Posts

Showing posts from March, 2022

$Recycle.Bin Forensics: Analysis of $I (metadata file) and $R (actual content)

Forensic Insight into Windows 10 $Recycle.Bin

In Windows 10, deleted files are temporarily located in "C:\$Recycle.Bin", a subdirectory under the root directory. When the file deletion process completes, two separate files are placed within the $Recycle.Bin path:

$I – Contains metadata specific to the deleted file (original file name path, file size, deletion timestamp, file name size, and file name).
$R – Contains the actual contents of the file.

The two files ($I and $R) corresponding to the deleted file are named with a random six-character value after $I and $R, resulting in an 8-character file name.

The system creates SID-based folders corresponding to each user account. In the SID sub-folder, you will find the SID of the user who deleted the file. Each time a user deletes a file from the Recycle Bin, a sub-folder is created for them. An analyst can analyse the contents of the SID sub-folders as required.

Let’s
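
The $I metadata fields listed above can be decoded with a short parser; this is an added example, not code from the original post. It assumes the version 2 $I layout used by Windows 10 (8-byte version header, 8-byte file size, 8-byte FILETIME, 4-byte name length in UTF-16 characters, then the path), and the sample record and the names `parse_i_file`, `paired_r_name` and `build_sample` are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed version 2 ($I on Windows 10) layout, little-endian:
# version (8) | file size (8) | deletion FILETIME (8) | name length in UTF-16 chars (4) | path
HEADER = struct.Struct("<QQQI")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_i_file(data: bytes) -> dict:
    """Decode one $I record; raise ValueError on anything malformed."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 28-byte fixed header")
    version, size, filetime, name_chars = HEADER.unpack_from(data)
    if version != 2:
        raise ValueError(f"unsupported $I version {version}")
    raw = data[HEADER.size:HEADER.size + name_chars * 2]
    if len(raw) != name_chars * 2:
        raise ValueError("path truncated: record is shorter than its name length")
    return {
        "original_path": raw.decode("utf-16-le").rstrip("\x00"),
        "size": size,
        # FILETIME counts 100 ns ticks since 1601-01-01 UTC
        "deleted_utc": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
    }

def paired_r_name(i_name: str) -> str:
    """Map a $I file name to the $R file holding the content."""
    if not i_name.upper().startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]

def build_sample() -> bytes:
    """Constructed sample record, not taken from a real system."""
    path = "C:\\Users\\analyst\\Desktop\\notes.txt\x00"
    when = datetime(2022, 3, 15, 10, 30, tzinfo=timezone.utc)
    ticks = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return HEADER.pack(2, 1337, ticks, len(path)) + path.encode("utf-16-le")

if __name__ == "__main__":
    record = parse_i_file(build_sample())
    print(paired_r_name("$IA1B2C3.txt"), record)
```

On a mounted image, feed each `$I*` file under a SID sub-folder to `parse_i_file` and use `paired_r_name` to locate the matching content file; a `$I` with no corresponding `$R` is itself worth noting in the timeline.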