RIFIUTI2(1)	     MS	Windows	recycle	bin analysis tool	   RIFIUTI2(1)

NAME
       rifiuti2 - MS Windows recycle bin analysis tool

SYNOPSIS
       rifiuti or rifiuti-vista [-hv]

       rifiuti [-x | [-n] [-t delim]] [-z] [-l codepage] [-o outfile] filename

       rifiuti-vista [-x | [-n] [-t delim]] [-z] [-o outfile] file_or_directory

DESCRIPTION
       Rifiuti2 analyses recycle bin files from Windows.  Analysis of the
       Windows recycle bin is usually carried out during Windows computer
       forensics.  Rifiuti2 can extract the deletion time, original path and
       size of deleted files, and whether the deleted files have been moved
       out of the recycle bin since they were trashed.

       Rifiuti2 supports a wide range of Windows versions, from Windows 95 to
       Windows 10.  The command used for analysis depends on the version of
       Windows that produced the recycle bin (not the version of the user's
       own system!), since the on-disk format differs vastly before and after
       Vista:

       rifiuti-vista
              For Vista or later, where the recycle bin is located in
              \$Recycle.bin\<SID>\.  Each deleted file has its own
              accompanying index file recording the original path, file size
              and deletion time.  If the original file is permanently
              deleted, so is the index file.

       rifiuti
              For Windows 95 to XP/2003, which use a single index file named
              INFO2 (98 or above) or INFO (95 and NT4) under either \RECYCLED\
              (FAT 16/32) or \RECYCLER\<SID>\ (NTFS).  This file keeps a
              record of deletion status and info for all deleted items,
              including those permanently removed or restored.

       By default, both programs dump tab-delimited fields to standard output,
       which can be viewed on screen or imported into a spreadsheet program.
       The -x option instructs the program to dump XML-formatted content
       instead.

       Since version 0.7.0, rifiuti2 output is in UTF-8 encoding only,
       including when writing to a file under Windows.

       The Index field has a different meaning for pre-Vista and post-Vista
       versions.  In INFO2, each deleted item has an index number indicating
       the chronological order of items.  For the Vista format, it means the
       index file name instead, which matches the pattern "$Ixxxxxx.<ext>",
       where x is a random alphanumeric character and <ext> matches the
       extension of the original deleted item.

       Deletion time is represented in UTC by default.  In tab-delimited
       mode, the date/time is presented in a format recognised by spreadsheet
       programs, while in XML mode the ISO 8601 date/time format is used.
       For example, 3PM on Christmas Day 2014 would be represented in these
       two modes respectively as:
	      2014-12-25 15:00:00
	      2014-12-25T15:00:00Z

       File size and file path are self-explanatory, but there are some
       special issues to take care of.  Refer to the CAVEATS section below
       for more detail.
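       The following is an added example, not code from rifiuti2 or from this
       manual page: a small Python parser for one Vista-style $I index record
       that renders the deletion time the way the tab-delimited and XML modes
       above do, in UTC and with a fixed -z style offset.  The 544-byte record
       layout (8-byte version, 8-byte size, 8-byte FILETIME, 520-byte UTF-16LE
       path) is the documented Vista/7 format and is assumed here; the sample
       record, its path and its size are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 UTC; this is the tick offset to the Unix epoch.
EPOCH_DIFF_TICKS = 116_444_736_000_000_000
RECORD_V1_LEN = 544  # 3 x 8-byte fields + 520-byte fixed-size path buffer (assumed v1 layout)

def filetime_to_datetime(ticks):
    """Convert a Windows FILETIME (100 ns ticks) to a timezone-aware UTC datetime."""
    seconds, rem = divmod(ticks - EPOCH_DIFF_TICKS, 10_000_000)
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=rem // 10)

def datetime_to_filetime(dt):
    """Inverse of the above; used only to build the constructed sample record."""
    return int(dt.timestamp()) * 10_000_000 + EPOCH_DIFF_TICKS

def parse_index_v1(data):
    """Parse a version-1 $I record (Vista/7/8) using the layout assumed in the lead-in.
    Raises ValueError when the record fails basic validation (cf. exit status 3)."""
    if len(data) != RECORD_V1_LEN:
        raise ValueError("version-1 $I record must be exactly %d bytes" % RECORD_V1_LEN)
    version, size, ftime = struct.unpack_from("<QQQ", data, 0)
    if version != 1:
        raise ValueError("unsupported $I version %d" % version)
    # Path buffer holds 260 UTF-16 code units, NUL padded; keep the text before the first NUL.
    path = data[24:].decode("utf-16-le").split("\x00", 1)[0]
    return {"size": size, "deleted": filetime_to_datetime(ftime), "path": path}

def format_deleted(dt, xml=False, offset_hours=None):
    """Render a deletion time as the tab-delimited (default) or XML (-x) mode does.
    offset_hours imitates -z with a fixed numeric zone, e.g. 1 for Berlin without DST."""
    if offset_hours is not None:
        dt = dt.astimezone(timezone(timedelta(hours=offset_hours)))
    if xml:
        # ISO 8601: "Z" for UTC, numeric "+HHMM" offset otherwise
        return dt.strftime("%Y-%m-%dT%H:%M:%SZ" if offset_hours is None else "%Y-%m-%dT%H:%M:%S%z")
    return dt.strftime("%Y-%m-%d %H:%M:%S")

def build_sample_record():
    """Constructed sample: report.docx, 4096 bytes, deleted 3PM on Christmas Day 2014 (UTC)."""
    deleted = datetime(2014, 12, 25, 15, 0, 0, tzinfo=timezone.utc)
    path = "C:\\Users\\alice\\Documents\\report.docx".encode("utf-16-le")
    return struct.pack("<QQQ", 1, 4096, datetime_to_filetime(deleted)) + path.ljust(520, b"\x00")

if __name__ == "__main__":
    rec = parse_index_v1(build_sample_record())
    print("\t".join([format_deleted(rec["deleted"]), str(rec["size"]), rec["path"]]))
```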

OPTIONS
       -o, --output=FILE
	      Write output to FILE.

       -x, --xml
              Output in XML format instead of tab-delimited values.  In XML
              mode, all plain text options are disallowed, and the result is
              always in UTF-8 encoding.  See below for plain text options.

       -l, --legacy-filename=CODEPAGE
              Show the legacy filename if available (like "D:\Progra~1\"),
              and specify the CODEPAGE used by the Windows system that
              produced this INFO2 file.  Any encoding supported by iconv(1)
              can be used, though for maximum accuracy of file name results
              it is better to stick with Microsoft codepages (such as CP850
              or CP1252 for west European versions, CP932 for Japanese,
              etc).

              Note: This option is mandatory if the INFO2 file was created by
              Windows 95, 98 or ME, since recycle bins under these OS don't
              contain Unicode file names.  This option does not exist in
              rifiuti-vista.

       -z, --localtime
              Present deletion time in the numeric time zone of the local
              system running the program.  By default, UTC time is displayed,
              which is the time value recorded in index files.  Using the
              Christmas example above, the time for Berlin (without daylight
              saving time) would be 2014-12-25T16:00:00+0100 in ISO 8601
              format.

              Note: It is possible to use any timezone of the user's choice
              by setting the $TZ environment variable, though this is not
              recommended.  See the ENVIRONMENT VARIABLES section below.

   PLAIN TEXT OUTPUT OPTIONS
       -t, --delimiter=STRING
              String to use as delimiter (TAB by default).  Other than normal
              characters, several escape sequences are also recognised:
              \r (carriage return)
              \n (line feed)
              \t (tab)
              \e (escape)

       -n, --no-heading
              Don't show recycle bin path name, metadata and field headers.

       -8, --always-utf8
	      (Option deprecated since 0.7.0 version)

   MISCELLANEOUS OPTIONS
       -v, --version
              Print version information and exit.

       -h, --help
              Show help options and exit.

       --help-all
              Show all help options and exit.

       --help-text
	      Show plain text output options and exit.

EXAMPLES
       rifiuti-vista -x -z -o result.xml \case\S-1-2-3\
              Scan for index files under \case\S-1-2-3\, adjust all deletion
              times to the local time zone, and write XML output to
              result.xml

       rifiuti-vista -n \case\S-1-2-3\
              Show tab-delimited result on screen without header and metadata

       rifiuti-vista -t '\r\n' \case\S-1-2-3\$IF96NJ3.rtf
              Only analyse a single index file and print each field on its
              own line

       rifiuti -t ',' -o result.csv INFO2
              Change tab-delimited result to comma-delimited and write to
              result.csv

       rifiuti -l CP1255 -n INFO2
              Assuming an INFO2 file from the Hebrew version of Windows,
              display 8.3 file names without header and metadata

ENVIRONMENT VARIABLES
       The following environment variables affect execution of the programs:

       LANG / LC_MESSAGES / LC_ALL / LANGUAGE
              Listed in order of increasing importance, these variables
              determine the translation to use.  They belong to the group of
              locale environment variables.  In general, these variables are
              already properly set up on Unix-like systems, while they are
              unused on Windows.  Please consult the relevant documentation
              of your operating system for more detail.

       LANG / LC_CTYPE / LC_ALL
              If the recycle bin path contains non-ASCII characters, these
              variables affect how they are displayed, in a manner similar to
              the translation-related variables described above.  However it
              is not recommended to modify them, since from version 0.7.0
              rifiuti2 no longer expects any environment using a non-UTF-8
              encoding.

       RIFIUTI_DEBUG
              Setting it to any non-empty value causes the programs to print
              more debugging output to stderr.

       TZ
              If non-empty, indicates a user-specified time zone when the -z
              option is used.  Normally the time zone information is obtained
              from the system and there is no need to set this variable.
              However, it can be used as a facility to temporarily override
              the timezone for some programs, which is useful for situations
              like constructing a timeline of events.

              This value is OS dependent.  For example, for the Los Angeles
              timezone, the value for Windows is "PST8PDT", while the
              corresponding value on Linux would be "America/Los_Angeles".
              Please consult the manual for your operating system for more
              info.

              Please see the CAVEATS section below for problems when using
              this variable.

EXIT STATUS
       Both programs return 0 on success, and greater than 0 if an error
       occurs.

       In particular, rifiuti-vista exits with the latest non-zero status
       when an error is encountered in any of the index files.

       1      Wrong command line argument

       2      Error when opening file or directory

       3      Recycle bin data fails basic validation

       4      Error when writing output to file

       5      User supplied wrong encoding for legacy path

HISTORY
       Rifiuti2 is a rewrite of rifiuti, a tool of identical purpose written
       by Foundstone, which was later purchased by McAfee.  Quoting from the
       original FoundStone page:

              Many computer crime investigations require the reconstruction of
              a subject's Recycle Bin.  Since this analysis technique is
              executed regularly, we researched the structure of the data
              found in the Recycle Bin repository files (INFO2 files).
              Rifiuti, the Italian word meaning "trash", was developed to
              examine the contents of the INFO2 file in the Recycle Bin. ...
              Rifiuti is built to work on multiple platforms and will execute
              on Windows (through Cygwin), Mac OS X, Linux, and *BSD
              platforms.

       However, since the original rifiuti (last updated 2004) can't analyze
       recycle bins from any localized version of Windows (it is restricted
       to English), this rewrite effort was born to overcome that limitation.
       Later rifiuti2 was improved to add support for the Vista format
       recycle bin, XML output and other extra features not available in the
       original version.

CAVEATS
       In very special circumstances (which the author can't reproduce now),
       the index file of a certain deleted item can be corrupt, causing an
       incorrect deleted file size to be stored.  There is no way to report
       the correct size.  This problem was only observed in Vista though, not
       in any other version of Windows.

       Non-ASCII deleted item path names may not always be displayed
       appropriately on the console.  Although great care is taken to
       display the path name as far as possible (resorting to escaped hex
       <\XX> or escaped unicode <\uXXXX> in case of invalid or invisible
       characters), the font used in the console might not be able to display
       all the characters needed.  Dumping the result into a file and opening
       it with a UTF-8 capable text editor is an option.

       It is always better to use UTC time whenever possible, because the
       calculation of local time might not be correct, especially for non-US
       users.  The documentation of the _tzset() function on Windows has this
       statement:
              The C run-time library assumes the United States' rules for
              implementing the calculation of daylight saving time (DST).
       Since the difference between standard time and DST is hardcoded to be
       one hour (which is incorrect for a few selected regions), the file
       deletion time might not be correct for these regions when DST is in
       effect.

       File size can mean the real size of the deleted file, or the cluster
       size it occupies on the filesystem, depending on the recycle bin
       format.  As a rule of thumb, if all sizes of entries are multiples of
       512, it can be assumed the sizes concerned refer to cluster size.

REPORTING BUGS
       Report bugs to

	      https://github.com/abelcheung/rifiuti2/issues

       Information about rifiuti2 can be found on

	      https://abelcheung.github.io/rifiuti2/

SEE ALSO
       Open Digital Evidence Search and Seizure Architecture project, which
       contains the original rifiuti tool
              http://odessa.sourceforge.net/

       Windows 10 Recycle Bin Index Structure, by BlackBag Technologies
              https://www.blackbagtech.com/blog/2017/01/19/examining-the-windows-10-recycle-bin/

       $Recycle.Bin Forensics for Windows 7 and Windows Vista, by Timothy R.
       Leschke
              https://pdfs.semanticscholar.org/db62/a02a2f90c569200bf37ead369221e04393d8.pdf

       INFO2 recycle bin file example, by Steve	Hailey
	      http://www.cyber-ssct.com/resources/INFO2.pdf

COPYRIGHT
       Part of the work of rifiuti2 is derived from Rifiuti.  Both pieces of
       software are licensed under the simplified BSD license.

AUTHOR
       The main author of rifiuti2 is Abel Cheung <abelcheung@gmail.com>

       The original author of rifiuti is Keith J. Jones
       <keith.jones@foundstone.com>

       Anthony Wong <ypwong@debian.org> helped in Debian packaging and was
       author of the original manpage.

0.7.0				   May 2015			   RIFIUTI2(1)
