Rifiuti2 – Windows Recycle Bin Analysis Tool

Rifiuti2 analyses recycle bin files from Windows. Analysis of the Windows recycle bin is usually carried out during Windows computer forensics. Rifiuti2 can extract the deletion time, original path and size of deleted files. For older versions of Windows, it can also check whether deleted items are no longer in the recycle bin (that is, either restored or permanently purged).


It is a rewrite of rifiuti, which was originally written by FoundStone folks for the same purpose. It was then extended to cover more functionality, such as:

  • Handles oldest (Win95) to newest (Win 10 and Server 2019) recycle bin format
    • Windows 95 – 2003 uses a single index file named INFO or INFO2
    • Vista or above uses one index file for each deleted item
  • 64-bit file size support
  • Supports all localized versions of Windows — both Unicode-based ones and legacy ones (using ANSI code page)
  • Supports output in XML format as well as original tab-delimited text
  • Obscure features such as recycle bin on network share (\\server\share_name)
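
What one of the per-item index files from Vista or above carries, shown as an added example (not rifiuti2's code and not from the original post). It assumes the commonly documented `$I` record layout: a 24-byte little-endian header (version, 64-bit size, FILETIME deletion time) followed by a fixed 520-byte UTF-16 path in version 1, or a 4-byte character count and the path in version 2. The function names and the sample record are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER = struct.Struct("<QQQ")  # version, original size, deletion FILETIME
V1_PATH_BYTES = 520             # assumed fixed field: 260 UTF-16 code units


def parse_index_record(data: bytes) -> dict:
    """Parse one per-item index record (assumed layout, see lead-in)."""
    if len(data) < HEADER.size:
        raise ValueError("record shorter than 24-byte header")
    version, size, filetime = HEADER.unpack_from(data, 0)
    offset = HEADER.size
    if version == 1:
        nbytes = V1_PATH_BYTES
    elif version == 2:
        if len(data) < offset + 4:
            raise ValueError("missing version 2 path length")
        nbytes = struct.unpack_from("<I", data, offset)[0] * 2
        offset += 4
    else:
        raise ValueError(f"unknown index version {version}")
    raw = data[offset:offset + nbytes]
    if len(raw) < nbytes:
        raise ValueError("truncated path field")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"version": version, "size": size, "deleted_utc": deleted, "path": path}


def build_sample(version: int, size: int, filetime: int, path: str) -> bytes:
    """Constructed sample record, so the example runs without evidence files."""
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return HEADER.pack(1, size, filetime) + encoded.ljust(V1_PATH_BYTES, b"\x00")
    return HEADER.pack(2, size, filetime) + struct.pack("<I", len(encoded) // 2) + encoded


if __name__ == "__main__":
    # Constructed values: a 5 GiB file deleted at 2020-01-01 00:00:00 UTC.
    ft = 132223104000000000
    for ver in (1, 2):
        rec = parse_index_record(build_sample(ver, 5 * 2**30, ft, r"C:\Users\test\big.iso"))
        print(rec["version"], rec["size"], rec["deleted_utc"].isoformat(), rec["path"])
```

The 5 GiB sample size does not fit in 32 bits, which is why the 64-bit size field matters when reading these records.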

New features included with the latest release 0.7.0 are:

  • Support recycle bin from jurassic Windows: 95, NT4, ME
  • Verified to work for recycle bin on network shared folder using UNC path (such a thing is rare but does exist)
  • Display timezone in tab-delimited output header
  • Guess Windows version based on recycle bin artifacts
  • Distributed Windows binaries:
    • Copes better with Windows ACL, detecting folder with insufficient permissions
    • Attempts to detect Windows locale setting and automatically determine translation to use

You can read more and download this tool over here: https://github.com/abelcheung/rifiuti2
