Dumping re‐
247 sult into file and open with UTF-8 capable text editor is an option.
248 It is always better to use UTC time whenever possible, because calcula‐
250 tion of local time might not be correct, especially for non-US users.
251 Documentation of _tzset() function on Windows has this statement:
252 The C run-time library assumes the United States' rules for im‐
253 plementing the calculation of daylight saving time (DST).
254 Since the difference between standard time and DST is hardcoded to be
255 one hour (which is incorrect for a few selected regions), the file
256 deletion time might not be correct for these regions when DST is in ef‐
257 fect.
258 File size can mean the real size of deleted file, or the cluster size
260 it occupies on filesystem, depending on recycle bin format. As a rule
261 of thumb, if all sizes of entries are multiples of 512, it can be as‐
262 sumed the concerned sizes refer to cluster size.
263
266 Report bugs to
267 https://github.com/abelcheung/rifiuti2/issues
269 Information about rifiuti2 can be found on
271 https://abelcheung.github.io/rifiuti2/
273
276 Open Digital Evidence Search and Seizure Architecture project, which
277 contains the original rifiuti tool
278 http://odessa.sourceforge.net/
279 Windows 10 Recycle Bin Index Structure, by BlackBag Technologies
281 https://www.blackbagtech.com/blog/2017/01/19/examining-the-win‐
282 dows-10-recycle-bin/
283 $Recycle.Bin Forensics for Windows 7 and Windows Vista, by Timothy R.
285 Leschke
286 https://pdfs.semanticschol‐
287 ar.org/db62/a02a2f90c569200bf37ead369221e04393d8.pdf
288 INFO2 recycle bin file example, by Steve Hailey
290 http://www.cyber-ssct.com/resources/INFO2.pdf
291
293 Part of the work of rifiuti2 is derived from Rifiuti. Both pieces of
294 software are licensed under the simplified BSD license.
295
298 The main author of rifiuti2 is Abel Cheung <abelcheung@gmail.com>
299 The original author of rifiuti is Keith J. Jones
301 <keith.jones@foundstone.com>
302 Anthony Wong <ypwong@debian.org> helped in Debian packaging and was au‐
304 thor of the original manpage.
3050.7.0 May 2015 RIFIUTI2(1)