Rifiuti2 : Windows Recycle Bin Analyser

Rifiuti2 is a tool for analyzing Windows Recycle Bin INFO2 files. Analysis of the Windows Recycle Bin is usually carried out during Windows computer forensics.

Rifiuti2 can extract the deletion time, original path and size of deleted files, and whether the trashed files have been permanently removed.

Special Note For 0.7.0

  • Windows binaries will be automatically built by Appveyor and published to Github.
  • A system supporting UTF-8 encoding is mandatory, except on the Windows console (file output is also in UTF-8). This shouldn’t be problematic, as a UTF-8 locale is pretty much standard for Linux and macOS these days. On the Windows front, there are already many featureful text editors capable of opening UTF-8 Unicode text files.
  • As a result, the -8 option is obsolete and no longer affects the output in any way.


Usage

It is designed to be portable and runs in a command line environment. Depending on the relevant Windows Recycle Bin format, there are 2 binaries to choose from (most users would want the first one):

Program          Recycle bin from OS    Purpose
rifiuti-vista    Vista – Win10          Scans \$Recycle.bin style folder
rifiuti          Win95 – XP/2003        Reads INFO or INFO2 file in \RECYCLED or \RECYCLER folder

Run either program without any option for more detail. Here are some of the more frequently used options:

Option       Purpose
-o <FILE>    Output to file
-x           Output XML instead of tab-separated fields
-l <CP>      Display legacy (8.3) filenames and specify their codepage

Please consult the manpage (Unix) or README.html (bundled with the Windows binaries) for the complete list of options and a detailed usage description.

Examples

rifiuti-vista.exe -x -z -o result.xml \case\S-1-2-3\

Scan for index files under \case\S-1-2-3\, adjust all deletion times to the local time zone, and write XML output to result.xml.

rifiuti -l CP932 -t "\n" INFO2

Assume the INFO2 file was generated by a Japanese Windows (codepage 932), and display each field on its own line instead of separated by tabs.
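To make concrete what the two binaries actually read, here is an added Python parser for both record formats. It is example code written for this page, not rifiuti2's own source. The byte layouts it assumes are the commonly documented ones (a $I record: version, size, FILETIME, then the UTF-16LE path, counted in version 2; an INFO2 file: 20-byte header with the record size at offset 12, then fixed-size records holding the legacy 8.3 path, index, drive number, FILETIME, size and, on 800-byte records, a UTF-16LE path), and the sample records it builds are constructed, not real evidence. The function names (parse_dollar_i, parse_info2, build_sample_dollar_i, build_sample_info2) are this example's own. The codepage argument plays the role of -l (e.g. "cp932"), and astimezone() in main() plays the role of -z.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I<random> record from a Vista+ $Recycle.bin folder (assumed layout)."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista - Win8: fixed 520-byte NUL-padded UTF-16LE path field.
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # Win10+: 4-byte code-unit count (including the terminating NUL), then the path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "path": path}


def parse_info2(data: bytes, codepage: str = "cp1252") -> list:
    """Parse a Win95-XP INFO2 file into a list of record dicts (assumed layout).

    Record: 260-byte legacy 8.3 path in `codepage`, index (4), drive number (4, 0=A:),
    deletion FILETIME (8), size (4); 800-byte records add a 520-byte UTF-16LE path.
    A restored or emptied entry has the first byte of its legacy path zeroed while
    the rest of the record is, in practice, left in place.
    """
    rec_size = struct.unpack_from("<I", data, 12)[0]
    records, off = [], 20
    while off + rec_size <= len(data):
        rec = data[off:off + rec_size]
        index, drive = struct.unpack_from("<II", rec, 260)
        ft, size = struct.unpack_from("<QI", rec, 268)
        removed = rec[0] == 0
        legacy_bytes = rec[1:260] if removed else rec[0:260]
        legacy = legacy_bytes.split(b"\x00", 1)[0].decode(codepage, errors="replace")
        if removed:
            # Only the drive letter was overwritten; rebuild it from the drive number.
            legacy = chr(ord("A") + drive) + legacy
        unicode_path = None
        if rec_size >= 800:
            unicode_path = rec[280:800].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        records.append({"index": index, "drive": drive, "size": size,
                        "deleted_utc": filetime_to_datetime(ft),
                        "legacy_path": legacy, "path": unicode_path or legacy,
                        "permanently_removed": removed})
        off += rec_size
    return records


# Constructed sample data below; none of it comes from a real system.
DELETED_AT = datetime(2021, 3, 4, 5, 6, 7, tzinfo=timezone.utc)


def build_sample_dollar_i(version: int = 2, path: str = r"C:\Users\alice\secret.docx",
                          size: int = 1234) -> bytes:
    """Construct a version-1 or version-2 $I record."""
    ft = datetime_to_filetime(DELETED_AT)
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + encoded.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, size, ft, len(encoded) // 2) + encoded


def build_sample_info2() -> bytes:
    """Construct an XP-style INFO2 with two 800-byte records; the second was emptied."""
    def record(path: str, index: int, removed: bool) -> bytes:
        legacy = path.encode("cp1252").ljust(260, b"\x00")
        if removed:
            legacy = b"\x00" + legacy[1:]
        drive = ord(path[0].upper()) - ord("A")
        body = struct.pack("<IIQI", index, drive, datetime_to_filetime(DELETED_AT), 4096 * index)
        return legacy + body + path.encode("utf-16-le").ljust(520, b"\x00")
    header = struct.pack("<IIIII", 5, 0, 0, 800, 0)  # record size 800 at offset 12
    return header + record(r"C:\Docs\report.pdf", 1, False) + record(r"D:\tmp\old.log", 2, True)


def main() -> None:
    info = parse_dollar_i(build_sample_dollar_i())
    print(f"$I v{info['version']}: {info['path']} {info['size']} bytes, deleted "
          f"{info['deleted_utc'].astimezone():%Y-%m-%d %H:%M:%S %Z}")  # local time, like -z
    for r in parse_info2(build_sample_info2()):
        flag = "REMOVED" if r["permanently_removed"] else "in bin"
        print(f"INFO2 #{r['index']}: {r['path']} {r['size']} bytes {r['deleted_utc']} [{flag}]")


if __name__ == "__main__":
    main()
```

Pointing parse_info2 at a real INFO2 file is a matter of open(path, "rb").read(); note that deletion times come out in UTC and are only converted to local time for display, which is the same separation the -z option draws.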

Supported Platform

It has been tested on Linux, Windows 7 and FreeBSD. Some testing on big-endian platforms has been done with the Qemu emulator. More compatibility fixes for other architectures are welcome.

Download

Windows

Windows binaries are officially provided on the Github release page.

Note that version 0.6.1 is the last version that can run on Windows XP and 2003; later versions require Vista or above.

Linux

Others (Compile from source)

For operating systems where rifiuti2 is not readily available, it is always possible to compile from source.

rifiuti2 follows the usual autotools-based procedure:

./configure && make check && make install

R K
