When a file is moved to a trash bin it is not deleted. It still exists on the system and can easily be recovered! Also, even when the recycle bin is emptied the file is not actually deleted and we can recover it.
The Windows Recycle Bin does have a limit on what it can contain. If the Recycle Bin becomes full, it will automatically delete older files. The size of the Recycle Bin depends on the Windows version and any user quota. As you have probably experienced, Windows will not store large files in the Recycle Bin.
A hidden file is used to hold the original name and path of each deleted file. When the Recycle Bin has been emptied, this information is removed from the file. The location differs depending on the filesystem and the version of Windows used. It will also contain a unique user identifier appended to the location.
FAT: C:\RECYCLED
NTFS: C:\RECYCLER
The naming difference is on purpose, to avoid confusion between filesystem types. By default these folders are hidden, but you can unhide them if you wish.
In more recent versions of Windows (Windows 10 and newer) this location has changed to a directory "$Recycle.Bin" at the root of each drive. This will also contain a unique user identifier appended to the location.
Using PowerShell you can access the Recycling Bin directory. Recall, this is a hidden directory. To view a listing of all directories use the following command:
dir -Hidden
You will then see a directory called $RECYCLE.BIN. You can switch to this directory, but you must enclose the entire path within single quotes as follows:
cd 'C:\$Recycle.Bin'
Inside the $Recycle.Bin directory each user account has a unique directory. It is possible to access it, but we first need to figure out the username and the associated SID (Security Identifier).
PowerShell Command: wmic useraccount get 'name,sid'
$I and $R files are associated with the Recycle Bin in Windows. They are used to help manage and store information about deleted files.
$I files store metadata
$R files store the file's content
You can actually open and view the contents of $I files. $I files have a known structure:
Header (1 byte)
File Size (1 byte)
Deleted Timestamp (1 byte)
File Name Length (4 bits)
File Name (variable)
In Windows 10 and later the header field is set to 0x02, and in earlier versions it is set to 0x01.
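A $I file with the fields listed above can be decoded programmatically. The following Python parser is an added example, not code from the original page. It assumes the commonly documented on-disk widths (8-byte little-endian header, file size and FILETIME timestamp, then a 4-byte character count and a UTF-16LE path when the header is 0x02, or a fixed 520-byte path field when it is 0x01); the sample record, user name and path are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here

def parse_i_file(data: bytes) -> dict:
    """Parse the raw bytes of a $I file (field widths are this example's assumption)."""
    if len(data) < 24:
        raise ValueError("too short for header, size and timestamp")
    header, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if header == 2:  # Windows 10 and later: length-prefixed name
        if len(data) < 28:
            raise ValueError("missing file name length")
        (chars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + chars * 2]
        if len(raw) != chars * 2:
            raise ValueError("file name shorter than its stated length")
    elif header == 1:  # earlier versions: fixed 520-byte name field
        raw = data[24:544]
    else:
        raise ValueError(f"unexpected header value {header:#x}")
    try:
        deleted = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        raise ValueError("timestamp out of range") from None
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"header": header, "size": size, "deleted_utc": deleted, "original_path": path}

def build_sample(path: str, size: int, when: datetime, header: int = 2) -> bytes:
    """Build a constructed $I record for the demo; not taken from a real system."""
    ticks = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    name = (path + "\x00").encode("utf-16-le")
    fixed = struct.pack("<QQQ", header, size, ticks)
    if header == 2:
        return fixed + struct.pack("<I", len(name) // 2) + name
    return fixed + name.ljust(520, b"\x00")

if __name__ == "__main__":
    # Constructed sample values (hypothetical user and file).
    when = datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc)
    blob = build_sample(r"C:\Users\alice\Documents\report.docx", 18432, when)
    for key, value in parse_i_file(blob).items():
        print(f"{key:14} {value}")
```

To use it on an exported $I file, read the file in binary mode and pass the bytes to parse_i_file; a ValueError means the header value or lengths did not match the assumed layout.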
Before we can open an $I file we need to change to a user's directory. This can be done using the cd command. Once inside the directory, list all the files using dir. Notice the listing of files, including the ones beginning with $I. You can view a file by issuing the following command:
notepad <file name>
This will open the file in notepad for your viewing. You can also use the $I Parse Utility.
Files that start with $R (and you can see a few in the above image) are Recycle Bin data files. As previously mentioned, they store the file contents and maintain the same file extension. When a user removes a file from the Recycle Bin (decides not to delete it), the $I and $R files are used to restore the file to the original location.
When the recycle bin is emptied all $I and $R files are removed along with the files to be deleted. Let us look at this process in a bit more detail:
User decides to delete several files. They drag them to the Recycle Bin. The required $I and $R files are created.
User empties the Recycle Bin. All the $I and $R files are deleted from the Recycle Bin. Also, the original file to be deleted is removed from the system.
Space occupied by those files is now free and can be used by the file system to store files.