Commands: Locate Recycle Bin in cmd
View hidden files: Use the command DIR /ah to display hidden files, including those in the recycle bin.
Get user account information: Use wmic useraccount get name,sid to retrieve information about all user accounts and their corresponding SID (Security Identifier) IDs.
Navigate to a specific SID: Move to a particular SID value using the command cd SID, where SID represents the Security Identifier of the user whose recycle bin is being analyzed.
Once you are in SID directory.
Copy the artifact using below command
copy "C:\$Recycle.Bin\<S-1-5-21>\*" C:\Users\User\Downloads\recycle"
Do same for All SID users recycle bin. Take it Home for further analyses.
Tool:
Tool is very simple to use mention directory where you collected artifact and destination and click parse.
Conclusion:
Understanding the structure and contents of the recycle bin, along with effective parsing techniques, enables forensic analysts to reconstruct file deletion events, recover deleted files, and gain insights into user activities and behavior on the Windows system.
Comments