Documentation
Background on the Windows Recycle Bin and how this tool works.
Convert a Windows FILETIME deletion timestamp to a readable date
What the 64-bit FILETIME in a Recycle Bin $I file means, how to convert it to a UTC date by hand, and why timezone handling matters for forensic timelines.
$I vs $R files: what's the difference in the Recycle Bin?
How the paired $I metadata file and $R content file work together inside the Windows $Recycle.Bin, and why forensics relies on both.
Is the $Recycle.Bin folder a virus? Can I safely delete it?
Why the hidden $Recycle.Bin folder appears on every drive (including USB sticks), whether it is malware, and what actually happens if you delete it.
How to recover deleted files from the Recycle Bin (even after emptying)
Restore files from the Windows Recycle Bin, and understand what is still recoverable on disk after you empty it — using the $I metadata as your map.
What is the Windows Recycle Bin? ($Recycle.Bin explained)
A practitioner's tour of the Windows $Recycle.Bin folder, the $I and $R files inside it, and why it matters for digital forensics and file recovery.
How to parse $I Recycle Bin files (no install)
Three ways to read Windows $I Recycle Bin metadata — a browser parser with zero install, Eric Zimmerman's RBCmd, and a quick manual hex walkthrough.
The $I file format explained (v1 & v2 byte layout)
Byte-level layout of the Windows Recycle Bin $I index file across Windows Vista through Windows 11 — header, file size, FILETIME, and the original path.
Where is the Recycle Bin located on disk in Windows?
The exact filesystem path of the Windows Recycle Bin, why it is hidden, and how to acquire $I/$R files from a live machine or forensic image.
Using the Recycle Bin in a forensic investigation
What the Windows Recycle Bin proves in a DFIR case — intentional deletion, anti-forensic behaviour, suspect timelines — with a worked example.
Recycle Bin SID subfolders explained
Why $Recycle.Bin contains folders with long S-1-5-21 names, how to map a SID to a Windows user, and what that means for deletion attribution.