NAME
rifiuti2 - MS Windows recycle bin analysis tool
SYNOPSIS
rifiuti or rifiuti-vista [-hv]
rifiuti [-x | [-n] [-t delim]] [-z] [-l codepage] [-o outfile] filename
rifiuti-vista [-x | [-n] [-t delim]] [-z] [-o outfile] file_or_directory
DESCRIPTION
Rifiuti2 analyses recycle bin files from Windows. Analysis of the
Windows recycle bin is routinely carried out during forensic examination of
Windows computers. Rifiuti2 can extract the deletion time, original path and
size of deleted files, and whether a deleted file has been moved out of the
recycle bin (restored or permanently deleted) since it was trashed.
Rifiuti2 supports a wide range of Windows versions, from Windows 95 to
Windows 10. Which command to use depends on the version of Windows that
produced the recycle bin (not the version running on the analyst's own
system), because the on-disk format changed completely with Vista:
- rifiuti-vista
- For Vista or later, where the recycle bin is located under
\$Recycle.bin\<SID>\. Each deleted file has its own accompanying index
file that records the original path, file size and deletion time. When the
original file is permanently deleted, its index file is removed as well.
- rifiuti
- For Windows 95 to XP/2003, which use a single index file named INFO2
(98 or later) or INFO (95 and NT4) under either \RECYCLED\ (FAT16/32) or
\RECYCLER\<SID>\ (NTFS). This file keeps a record of the deletion status
and details of every deleted item, including those that have since been
permanently removed or restored.
By default, both programs print tab-delimited fields to standard output,
which can be read on screen or imported into a spreadsheet program. The
-x option makes the program emit XML-formatted output instead.
Since version 0.7.0, rifiuti2 output is always UTF-8 encoded, including
when writing to a file under Windows.
The index field has a different meaning for pre-Vista and Vista-or-later
recycle bins. In INFO2, each deleted item has an index number indicating the
chronological order of deletions. For the Vista format, it is the name of the
index file instead, which matches the pattern “$Ixxxxxx.<ext>”, where each x
is a random alphanumeric character and <ext> is the extension of the
original deleted item.
Deletion time is shown in UTC by default. In tab-delimited mode, the
date/time is presented in a format that spreadsheet programs recognise,
while XML mode uses the ISO 8601 date/time format. For example, 3PM on
Christmas Day 2014 would be represented in these two modes respectively as:
2014-12-25 15:00:00
2014-12-25T15:00:00Z
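The following is an added example, not code from rifiuti2 or from this manual: a small Python reader for a Vista-format index file that renders the deletion time both ways shown above and checks a file name against the “$Ixxxxxx.<ext>” pattern. The $I record layout it relies on (8-byte version, 8-byte size, 8-byte FILETIME, then the UTF-16LE original path, length-prefixed in the Windows 10 revision of the format) is the commonly documented one and is assumed here rather than stated on this page; the sample record, path and size are constructed for the demonstration.

```python
# Added example, not rifiuti2's own code. Reads one $I index record from
# \$Recycle.bin\<SID>\ and formats its deletion time as the manual describes.
# The layout is the commonly documented one, assumed here, not taken from the page:
#   0x00  u64 format version (1 = Vista to 8.1, 2 = Windows 10)
#   0x08  u64 original file size
#   0x10  u64 deletion time, FILETIME (100 ns ticks since 1601-01-01 UTC)
#   0x18  v1: 520 bytes UTF-16LE path, NUL padded (MAX_PATH = 260 code units)
#         v2: u32 path length in UTF-16 code units incl. NUL, then the path
import re
import struct
from datetime import datetime, timedelta, timezone, tzinfo
from typing import NamedTuple, Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
INDEX_NAME = re.compile(r"\$I[0-9A-Za-z]{6}(\.[^\\/]+)?")  # "$Ixxxxxx.<ext>"


def filetime_to_utc(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    d = dt.astimezone(timezone.utc) - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


class IndexRecord(NamedTuple):
    version: int
    size: int
    deleted_utc: datetime
    path: str


def is_index_name(name: str) -> bool:
    """True for names shaped like $IF96NJ3.rtf (six random alphanumerics)."""
    return INDEX_NAME.fullmatch(name) is not None


def parse_index_file(data: bytes) -> IndexRecord:
    """Rejects truncated records and unknown versions, the kind of failure
    rifiuti-vista reports as 'fails basic validation' (exit status 3)."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        if len(raw) != 520:
            raise ValueError("truncated version-1 path field")
    elif version == 2:
        if len(data) < 28:
            raise ValueError("truncated version-2 length field")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
        if len(raw) != 2 * nchars:
            raise ValueError("truncated version-2 path field")
    else:
        raise ValueError(f"unknown $I format version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return IndexRecord(version, size, filetime_to_utc(ft), path)


def format_tab(dt: datetime) -> str:
    """Tab-delimited mode: spreadsheet-friendly, always UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def format_iso8601(dt: datetime, tz: Optional[tzinfo] = None) -> str:
    """XML mode: trailing 'Z' for UTC (default), numeric offset when -z is used."""
    if tz is None:
        return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return dt.astimezone(tz).strftime("%Y-%m-%dT%H:%M:%S%z")


def build_index_file(version: int, size: int, deleted_utc: datetime, path: str) -> bytes:
    """Constructed fixture for the demo below; not a real recycle-bin artefact."""
    head = struct.pack("<QQQ", version, size, utc_to_filetime(deleted_utc))
    enc = path.encode("utf-16-le")
    if version == 1:
        return head + enc.ljust(520, b"\x00")
    return head + struct.pack("<I", len(enc) // 2 + 1) + enc + b"\x00\x00"


XMAS_3PM = datetime(2014, 12, 25, 15, 0, 0, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\alice\Documents\report.rtf"  # constructed

if __name__ == "__main__":
    berlin_std = timezone(timedelta(hours=1))  # CET without DST, as in the manual
    for ver in (1, 2):
        rec = parse_index_file(build_index_file(ver, 4096, XMAS_3PM, SAMPLE_PATH))
        print(ver, rec.size, format_tab(rec.deleted_utc), format_iso8601(rec.deleted_utc),
              format_iso8601(rec.deleted_utc, berlin_std), rec.path)
```

The fixed-offset zone stands in for the local zone rifiuti-vista would pick up with -z; with a real IANA zone (zoneinfo.ZoneInfo("Europe/Berlin")) the offset would follow that zone's DST rules instead of the hard-coded US rules the CAVEATS section warns about on Windows.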
File size and file path are self-explanatory, but there are some special
cases to be aware of. Refer to the CAVEATS section below for details.
OPTIONS
- -o, --output=FILE
- Write output to FILE.
- -x, --xml
- Output in XML format instead of tab-delimited values. In XML mode the
plain-text options (-n and -t) are disallowed, and the result is always
UTF-8 encoded.
- -l, --legacy-filename=CODEPAGE
- Show the legacy (8.3) file name if available (such as “D:\Progra~1\”),
decoding it with the CODEPAGE used by the Windows system that produced
this INFO2 file. Any encoding supported by iconv(1) can be used, but for
the most accurate file names stick to the Microsoft code pages (CP850 or
CP1252 for Western European versions, CP932 for Japanese, and so on).
Note: This option is mandatory if the INFO2 file was created by Windows
95, 98 or ME, since recycle bins on those systems do not contain Unicode
file names. This option does not exist in rifiuti-vista.
- -z, --localtime
- Present deletion time in the numeric time zone of the local system
running the program. By default UTC is displayed, which is the time value
actually recorded in the index files. Using the Christmas example above,
the time for Berlin (standard time, no daylight saving) would be
2014-12-25T16:00:00+0100 in ISO 8601 format.
Note: Any time zone of the user's choice can be used by setting the $TZ
environment variable, though this is not recommended. See the ENVIRONMENT
VARIABLE section below.
- -t, --delimiter=STRING
- String to use as the field delimiter (TAB by default). Besides ordinary
characters, the following escape sequences are recognised:
\r (carriage return)
\n (line feed)
\t (tab)
\e (escape)
- -n, --no-heading
- Don't show the recycle bin path name, metadata or field headers.
- -8, --always-utf8
- (Deprecated since version 0.7.0; output is now always UTF-8.)
EXAMPLES
- rifiuti-vista -x -z -o result.xml \case\S-1-2-3\
- Scan for index files under \case\S-1-2-3\, adjust all deletion times to
the local time zone, and write XML output to result.xml
- rifiuti-vista -n \case\S-1-2-3\
- Show tab-delimited result on screen without header and metadata
- rifiuti-vista -t '\r\n' \case\S-1-2-3\$IF96NJ3.rtf
- Analyse a single index file only and print each field on its own line
- rifiuti -t ',' -o result.csv INFO2
- Change the tab-delimited result to comma-delimited and write it to
result.csv
- rifiuti -l CP1255 -n INFO2
- Assuming INFO2 comes from a Hebrew version of Windows, display the 8.3
file names without header and metadata
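As an added example (not rifiuti2's own code), here is a minimal Python reader for the pre-Vista INFO2 file that shows what the -l CODEPAGE option is for, how an entry that has been restored or emptied differs from one still in the bin, and the multiple-of-512 rule of thumb from the CAVEATS section. The INFO2 layout it relies on is the commonly documented one and is assumed here rather than stated on this page; the sample file, paths and sizes are constructed for the demonstration.

```python
# Added example, not rifiuti2's own code: a minimal reader for the pre-Vista
# INFO2 file. The layout below is the commonly documented one and is an
# assumption of this example, not taken from the page (the header version
# field is not interpreted here):
#   header, 20 bytes: u32 version, u32, u32, u32 record size, u32 total size
#   record, 280 bytes (95/NT4) or 800 bytes (98 and later):
#     0x000  260 bytes legacy path in the system code page, NUL padded; the
#            first byte is zeroed once the item is restored or emptied
#     0x104  u32 index number        0x108  u32 drive number (0 = A:, 2 = C:)
#     0x10C  u64 FILETIME deletion   0x114  u32 size on disk
#     0x118  520 bytes UTF-16LE path (800-byte records only)
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER = struct.Struct("<5I")
FIELDS = struct.Struct("<IIQI")  # index, drive, FILETIME, size at offset 0x104


class Info2Record(NamedTuple):
    index: int
    deleted_utc: datetime
    size: int
    path: str                   # Unicode path if present, else the legacy path
    legacy_path: Optional[str]  # only decoded when a code page is given (-l)
    in_bin: bool                # False once restored or permanently deleted


def filetime_to_utc(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    d = dt.astimezone(timezone.utc) - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds) * 10


def parse_info2(data: bytes, codepage: Optional[str] = None) -> List[Info2Record]:
    if len(data) < HEADER.size:
        raise ValueError("INFO2 header truncated")
    _ver, _, _, rec_size, _total = HEADER.unpack_from(data, 0)
    if rec_size not in (280, 800):
        raise ValueError(f"unexpected INFO2 record size {rec_size}")
    if (len(data) - HEADER.size) % rec_size:
        raise ValueError("file is not a header plus whole records")
    if rec_size == 280 and codepage is None:
        raise ValueError("records carry no Unicode path; a code page is required")
    if codepage is not None:
        codecs.lookup(codepage)  # LookupError for an unknown encoding name
    out = []
    for off in range(HEADER.size, len(data), rec_size):
        rec = data[off:off + rec_size]
        index, drive, ft, size = FIELDS.unpack_from(rec, 0x104)
        in_bin = rec[0] != 0
        legacy = None
        if codepage is not None:
            # A zeroed first byte wipes the drive letter; rebuild it from the
            # drive number field. A wrong code page raises UnicodeDecodeError
            # or, worse, decodes silently to the wrong characters.
            raw = (rec[:260] if in_bin else rec[1:260]).split(b"\x00", 1)[0]
            text = raw.decode(codepage)
            legacy = text if in_bin else chr(ord("A") + drive) + text
        path = None
        if rec_size == 800:
            path = rec[0x118:0x118 + 520].decode("utf-16-le").split("\x00", 1)[0] or None
        path = path or legacy
        if path is None:
            raise ValueError(f"record {index}: empty Unicode path and no code page given")
        out.append(Info2Record(index, filetime_to_utc(ft), size, path, legacy, in_bin))
    return out


def sizes_look_allocated(records: List[Info2Record], unit: int = 512) -> bool:
    """CAVEATS rule of thumb: every size a multiple of 512 -> on-disk sizes."""
    return bool(records) and all(r.size % unit == 0 for r in records)


def build_info2(entries, rec_size: int = 800, codepage: str = "cp1252") -> bytes:
    """Constructed fixture for the demo, not a real INFO2 file. Each entry is
    (index, drive, deleted_utc, size, legacy_path, unicode_path, in_bin)."""
    body = b""
    for index, drive, dt, size, legacy, upath, in_bin in entries:
        field = legacy.encode(codepage).ljust(260, b"\x00")
        if not in_bin:
            field = b"\x00" + field[1:]
        rec = field + FIELDS.pack(index, drive, utc_to_filetime(dt), size)
        if rec_size == 800:
            rec += upath.encode("utf-16-le").ljust(520, b"\x00")
        body += rec
    return HEADER.pack(5, 0, 0, rec_size, HEADER.size + len(body)) + body


XMAS_3PM = datetime(2014, 12, 25, 15, 0, 0, tzinfo=timezone.utc)
SAMPLE = build_info2([  # constructed entries from a Western European (CP1252) system
    (1, 2, XMAS_3PM, 4096, r"C:\Progra~1\Café.txt", r"C:\Program Files\Café.txt", True),
    (2, 2, XMAS_3PM, 1024, r"C:\DOCUME~1\bob\old.doc", r"C:\Documents and Settings\bob\old.doc", False),
])

if __name__ == "__main__":
    recs = parse_info2(SAMPLE, "cp1252")
    for r in recs:
        print(r.index, r.deleted_utc, r.size, r.path, r.legacy_path, "in bin" if r.in_bin else "gone")
    print("sizes look allocated:", sizes_look_allocated(recs))
```

Decoding the same fixture as cp1251 turns the é of the legacy name into й without any error being raised, which is why the manual recommends the exact Microsoft code page of the source system rather than any encoding iconv happens to accept; a 280-byte-record file refuses to parse at all until a code page is given, matching the note that -l is mandatory for the oldest formats.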
ENVIRONMENT VARIABLE
The following environment variables affect execution of the programs:
- LANG / LC_MESSAGES / LC_ALL / LANGUAGE
- Listed in order of increasing precedence, these variables determine the
translation to use. They belong to the group of locale environment
variables. In general they are already set up properly on Unix-like
systems, and are unused on Windows. Please consult the documentation of
your operating system for details.
- LANG / LC_CTYPE / LC_ALL
- If a recycle bin path contains non-ASCII characters, these variables
affect how they are displayed, in a manner similar to the translation
variables described above. Modifying them is not recommended, however,
since as of version 0.7.0 rifiuti2 no longer expects any environment that
uses a non-UTF-8 encoding.
- RIFIUTI_DEBUG
- Setting it to any non-empty value causes the programs to print more
debugging output to stderr.
- TZ
- If non-empty, specifies the time zone to use when the -z option is
given. Normally the time zone is obtained from the system and there is no
need to set this variable, but it can serve as a way to temporarily
override the time zone for a particular program run, for example when
constructing a timeline of events.
The value is OS dependent. For example, for the Los Angeles time zone the
value on Windows is “PST8PDT”, while the corresponding value on Linux is
“America/Los_Angeles”. Please consult the manual for your operating
system for more information.
Please see the CAVEATS section below for problems when using this
variable.
EXIT STATUS
Both programs return 0 on success and greater than 0 if an error occurs.
In particular, rifiuti-vista exits with the last non-zero status
encountered when an error occurs in any of the index files.
- 1
- Wrong command line argument
- 2
- Error when opening file or directory
- 3
- Recycle bin data fails basic validation
- 4
- Error when writing output to file
- 5
- User supplied wrong encoding for legacy path
HISTORY
Rifiuti2 is a rewrite of rifiuti, a tool of identical purpose written by
Foundstone, which was later acquired by McAfee. Quoting from the original
Foundstone page:
Many computer crime investigations require the
reconstruction of a subject's Recycle Bin. Since this analysis technique is
executed regularly, we researched the structure of the data found in the
Recycle Bin repository files (INFO2 files). Rifiuti, the Italian word meaning
"trash", was developed to examine the contents of the INFO2 file in
the Recycle Bin. ... Rifiuti is built to work on multiple platforms and will
execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD
platforms.
However, since the original rifiuti (last updated in 2004) cannot analyse
recycle bins from any localised version of Windows (it is restricted to
English), this rewrite was started to overcome that limitation. Later,
rifiuti2 was extended with support for the Vista-format recycle bin, XML
output and other features not available in the original.
CAVEATS
In very rare circumstances (which the author can no longer reproduce), the
index file of a deleted item can be corrupt, causing an incorrect size to
be stored for the deleted file. There is no way to recover the correct size
in that case. This problem has only been observed on Vista, not on any
other version of Windows.
Non-ASCII characters in deleted item paths may not always be displayed
properly on the console. Although great care is taken to display as much
of the path name as possible (falling back to escaped hex <\XX> or
escaped Unicode <\uXXXX> for invalid or invisible characters), the font
used by the console might not be able to display every character needed.
Dumping the result to a file and opening it with a UTF-8 capable text
editor is one option.
It is always better to use UTC time whenever possible, because the local
time calculation might not be correct, especially for non-US users. The
documentation of the _tzset() function on Windows contains this statement:
The C run-time library assumes the United States' rules
for implementing the calculation of daylight saving time (DST).
Since the difference between standard time and DST is hard-coded to one
hour (which is wrong for a few regions), the reported deletion time might
be off for those regions when DST is in effect.
File size can mean either the real size of the deleted file or the space
it occupies on the filesystem (rounded up to whole clusters), depending on
the recycle bin format. As a rule of thumb, if every size in the output is
a multiple of 512, assume the sizes are the allocated (cluster) sizes.
REPORTING BUGS
Report bugs to
- https://github.com/abelcheung/rifiuti2/issues
Information about rifiuti2 can be found at
- https://abelcheung.github.io/rifiuti2/
Part of the work of rifiuti2 is derived from Rifiuti. Both pieces
of software are licensed under the simplified BSD license.
AUTHORS
The main author of rifiuti2 is Abel Cheung <abelcheung@gmail.com>
The original author of rifiuti is Keith J. Jones <keith.jones@foundstone.com>
Anthony Wong <ypwong@debian.org> helped with Debian packaging and wrote the
original manpage.