
Analyzing Recycle Bin Metadata with RBCmd and $I_Parse

Updated: Jan 31

When investigating deleted files on a Windows system, analyzing the Recycle Bin metadata can provide crucial insights. In this guide, we’ll look at how to use Eric Zimmerman’s RBCmd.exe and another tool called $I_Parse.exe to extract and analyze deleted file information.


Understanding Recycle Bin Metadata

Windows keeps metadata for deleted files in different formats depending on the version of the operating system:


  • INFO2 files (used in Windows XP)

  • $I files (used in Windows Vista and later)


These metadata files store details such as:

  • Original file name

  • Path before deletion

  • Deletion timestamp

  • File size
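As an added example, not code from the page or from RBCmd/$I_Parse, the following parser reads the Vista-and-later $I layout these tools decode: an 8-byte header version, the 8-byte file size, the 8-byte FILETIME deletion timestamp, then the original path (fixed 520-byte field in version 1 for Vista through 8.1; length-prefixed in version 2 for Windows 10 and later). The records it parses are constructed in the block itself, with a hypothetical path, so nothing here comes from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a Windows FILETIME value to a timezone-aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_i_file(data: bytes) -> dict:
    """Parse one $I record (Vista+). Returns version, size, deletion time, original path."""
    if len(data) < 24:
        raise ValueError("too short to be a $I record")
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista - 8.1: 260 UTF-16LE characters (520 bytes), NUL padded
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # Windows 10+: 4-byte character count (incl. terminator), then the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I header version {version}")
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ticks), "path": path}


def build_i_file(version: int, size: int, deleted: datetime, path: str) -> bytes:
    """Build a synthetic $I record for testing (constructed data, not a real artifact)."""
    delta = deleted - _FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    header = struct.pack("<QQQ", version, size, ticks)
    encoded = path.encode("utf-16-le") + b"\x00\x00"  # NUL-terminated UTF-16LE
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


# Constructed sample records; the path is hypothetical
DELETED_AT = datetime(2024, 1, 31, 14, 5, 9, tzinfo=timezone.utc)
SAMPLE_PATH = r"C:\Users\example\Downloads\report.pdf"
SAMPLE_V1 = build_i_file(1, 123456, DELETED_AT, SAMPLE_PATH)
SAMPLE_V2 = build_i_file(2, 123456, DELETED_AT, SAMPLE_PATH)

if __name__ == "__main__":
    for rec in (SAMPLE_V1, SAMPLE_V2):
        print(parse_i_file(rec))
```

Pointing parse_i_file at the bytes of a real $I file gives the same fields RBCmd reports, which is a useful cross-check when a tool's output looks suspicious.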


Using RBCmd.exe for Analysis

RBCmd.exe is a command-line utility created by Eric Zimmerman that can parse Recycle Bin metadata from both XP and modern Windows systems.


Parsing a Single File

To analyze a specific $I file, run the following command:

RBCmd.exe -f "C:\$Recycle.Bin\S-1-5-21-1094574232-2158178848-303877012-1001\$IZZOXEO.pdf"

Parsing an Entire Directory

If you need to analyze all $I files in a folder, use the -d option:


RBCmd.exe -d "C:\$Recycle.Bin\S-1-5-21-1094574232-2158178848-303877012-1001" --csv C:\Users\Akash's\Downloads


This will parse all $I files in the specified directory and save the results in a CSV file.


Output: (screenshot of the RBCmd.exe results, not reproduced here)

Collecting Recycle Bin Artifacts with KAPE

KAPE (Kroll Artifact Parser and Extractor) is a powerful tool that can collect forensic artifacts, including Recycle Bin metadata files.


Steps to Collect Recycle Bin Artifacts Using KAPE:

  1. Open KAPE.

  2. Select the Target Module for Recycle Bin collection.

  3. Specify the output folder where the extracted files should be saved.

  4. Run KAPE.


Once collected, you can use RBCmd.exe or $I_Parse.exe to analyze the extracted data.

Using $I_Parse.exe

Another useful tool for parsing Recycle Bin metadata is $I_Parse.exe. While its usage is similar to RBCmd, it provides an alternative way to extract and analyze metadata from deleted files.


Example


The tool is very simple to use: specify the directory where you collected the artifacts and the destination folder, then click Parse.


Output: (screenshot of the $I_Parse.exe results, not reproduced here)

Conclusion

Analyzing Recycle Bin metadata is a crucial step in digital forensics. Using RBCmd.exe and $I_Parse.exe, you can quickly extract valuable information about deleted files. Additionally, KAPE simplifies the collection of these artifacts, making your forensic workflow more efficient.

Dean


