$I vs $R files: what's the difference in the Recycle Bin?

Every Recycle Bin entry on Windows Vista and later is a pair: one metadata file and one content file. Both sit in the user's SID subfolder under $Recycle.Bin. Knowing which is which decides whether you have content, context, or both.

The two halves

File   Role       What it holds
$I…    Index      Original path, original size, deletion FILETIME
$R…    Recovery   The deleted file's content, byte-for-byte

Both names share a 6-character random identifier and the original extension. Swap the leading letter and you have the partner:

$IA1B2C3.docx   ← 544-byte metadata header (v1) or variable header (v2)
$RA1B2C3.docx   ← identical byte length to the original document

Why the split exists

The shell wants to show the user "report.pdf" in the Recycle Bin, even though on disk the file is now $RA1B2C3.pdf somewhere else. The $I lets Explorer render the original name and folder without touching the content. A Restore is then a cheap rename + move driven by the $I path — no copy, no re-hash.

For an investigation that split is convenient too: an $I is 544 bytes (v1) or a few hundred bytes (v2), so you can pull thousands of them off an image quickly and triage them independently of the $R blobs.

Forensic value of each, taken alone

  • $R alone tells you the content but not where it came from or when it left. You can still hash it, scan it with YARA, or carve the filesystem for the original path.
  • $I alone tells you the original path, size, and exact deletion time. Even after a "Restore" sends the $R back, even after a wiper shredded the content, the $I survives until the bin is emptied.

Together they reconstruct the full deletion event with hash verification.

When the pair breaks

You will see lopsided cases regularly:

  • $I without $R. Partial-empty operations, anti-forensic content wipers (BCWipe, sdelete -p 3 -z), or someone carving and removing the content. The $I is enough to prove existence and timing.
  • $R without $I. Usually a shell glitch or a tool that imported files into the bin folder directly. Treat it as orphan content; pivot to the MFT for the original path.
  • Mismatched sizes. If the $I says 4 MB and the $R is 0, the content was wiped in place. Worth its own line in the report.
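
The triage above can be scripted. The following is an added example, not code from this page: it parses $I records using the commonly documented layout (8-byte version, 8-byte size, 8-byte FILETIME, then a fixed 520-byte path in v1 or a 4-byte character count plus path in v2) and classifies each entry in a SID folder. The function names and the sample entries written by build_sample are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

def parse_i(data: bytes) -> dict:
    """Parse one $I record; FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    if len(data) < 28:
        raise ValueError("too short to be a $I record")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:    # fixed 544-byte record: 520 bytes of UTF-16LE path
        raw = data[24:544]
    elif version == 2:  # 4-byte character count, then a variable-length path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    deleted = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return {"version": version, "size": size, "deleted": deleted, "path": path}

def triage(sid_dir: Path) -> list:
    """Return (identifier, status, metadata) for every entry in one SID folder."""
    names = {p.name for p in sid_dir.iterdir()}
    rows = []
    for name in sorted(names):
        if name.startswith("$I"):
            meta = parse_i((sid_dir / name).read_bytes())
            partner = sid_dir / ("$R" + name[2:])
            status = "paired"
            if not partner.exists():
                status = "$I without $R"
            elif partner.is_file() and partner.stat().st_size != meta["size"]:
                status = "size mismatch"
            rows.append((name[2:], status, meta))
        elif name.startswith("$R") and "$I" + name[2:] not in names:
            rows.append((name[2:], "$R without $I", None))
    return rows

def build_sample(sid_dir: Path) -> None:
    """Write constructed sample entries (not real evidence) into sid_dir."""
    def v2(size, path):  # constructed v2 record with a fixed FILETIME
        body = (path + "\x00").encode("utf-16-le")
        return struct.pack("<QQQI", 2, size, 133_000_000_000_000_000, len(path) + 1) + body
    (sid_dir / "$IA1B2C3.docx").write_bytes(v2(5, r"C:\Users\alice\report.docx"))
    (sid_dir / "$RA1B2C3.docx").write_bytes(b"hello")
    (sid_dir / "$IB2C3D4.pdf").write_bytes(v2(4_194_304, r"C:\Users\alice\plan.pdf"))
    (sid_dir / "$RB2C3D4.pdf").write_bytes(b"")            # wiped in place
    (sid_dir / "$IC3D4E5.txt").write_bytes(v2(10, r"C:\tmp\notes.txt"))  # content gone
    (sid_dir / "$RD4E5F6.bin").write_bytes(b"orphan")      # no metadata
```

Run triage against a read-only copy of the SID folder exported from the image. When $R is a directory the size comparison is skipped, because the check only compares regular files.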

Frequently asked questions

What is the difference between $I and $R files?
The $I file is metadata only — original path, size, and deletion time. The $R file holds the actual deleted content. They share the same identifier so $I and $R always come as a pair.

How are $I and $R files named?
Both start with $I or $R, followed by the same random identifier and the original extension, e.g. $IA1B2C3.docx and $RA1B2C3.docx. Swap the I for an R to find the partner file.

Can I open a $R file directly?
Yes — a $R file is a byte-for-byte copy of the original. Rename it (or copy it) without the $R prefix and it opens normally. The $I file is what tells you its true original name and location.

What if the $R file is missing but the $I file exists?
That happens after a partial empty or carving. The $I record still proves the file existed, its size, and its deletion time — valuable evidence even without the content.