Recycle Bin

File Location:

Every user will have their own recycle bin.

RBCmd.exe -d F:\Tools\investigation\logs\ --csv F:\Tools\investigation\logs\logs1

Parses meta data file and outputs metadata.

Contains 2 different files. ($I $R, and 6 random characters after)
- $I1RBNY7.png < Metadata file
- $R1RBNY7.png < Actual deleted file

Delete files with SDelete.
Permanant deletion will not place file into recycle bin, it will just update MFT, USNJrnl, $I30, $Bitmap, etc.
File carving is recovering file from sequences when there is no metadata record that exists (MFT,etc).

Last updated 1 year ago