> For the complete documentation index, see [llms.txt](https://wongkenny240.gitbook.io/computerforensics/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://wongkenny240.gitbook.io/computerforensics/incident-response-artifacts/recycle-bin.md). # Recycle Bin ![Recycle bin behavior between Windows XP, 2003 (Upper) and Windows Vista, 7 (Below)](/files/-MhN7mY6BGfLe-zbNLSs) ## \Recycler (Before Vista) When a file is placed into the Recycle Bin, Windows renames it using the following convention: ``` D . ``` * D is a fixed character and will always be present. * refers to the volume from which the file was deleted. * references a count of the number of deleted files currently tracked by the Recycle Bin. This value increments with each deleted file or folder, and is cleared when the Recycle Bin is emptied and the system rebooted. * matches the original extension of the file. Each time a new file is added to the Recycle Bin, its associated metadata is stored in a hidden file named \Recycler\INFO2. The INFO2 file tracks the following information for each file currently stored in the Recycle Bin: * Physical (not logical) file size * Date and time of deletion (stored in UTC) * Original file name and path ### Folder Windows will create a directory named \Recycler \DC#\\, where # is the current Recycle Bin index value. The original directory’s contents will be moved into this new path, but will retain their original file names and will not be tracked in the INFO2 file. ## $Recycle.Bin (Vista and After) The operating system creates two files each time a file is placed in the Recycle Bin: ``` * \$Recycle.Bin\\$I. * \$Recycle.Bin\\$R. ``` * is a six-character identifier generated for each file placed in the Recycle Bin. * **$R** file is a renamed copy of the “deleted” file, similar to the **DC# file**. * The **$I file** takes the place of **INFO2** as the source of accompanying metadata * $I file contains the **original name, path, and date and time deleted** for its associated $R file. ## NukeOnDelete ``` Microsoft\Windows\CurrentVersion\Explorer\BitBucket ``` Adding the NukeOnDelete value and setting it to 1 effectively disables the Recycle Bin, as deleted files will bypass the Recycle Bin. On Windows XP and 2003 systems, the BitBucket key is located in the Software hive file, so the setting applied to all users on the system. On Vista and Windows 7, the BitBucket key moved into the user’s hive file (NTUSER.DAT) in the following path: ``` Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{GUID} ``` ![Bypass recycle bin setting](/files/-MjDJsxu0rRpfS7x7Nnv) ## Using an EnCase Evidence Processor to Determine the Status of Recycle Bin Files * Windows Artifact Parser ![EnCase Evidence Processor](/files/-MjDL3p5JzFXCwmiwhZb) ![Select Recycle Bin Files](/files/-MjDLAB_UNRz8HkJ9diS) * After you run the EnCase Evidence Processor, you can review the results of this module by running the Case Analyzer from the EnScript menu ![](/files/-MjDLLxDmkq3Zr_gBAuE) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://wongkenny240.gitbook.io/computerforensics/incident-response-artifacts/recycle-bin.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.