The Hidden Forensics of the Windows Recycling Bin: Understanding the I and R Numbers and How They Work
The Recycling Bin is a well-known feature of Windows that acts as temporary storage for deleted files. Less well known is that it is also a valuable forensic artifact in both normal and malicious use. In this blog post we explore the Recycling Bin as a forensic artifact: the connection between the "$I" and "$R" values recorded in the Master File Table (MFT), its normal and malicious use cases, how to permanently delete files so they skip the Recycling Bin, and how to configure the Recycling Bin in the registry.
File System Bin
$I####### - IndexFile Format
UInt8 (Bytes)
0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // Header (0x02, 8 bytes)
0xFA, 0xB3, 0x33, 0x00, 0x00, 0x00, 0x00, 0x00, // Size in bytes (3,388,410)
0xC0, 0x0D, 0xEF, 0x6D, 0x3C, 0x3B, 0xD9, 0x01, // Deletion date (64-bit FILETIME)
0x3E, 0x00, 0x00, 0x00, // String path length in characters (62)
0x43, 0x00, 0x3A, 0x00, // <String Path> ("C:" in UTF-16LE) + 3x bytes of 0x00
0x~~ // The remaining path
File Size Header
The image below shows the file size in bytes, stored little-endian in the second set of 8 bytes.
Date Header
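As an added example (not code from this post), the following Python parses a $I index file laid out as in the listing above: the 8-byte header, the little-endian 64-bit size, the 64-bit FILETIME deletion stamp and the length-prefixed UTF-16LE path. The sample record is rebuilt from the post's bytes (header 0x02, size 3,388,410, the deletion timestamp, path length 0x3E); the path text is constructed for the example, and the Vista to 8.1 fixed-length variant the parser also accepts is general format knowledge, not something the post covers.

```python
"""Parse a Windows Recycle Bin $I (index) file.

Added example for this post, not code from the original article. The
sample record is rebuilt from the byte listing in the post (header 0x02,
size 3,388,410, the 64-bit deletion timestamp, path length 0x3E); the
path text is constructed for the example.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed original path: 61 characters, so 62 (0x3E) with the UTF-16 terminator.
SAMPLE_PATH = r"C:\Users\labuser\Documents\constructed_sample_evidence_v1.zip"


@dataclass
class RecycleIndex:
    version: int          # 1 = Vista..8.1 layout, 2 = Windows 10+ layout
    original_size: int    # size of the recycled file in bytes
    deleted: datetime     # deletion timestamp, UTC
    original_path: str    # where the file lived before deletion


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_index_file(data: bytes) -> RecycleIndex:
    """Decode a $I record; raises ValueError on an unknown header version."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 2:
        # Windows 10+: 4-byte path length in UTF-16 code units, terminator included.
        (n_chars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + n_chars * 2]
    elif version == 1:
        # Vista..8.1 (assumption from the general $I format, not in the post):
        # fixed 520-byte path field (260 UTF-16 code units), NUL padded.
        raw = data[24:24 + 520]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return RecycleIndex(version, size, filetime_to_datetime(ft), path)


def companion_r_name(i_name: str) -> str:
    """The $R file holding the content shares the $I file's name suffix."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


def build_sample_index() -> bytes:
    """Rebuild the record from the post's listing plus the constructed path."""
    header = bytes.fromhex("02 00 00 00 00 00 00 00")   # version 2
    size = bytes.fromhex("FA B3 33 00 00 00 00 00")     # 3,388,410 bytes
    date = bytes.fromhex("C0 0D EF 6D 3C 3B D9 01")     # FILETIME, little-endian
    length = struct.pack("<I", len(SAMPLE_PATH) + 1)    # 0x3E = 62
    path = (SAMPLE_PATH + "\x00").encode("utf-16-le")
    return header + size + date + length + path


if __name__ == "__main__":
    rec = parse_index_file(build_sample_index())
    print(f"version        : {rec.version}")
    print(f"original size  : {rec.original_size:,} bytes")
    print(f"deleted (UTC)  : {rec.deleted.isoformat()}")
    print(f"original path  : {rec.original_path}")
    # '$IXXXXXX.zip' is a placeholder name, not taken from a real system.
    print(f"content file   : {companion_r_name('$IXXXXXX.zip')}")
```

Run against a real $I file by replacing `build_sample_index()` with the file's bytes; the timestamp from the post's bytes decodes to 2023-02-07 21:37:51 UTC, which is how an examiner ties a recycled file to a time window.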
MFT
The $I and $R numbers associated with files in the Recycling Bin are determined by the Master File Table (MFT) in Windows. The MFT is a database that records every file and folder on the volume, including where each file's data is located on disk and metadata such as the creation, modification and last-access timestamps.
When a file is deleted in Windows, its information is not immediately removed from the MFT. Instead, the file's MFT entry is marked as deleted and the space the file occupied on disk is made available for reuse. The information about the file remains in the MFT, which is what allows it to be recovered if necessary.
The $I and $R numbers associated with a file in the Recycling Bin are generated by the operating system to identify the file in the MFT. The $I number is a unique identifier assigned to each file by the operating system, and the $R number indicates that the file has been "recycled" and now sits in the Recycling Bin. Together, the $I and $R numbers let the operating system quickly locate the file in the MFT and manage it as a deleted file in the Recycling Bin.
In a normal use case, the Recycling Bin is a safety mechanism that lets users recover accidentally deleted files. If a file is recovered from the Recycling Bin, its "$I" value remains while the "$R" file is moved and renamed back to its original location.
However, the Recycling Bin can also be used maliciously by attackers to stage files prior to exfiltration. For example, an attacker may copy sensitive files into the Recycling Bin to avoid detection by security tools and extract them later. In such cases the Recycling Bin is a valuable source of evidence for forensic investigators, as it can reveal malicious files that were "deleted" in an attempt to cover the attacker's tracks.
To permanently delete files and skip the Recycling Bin, use the "Shift + Delete" keyboard shortcut. This bypasses the Recycling Bin and deletes the file directly from the file system, leaving no trace of it in the Recycling Bin. This is useful for users who want to ensure that sensitive or confidential information is removed from their systems.
Registry
The Recycling Bin can also be configured in the registry, allowing users to change its behavior. For example, users can increase the size of the Recycling Bin, change how long files are kept before being automatically deleted, or disable the Recycling Bin altogether.
To change the Recycling Bin in the registry, navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
From there, modify the "Volume" "MaxCapacity" value to change the size of the Recycling Bin, or "NukeOnDelete" to disable the Recycling Bin altogether. If "NukeOnDelete" is set to 1, deleted files are removed immediately instead of being recycled.
The per-volume setting (the Volume/VolumeGUID subkey under BitBucket) is expressed in megabytes (MB). The amount of space allocated to the Recycling Bin for each drive is determined by the "Volume" "MaxCapacity" registry value. When the Recycling Bin reaches its maximum size, it automatically deletes the oldest files to free up space for newly deleted files.
For example, if the "Volume" "MaxCapacity" registry value for a drive is 1048576 (1 MB), the Recycling Bin for that drive has a maximum size of 1 MB. As it fills with deleted files, it automatically deletes the oldest files until its size is below 1 MB.
Note that the "Volume" "MaxCapacity" value can be adjusted to change the maximum size of the Recycling Bin: increasing it allocates more space, allowing more deleted files to be stored, while decreasing it limits the amount of space the Recycling Bin uses.
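The two values discussed above are also what an examiner checks when a system's Recycling Bin turns out to be unexpectedly empty. As an added example (not code from this post), the Python below triages the BitBucket settings offline from the output of `reg query <key> /s` saved from a system or mounted image; Python is used so the page's examples stay in one language. The sample output is constructed in the `reg query` layout, the volume GUIDs are placeholders, and MaxCapacity is read as megabytes as the post states.

```python
"""Offline triage of Recycle Bin settings from exported registry output.

Added example for this post, not code from the original article. The text
below is a constructed sample in the layout of `reg query <key> /s`; the
volume GUIDs are placeholders. MaxCapacity is interpreted as megabytes,
as the post states.
"""
import re

BITBUCKET_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket"

# Constructed sample: two volumes, the second configured to bypass the bin.
SAMPLE_REG_QUERY = BITBUCKET_KEY + r"""\Volume\{00000000-0000-0000-0000-000000000001}
    MaxCapacity    REG_DWORD    0x1e45
    NukeOnDelete    REG_DWORD    0x0

""" + BITBUCKET_KEY + r"""\Volume\{00000000-0000-0000-0000-000000000002}
    MaxCapacity    REG_DWORD    0x64
    NukeOnDelete    REG_DWORD    0x1
"""

# A key line names the per-volume subkey; value lines are indented name/type/data.
KEY_RE = re.compile(r"^HK[A-Z_]+\\.*\\BitBucket\\Volume\\(\{[0-9A-Fa-f-]+\})\s*$")
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_(DWORD|SZ|EXPAND_SZ)\s+(.+?)\s*$")


def parse_bitbucket(text: str) -> dict:
    """Map each Volume GUID to a {value name: value} dictionary."""
    volumes, current = {}, None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            volumes.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name, kind, raw = val.groups()
            # reg query prints DWORDs as 0x-prefixed hex; int(..., 16) accepts that.
            volumes[current][name] = int(raw, 16) if kind == "DWORD" else raw
    return volumes


def assess_volume(values: dict) -> dict:
    """Interpret MaxCapacity (MB) and NukeOnDelete for one volume."""
    bypass = values.get("NukeOnDelete", 0) == 1
    cap_mb = values.get("MaxCapacity")
    if bypass:
        note = "NukeOnDelete=1: deletions are immediate, nothing is recycled"
    else:
        note = f"oldest recycled files are evicted once the bin exceeds {cap_mb} MB"
    return {"bypasses_bin": bypass, "max_capacity_mb": cap_mb, "note": note}


def volumes_bypassing_bin(text: str) -> list:
    """GUIDs whose Recycling Bin is disabled: the first thing to check when
    the bin on disk is unexpectedly empty during an investigation."""
    return [guid for guid, vals in parse_bitbucket(text).items()
            if assess_volume(vals)["bypasses_bin"]]


if __name__ == "__main__":
    for guid, vals in parse_bitbucket(SAMPLE_REG_QUERY).items():
        report = assess_volume(vals)
        print(f"{guid}: MaxCapacity={report['max_capacity_mb']} MB; {report['note']}")
    print("volumes bypassing the bin:", volumes_bypassing_bin(SAMPLE_REG_QUERY))
```

Feed it the saved `reg query` text instead of the constructed sample; a volume reported as bypassing the bin explains why no $I/$R pairs exist for it and shifts the investigation to the MFT and other deletion artifacts.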
Conclusion
In conclusion, the Recycling Bin is an important forensic artifact in Windows that plays a critical role in file recovery and management. When a file is deleted in Windows, it is not immediately erased from the system but moved to the Recycling Bin, where it can be recovered if necessary. The Master File Table (MFT) stores information about every file and folder on the system, including the $I and $R numbers associated with each file in the Recycling Bin. These numbers help the operating system identify and manage deleted files and let users recover them quickly. The size of the Recycling Bin can be adjusted through the "Volume" "MaxCapacity" registry value, and files can be permanently deleted with the Shift + Delete key combination. Understanding the Recycling Bin and how it works matters for anyone working with Windows, as it provides valuable information in both normal use cases and malicious scenarios.
https://www.sans.org/posters/windows-forensic-analysis/