By Alex Parsons & Zachary Reichert
Introduction
One of the most fundamental forensic artifacts in an investigation is the recycle bin. When crimes are committed on computers, one of the first locations to check for evidence is almost always in the Recycle Bin. As a result, we will focus on analyzing the recycling bin in Windows 10 for the first blog post.
For this analysis we took two near identical VMs running Windows 8.1 and Windows 10, and generated data for the recycle bin. Both VMs are logged in to two separate Microsoft accounts, and are on the latest Windows updates as of March 2nd, 2015. Office is also installed on both VMs.
Data Gen
The following data gen tasks were run on March 2, 2015:
| User Action | Windows 8.1 Timestamp | Windows 10 Timestamp |
| Create Doc1.docx in Documents folder | 19:06 | 19:08 |
| Create Pres1.pptx Documents folder | 19:08 | 19:09 |
| Create Cloud Doc1.docx in Onedrive\Documents | 19:11 | 19:14 |
| Create Cloud Pres1.pptx in Onedrive\Documents | 19:16 | 19:15 |
| Create folder “Deleted Folder” in Documents | 19:16 | 19:20 |
| Create “Folder Doc 1.docx” in Deleted folder | 19:17 | 19:20 |
| Create “Folder Pres1.pptx” in Deleted folder | 19:19 | 19:21 |
| Delete Doc1 and Pres1 individually | 19:23 | 19:22 |
| Delete “Deleted Folder” | 19:24 | 19:24 |
| Delete “Cloud Doc1.docx” & “Cloud Pres1.docx” in OneDrive\Documents | 19:25 | 19:25 |
Recycle Bin Analysis
Since Windows 7, Recycle bin artifacts for each user are found in the following location:
DRIVE:\$RECYCLE.BIN\SID
For each file that is deleted, one pair of files are placed in the recycle bin. One file starts with the file name of $I and one that starts with $R. Both end in the same 6 random characters and the original extension. A screen shot is shown below in FTK Imager
The $I format contains metadata including the File Size, Deleted time and the File Path
The $R file contains the deleted file itself.
The $I file is formatted in the following manner in Windows 8.1:
| Windows 8.1 $I Recycle Bin Format | ||
| Offset | Length in bytes | Description |
| 0 | 8 | Begins with 01 |
| 8 | 8 | File Size in bytes |
| 16 | 8 | Deleted Time (In 64 bit Windows timestamp format) |
| 24 | 520 | File path |
In Windows 10, the contents are still split into these $I and $R files but the organization of the $I files are slightly different.
Windows 8.1
Below are screenshots of a $I file in Windows 8.1 on FTK Imager. As you can see, the offsets match up with the table shown above. The hex is parsed and converted according to the table as well.
Windows 10
Below is a screenshot of a $I file in Windows 10 in FTK Imager. As you can see, the first offset of the value is 8 bytes long, but it starts with a value of 02. There is then the 8 bytes related to the file size, followed by the deleted time which matches the data generation sheet. There is then an unknown 4 byte value at offset 24 which will be analyzed further below.
Finally, the rest of the file is no longer 520 bytes and is instead based off the file name as seen below. It appears that the end of this file is marked by three bytes of contiguous zeros.
| Windows 10 $I Recycle Bin Format | ||
| Offset | Length in bytes | Description |
| 0* | 8 | Ends in 02 |
| 8 | 8 | File Size in bytes |
| 16 | 8 | Deleted Time (In 64 bit Windows timestamp format) |
| 24* | 4 | Unknown |
| 28* | Dependent upon file path length | File path |
| * = Changed in Windows 10 | ||
Differences
Differences between Windows 8 and 10 are detailed in the table below; minor changes are found in Offsets 0, 24 and 28.
| Windows 8.1 | Windows 10 |
| Offset 0 begins with 01 | Offset 0 begins with 02 |
| File path is at offset 24 | File path begins at offset 28Offset 24 is 4 bytes of unknown characters |
| File Path is 520 bytes | File path size is dependent upon file path length |
Analyzing Offset 24 in Windows 10
After further investigation, the team worked on identifying the purpose of Offset 24. When analyzing we discovered a pattern that seemed to indicate that Offset 24 is incremental in the order that the files were deleted. Not all values were strictly contiguous though so there should be more research into what this offset does exactly. Below is a table which lists the values of Offset 24 for each $I file.
| Deleted Timestamp | File Name | Hex Value (Offset 0x24) | Decimal Value (Offset 24) |
| 19:22:18 | Doc1.docx | 0x25 | 37 |
| 19:22:20 | Pres1.pptx | 0x26 | 38 |
| 19:24:05 | Deleted Folder | 0x2A | 42 |
| 19:25:25 | Cloud Doc1.docx | 0x34 | 52 |
| 19:25:27 | Cloud Pres1.pptx | 0x35 | 53 |
Conclusion
Although the changes are minor, they are significant for tools that rely on the first offset for analyzing the recycling bin. Rifiuti2 for example will not work with the Windows 10 recycling files, and Encase does not parse the data correctly. Work needs to be done to make these tools compatible.