Phill recently posted regarding some testing that he’d conducted, with respect to tools for parsing Windows Recycle Bin files. From Phill’s blog post, and follow-on exchanges via Twitter, it seems that Phill tested the following tools (I’m assuming these are the versions tested):
– Jason Hale’s $I Parse – blog posts here and here
– Dan Mare’s RECYCLED_I app – the main software page states “RECYCLED_I: Program to parse the $I files extracted via a forensic software package. Special request.”, but you can download it (and get syntax/usage) from here.
– My own recbin.pl/.exe
What I was able to determine after the fact is that the “needs” of a parsing tool were:
– parse Recycle Bin files from XP/2003 systems (INFO2), as well as Win7 & Win10 ($I*)
– for Win7/10, be able to parse all $I* files in a folder.
The results from the testing were (summarized):
– Some tools didn’t do everything; some don’t parse both XP- and Win7-style Recycle Bin files, and the initial versions of the tool I wrote parsed but did not display file sizes (it does now)
– The tool I wrote can optionally display tabular, CSV, and TLN output
– Eric’s RBCmd parses all file types, including directories of $I* files; from the tweet thread, it appears that RBCmd displays tabular and CSV output
– rifiuti2 was the fastest
So, if you’re looking to parse Recycle Bin index files (either INFO2 or $I* format)…there you go.
$I* File Structures
As Jason Hale pointed out over 2 1/2 years ago, the $I* file structure changed between Win7 and Win10. Most of the values are in the same location (the version number in the first four bytes was updated from 1 to 2), but where Win7 used a fixed-length field containing the name and original path of the file (in Unicode), Win10 and Win2016 have a four-byte name length field, followed by the file path and name, in Unicode.
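As an added example (not code from Phill's tests or from any of the tools above), here is a small Python parser that handles both $I* layouts described here, plus a helper that walks a folder of $I* files. The field sizes beyond what the post states (8-byte size and FILETIME fields, a 520-byte Win7 path field, and a Win10 length that counts UTF-16 characters including the terminating null) are my assumptions, and the two sample records are constructed, not real evidence.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 24          # 8-byte version + 8-byte original size + 8-byte deletion FILETIME
V1_PATH_FIELD_LEN = 520  # Win7 (v1): fixed MAX_PATH (260) UTF-16LE code units, null padded

def filetime_to_datetime(ft):
    # FILETIME is 100 ns ticks since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_dollar_i(data):
    """Return the fields of one $I record (Win7 v1 or Win10 v2 layout)."""
    if len(data) < HEADER_LEN:
        raise ValueError("$I record shorter than its 24-byte header")
    version, size, deleted = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[HEADER_LEN:HEADER_LEN + V1_PATH_FIELD_LEN]
        if len(raw) != V1_PATH_FIELD_LEN:
            raise ValueError("truncated Win7 $I path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        # Win10: 4-byte character count (assumed to include the terminating null), then the path
        (nchars,) = struct.unpack_from("<I", data, HEADER_LEN)
        raw = data[HEADER_LEN + 4:HEADER_LEN + 4 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated Win10 $I path field")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(deleted), "path": path}

def parse_recycle_bin_dir(folder):
    """Parse every $I* file in a folder (e.g. an exported $Recycle.Bin\\<SID> directory)."""
    return {p.name: parse_dollar_i(p.read_bytes()) for p in sorted(Path(folder).glob("$I*"))}

# Constructed samples (not real evidence): the same deletion written in both layouts.
def _filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000
_PATH = r"C:\Users\test\Documents\notes.txt"
_WHEN = _filetime(datetime(2017, 1, 1, tzinfo=timezone.utc))
SAMPLE_V1 = struct.pack("<QQQ", 1, 1234, _WHEN) + _PATH.encode("utf-16-le").ljust(V1_PATH_FIELD_LEN, b"\x00")
SAMPLE_V2 = struct.pack("<QQQI", 2, 1234, _WHEN, len(_PATH) + 1) + (_PATH + "\x00").encode("utf-16-le")

if __name__ == "__main__":
    for name, blob in (("$IAAAAAA.txt", SAMPLE_V1), ("$IBBBBBB.txt", SAMPLE_V2)):
        print(name, parse_dollar_i(blob))
```

A Win7 record that parses as v1 should be exactly 544 bytes; a shorter or longer file is a sign of truncation or of a misidentified layout, which is why the length checks raise instead of guessing.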