There are many tools available to recover data from the Windows recycle bin. However, the objective of this post is to identify a tool that can analyze the recycle bin rather than recover files from it. While there are tools such as rifiuti v1 (mcafee.com, n.d.) and WFA (mitec.cz, n.d.) for analyzing Windows XP based on the INFO2 file, neither of these tools supports Windows 10.
Rifiuti2
Rifiuti2 is used for performing recycle bin analysis and can extract the file deletion time, original path and size of deleted files, along with whether or not the files have been moved out of the recycle bin (abelcheung.github.io, n.d.).
Getting Help
From the Windows command line, within the folder containing the file “rifiuti-vista.exe”, the help screen is displayed when “rifiuti-vista.exe” is executed.
Figure 14 below shows the help screen for “rifiuti-vista.exe”, which is the executable used for Windows Vista and later.
Parsing the recycle bin
Using the information contained in Figure 14, one can parse the recycle bin. Writing the parsed output to an .XML file requires identifying the SID that should be targeted under the “$Recycle.bin” folder, as shown in Figure 15 below.
The Output
The results, output in .XML format, are shown below.
C:\Users\securiynik\Desktop\7z1505-x64.exe
C:\Users\securiynik\Desktop\winrar-x64-521.exe
C:\Users\securiynik\Desktop\AccessData Registry Viewer_1.8.1.2.exe
C:\Users\securiynik\Desktop\FTK Imager
C:\Users\securiynik\Desktop\OpenOffice 4.1.1 (en-US) Installation Files
C:\Users\securiynik\Desktop\Apache_OpenOffice_4.1.1_Win_x86_install_en-US.exe
C:\Users\securiynik\Desktop\Delete Me
C:\Users\securiynik\Desktop\winrar-x64-521.exe
C:\Users\securiynik\Desktop\AccessData Registry Viewer_1.8.1.2.exe
C:\Users\securiynik\Desktop\FTK Imager
C:\Users\securiynik\Desktop\OpenOffice 4.1.1 (en-US) Installation Files
C:\Users\securiynik\Desktop\Apache_OpenOffice_4.1.1_Win_x86_install_en-US.exe
C:\Users\securiynik\Desktop\Delete Me
Below is the .xml file opened in a browser, showing the files within the recycle bin.
For those wanting to perform recycle bin analysis in Windows 10, Rifiuti2 does an excellent job.
References:
abelcheung.github.io. (n.d.). Rifiuti2 - Windows recycle bin analysis tool. Retrieved from abelcheung.github.io: https://abelcheung.github.io/rifiuti2/
mcafee.com. (n.d.). Rifiuti v1.0 - A recycle bin Forensic Analysis Tool. Retrieved from mcafee.com: http://www.mcafee.com/us/downloads/free-tools/rifiuti.aspx
mitec.cz. (n.d.). Windows File Analyzer - Tool for forensic file analysis. Retrieved from mitec.cz: http://www.mitec.cz/wfa.html