Windows Recycle Bin Forensics

thismanera
6 min read, Dec 6, 2023


The Recycle Bin

The Recycle Bin is a feature in Microsoft Windows that acts as a temporary storage location for files and folders that have been deleted by the user. Instead of immediately deleting files when a user chooses to delete them, Windows moves the deleted items to the Recycle Bin. This provides a safety net in case a user accidentally deletes something important, as items in the Recycle Bin can be easily restored.

(Image: Windows Recycle Bin icon)

Where is the recycle bin located?

In Windows XP and earlier versions of Windows, the Recycle Bin data is stored in a hidden directory at the root of each drive named “RECYCLER”. This directory contains a system folder with a unique identifier for each user, and it’s where the Recycle Bin stores the deleted files.

For example:

  • C:\RECYCLER\S-1-5-21-… (followed by a unique user identifier)

In Windows 7, Windows 8, Windows 10 and more recent versions of Windows, the structure has changed, and the Recycle Bin data is stored in a hidden directory named “$Recycle.Bin” at the root of each drive. Like in Windows XP, it contains a system folder with a unique identifier for each user.

For example:

  • C:\$Recycle.Bin\S-1-5-21-… (followed by a unique user identifier)

The identifiers following the “S-1-5-21” part will be unique to each user account on the system. The use of unique identifiers ensures that each user’s deleted files are stored separately within the Recycle Bin.

Because these user directories are hidden, listing them requires the following command, which shows hidden files:

dir /a:h

Furthermore, the following command lists every user account together with its SID, so we can tell which directory belongs to which user:

wmic useraccount get name,sid

  • wmic: This is the command-line interface to WMI. WMI is a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification.
  • useraccount: This specifies the WMI class to query. In this case, it refers to the "UserAccount" class, which represents user accounts on the system.
  • get name,sid: This part of the command specifies the properties (attributes) of the "UserAccount" class to retrieve: "name" (the username) and "sid" (the Security Identifier).

(Image: username correlated to its SID)

Each of these directories contains the $I and $R files, which are what make it possible to recover files from the bin.

What are $I and $R files?

In the context of the Windows operating system, files with names starting with $I and $R are typically associated with the Recycle Bin. These files are used internally by the Recycle Bin to manage and store information about deleted files.

These files are part of the internal structure of the Recycle Bin, and users typically don’t interact with them directly. When a file is deleted, the Recycle Bin moves the file into its internal structure, and it is at this point that the $I and $R files are created. The $I file stores the metadata, and the $R file stores the file’s content. If a user chooses to restore a file from the Recycle Bin, these files are used to restore the file to its original location and state.

$I Files

Files with names starting with $I are known as INFO2 files. They store metadata information about each deleted file, such as the original file name, the date and time it was deleted, and other attributes. The $I files help the Recycle Bin maintain a record of the deleted files. Example: $I1234567890.log

Its structure is the following:

(Image: $I file structure)

As can be seen, the newer $I structure adds a File Name Length field at offset 24. Because the $I file is now only as large as it needs to be, $I files from Windows 10 systems are typically smaller than in prior versions, where each $I file was a fixed 544 bytes; the size now depends on this new field.
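As an added example (not the article's own tooling and not the $I Parse utility mentioned below), the following Python script decodes both $I layouts described above: header version, original size, deletion time (a FILETIME) and original path, with the fixed 520-byte name field for version 1 records and the length-prefixed name for version 2. It assumes the version-1 layout is the fixed 544-byte record the article describes; the sample records are constructed inside the script, and the pairing helper groups $I/$R names by their shared suffix, which the $R section later relies on.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample records."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_dollar_i(data):
    """Decode one $I record: header version, original size, deletion time, original path."""
    if len(data) < 24:
        raise ValueError("too short to hold a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista to 8.1: fixed 520-byte (260 UTF-16 chars) path field, record is always 544 bytes
        raw = data[24:544]
    elif version == 2:
        # Windows 10 and later: 4-byte character count at offset 24 (includes the terminating NUL)
        (name_len,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + name_len * 2]
    else:
        raise ValueError(f"unknown $I header version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted": filetime_to_datetime(ft), "path": path}

def build_dollar_i(version, size, deleted, path):
    """Construct a $I record from the layout above (sample data for this script, not real bin data)."""
    name = path.encode("utf-16-le") + b"\x00\x00"
    head = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    if version == 1:
        return head + name.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + name

def pair_recycle_entries(names):
    """Group $I/$R names by shared suffix; an $R with no $I has lost its metadata record."""
    pairs = {}
    for n in names:
        if n[:2] in ("$I", "$R"):
            pairs.setdefault(n[2:], {})[n[1]] = n
    return pairs

# Constructed sample: the same deleted file recorded in the Windows 10 and the older layout
DELETED_AT = datetime(2023, 12, 6, tzinfo=timezone.utc)
SAMPLE_V2 = build_dollar_i(2, 4096, DELETED_AT, r"C:\Users\alice\report.docx")
SAMPLE_V1 = build_dollar_i(1, 4096, DELETED_AT, r"C:\Users\alice\report.docx")
```

Calling parse_dollar_i on the bytes of a real $I file works the same way; SAMPLE_V1 comes out at 544 bytes and SAMPLE_V2 at 82, which is the size difference the paragraph above describes.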

To open a $I file and inspect its content, we can use Notepad:

notepad $IXXXXXXXX.ext

(Image: example of the command with a $I file)

To decode the fields that are not readable in Notepad (as shown in the image), we can use the following parser: $I Parse

(Image: example of the use of $I Parse)

$R Files

Files with names starting with $R are known as the Recycle Bin data files. These files store the actual data of deleted files. Each $R file corresponds to a specific deleted file and contains the file’s content. Example: $R1234567890.ext

The extension of the $R file corresponds to the original extension of the deleted file. To inspect its content, copy the file out of the Recycle Bin directory before opening it.

What happens to these files when the Recycle Bin is emptied?

When the Recycle Bin in Windows is emptied, the associated `$I` (INFO2) and `$R` files are typically removed along with the deleted files. Emptying the Recycle Bin essentially means permanently deleting the items it contains. The process is normally the following:

1. User Deletes Files: When a user deletes a file, it is moved to the Recycle Bin, and corresponding `$I` and `$R` files are created.

2. User Empties Recycle Bin: When the user chooses to empty the Recycle Bin, all files, including their associated `$I` and `$R` files, are permanently deleted from the Recycle Bin.

3. Permanent Deletion: The deletion is considered permanent, and the space occupied by those files is marked as available for use by the file system.

It’s important to note that the specific behavior may depend on the Windows version and settings. Some users may have settings configured to bypass the Recycle Bin and permanently delete files immediately, in which case there may not be `$I` and `$R` files created.

Additionally, there are scenarios where specialized data recovery tools might be able to recover deleted files even after they’ve been emptied from the Recycle Bin. However, in the normal operation of the Recycle Bin, emptying it is designed to remove all traces of the deleted files.

Secure Data Deletion

Contrary to what most people think, when a file is deleted by using the Recycle Bin, the file is not immediately and permanently removed from the hard drive. Instead, the file’s space is marked as unallocated, which prevents the user from accessing the file, but the data is still stored on the drive. In other words, when a file is deleted from your computer, the only data erased from the hard drive is a small bit of information that points to the location of the file. The actual file remains on the hard drive until it is overwritten by new data.

This makes the file retrievable with common software tools, allowing unauthorized actors to read the data if they are able to gain access to the hard drive.

To safely delete a file and ensure that none of its data remains in the filesystem, you need to use secure deletion methods that overwrite the file’s data before removing it. To learn more about secure data deletion, you can consult the following article.


thismanera

Cybersecurity Analyst with two years of hands-on experience in the field. My content focus lies in the realm of Blue Team Operations.