This is a long overdue post about the Windows 8.1 and Windows 10 Recycle Bin. This post, along with a few others I have researched, has been sitting in drafts for quite some time while I was busy with EnCE prep; I will try to post them this weekend.
In my previous post I explained the architecture of the Recycle Bin and its naming convention in Windows XP, Vista and Windows 7, and then gave a brief overview of the INFO2, $I, $R and $I30 files.
This post is the result of a preliminary analysis of the Windows 8.1 and Windows 10 Recycle Bins from a forensic point of view, comparing the results with the previously analysed Windows 7 Recycle Bin. For this research I installed Windows 8.1 and Windows 10 on two VMs and sent a few files to the Recycle Bin on each to generate data for analysis. Contrary to the expectation that the large number of upgraded features in Windows 8.1 and 10 would change the Recycle Bin artifacts, no significant differences were observed in the deletion artifacts or in the structure of the Recycle Bin. We still find $Recycle.Bin, $R and $I files in both Windows 8.1 and Windows 10.
A quick recap of the previous post: in Windows 7, for each file that is deleted, a pair of files is created in the Recycle Bin, the $I and $R files. Both files end in the same six random characters followed by the original extension of the deleted file. The $I file contains metadata including the file size, the deletion time and the original file path, whereas the $R file is the deleted file itself. The $I30 file is a Windows NTFS index attribute that can assist in identifying deleted files. We also learnt that each user account has its own Recycle Bin on each volume, located by default at DRIVE:\$Recycle.Bin\SID. On the system partition it is displayed as $Recycle.Bin, while on non-system partitions it is represented as $RECYCLE.BIN; I am unsure of the reason for this difference.
Initial observations on Windows 8.1 and Windows 10 show no notable differences when compared with Windows 7. The Recycle Bin is still found at DRIVE:\$Recycle.Bin\SID; however, a slight change in the last field of the $I file (the one that holds the file path) in Windows 8.1 and a few format changes in the Windows 10 Recycle Bin have been noticed. For the analysis, the following tasks were performed on Windows 8.1 and Windows 10. I created two files, 'Test.pdf' of size 2645 KB and 'Analysis.pptx' of size 1227 KB, inside a folder titled 4n6 on the Desktop, then deleted both files at the same time.
Analysis of Windows 8.1 Recycle Bin
Below is an FTK Imager screenshot of the $I file of the deleted 'Test.pdf' from Windows 8.1.
1. Offset 0-7: The first 8 bytes are still the header of the $I file; as in Windows 7, the first byte is 01 followed by seven bytes of 00.
2. Offset 8-15: The following 8 bytes represent the file size in bytes. For the conversion from hex to decimal, read my previous post 'Once Upon A Time In Recycle Bin'.
3. Offset 16-23: The next 8 bytes denote the file deletion time; my previous post explains how to decode this hex value into a human-readable format.
4. Offset 24-543: Unlike Windows 7 or Windows 10, the length of this part no longer depends on the original file path/name. It is always 520 bytes long, starting at offset 24.
Analysis of Windows 10 Recycle Bin
Below is an FTK Imager screenshot of the $I file of the deleted 'Test.pdf' on Windows 10.
1. Offset 0-7: The first 8 bytes are the header of the $I file. Unlike the previous versions, it starts with a value of 02.
2. Offset 8-15: The following 8 bytes relate to the file size and denote the file size in bytes.
3. Offset 16-23: The next 8 bytes denote the deletion time of the file.
4. Offset 24-27: The next 4 bytes come as a surprise: they represent neither any file metadata nor any deletion attribute. The hex value differs from file to file. Any comments or information on these offsets are welcome and would be appreciated.
5. Offset 28-variable: At the end, the full path along with the original filename is stored. As in Windows 7, this value is dynamic and runs from offset 28 for the length of the file path and name, whereas in Windows 8.1 this field is always 520 bytes long irrespective of the file path.
The end of the file is marked by three bytes of contiguous zeros.
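To make the two layouts described above concrete, here is an added parser (not code from the original post) that decodes both the Windows 8.1 style $I file (header 01, fixed 520-byte path field from offset 24) and the Windows 10 style $I file (header 02, a 4-byte field at offset 24, then a variable-length path from offset 28). It also builds two constructed sample $I files so it runs offline; the user name, deletion timestamp and full path in those samples are assumptions, only the file name Test.pdf and its 2645 KB size come from the post. For the 4-byte field at offset 24 on Windows 10, which the post leaves open, the parser reads it as a little-endian integer and reports whether it equals the path length in UTF-16 code units including the null terminator, which is how it is commonly documented; that gives a quick consistency check to run against your own samples.

```python
"""Parse Windows Recycle Bin $I metadata files (Win 7/8.1 layout and Win 10 layout).

Added example; constructed sample input only, not real evidence.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_V1 = 1        # Windows Vista / 7 / 8.1: fixed 520-byte path field at offset 24
HEADER_V2 = 2        # Windows 10: 4-byte field at offset 24, variable path from offset 28
V1_PATH_BYTES = 520  # 260 UTF-16LE code units, i.e. MAX_PATH, as observed in the post
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_i_file(data: bytes) -> dict:
    """Decode header, size, deletion time and original path of a $I file."""
    if len(data) < 24:
        raise ValueError("too short to be a $I file")
    # offsets 0-7 header, 8-15 size, 16-23 FILETIME, all little-endian
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    result = {"version": version, "size": size,
              "deleted": filetime_to_datetime(filetime), "path_field_len": None}
    if version == HEADER_V1:
        raw = data[24:24 + V1_PATH_BYTES]
        if len(raw) != V1_PATH_BYTES:
            raise ValueError("truncated version-1 path field")
    elif version == HEADER_V2:
        if len(data) < 28:
            raise ValueError("truncated version-2 header")
        (field,) = struct.unpack_from("<I", data, 24)
        result["path_field_len"] = field
        raw = data[28:]
    else:
        raise ValueError(f"unknown $I header value {version}")
    # the path is UTF-16LE, terminated by a null code unit (and zero-padded in v1)
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    result["path"] = path
    if version == HEADER_V2:
        # commonly documented as path length in UTF-16 code units incl. terminator;
        # the post leaves this field open, so report the comparison rather than assume it
        result["field_matches_path_len"] = (result["path_field_len"] == len(path) + 1)
    return result


def build_i_file(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Construct a $I file in the requested layout (used here only to make sample input)."""
    ticks = ((deleted - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    head = struct.pack("<QQQ", version, size, ticks)
    if version == HEADER_V1:
        return head + encoded.ljust(V1_PATH_BYTES, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


def sample_i_files() -> dict:
    """Two constructed $I files for the same deleted file, one per layout."""
    deleted = datetime(2016, 3, 5, 10, 30, 0, tzinfo=timezone.utc)  # assumed timestamp
    path = r"C:\Users\Analyst\Desktop\4n6\Test.pdf"  # assumed user name; 4n6 and Test.pdf from the post
    size = 2645 * 1024  # the post's Test.pdf is 2645 KB
    return {
        "win81": build_i_file(HEADER_V1, size, deleted, path),
        "win10": build_i_file(HEADER_V2, size, deleted, path),
    }


if __name__ == "__main__":
    for label, blob in sample_i_files().items():
        info = parse_i_file(blob)
        print(f"{label}: {len(blob)} bytes, header {info['version']:02x}, "
              f"size {info['size']} bytes, deleted {info['deleted'].isoformat()}, "
              f"path {info['path']!r}, offset-24 field {info['path_field_len']}")
```

Running the script against a real $I file is a matter of `parse_i_file(open(path, "rb").read())`; the version-1 sample comes out at 544 bytes (24 + 520) and the version-2 sample at 104 bytes (28 + the 76-byte null-terminated UTF-16 path), which matches the fixed-versus-variable length difference the post describes.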
Brief overview of the deleted-file offsets in the three Windows operating systems
Even if not major, slight changes in the structure of the Recycle Bin have been observed; the differences among Windows 7, 8.1 and 10 are summarised in the table below.