What is the Windows Recycle Bin? ($Recycle.Bin explained)

The Windows Recycle Bin is one of the cheapest, highest-yield artefacts on a workstation. Every $I record pins a file to a name, a path, a size and a UTC second. It is the artefact that ends "the file was never on this machine" defences faster than any other.

What Windows actually does when you press Delete

On any NTFS volume, Vista and later route shell-deleted files into a hidden, system-protected folder at the volume root: $Recycle.Bin. The file is not erased. It is split in two:

  • $R… — the original file content, renamed.
  • $I… — a tiny index file holding metadata: the original full path, the original size in bytes, and the deletion timestamp as a 64-bit Windows FILETIME.

Deleting C:\Users\alice\Documents\report.pdf produces something like $IA1B2C3.pdf and $RA1B2C3.pdf under C:\$Recycle.Bin\<user-SID>\. The random 6-character identifier is the same on both partners — swap the leading letter to find one from the other.

Why the $I carries more weight than people think

Restoration is what users care about. Investigators care about the inverse: even when the $R content is gone (wiped, recovered, or carved by someone else first), the surviving $I still proves the file existed, where it lived, how big it was, and when it left. That is admissible proof of deletion without the file itself.

Pair the $I deletion timestamp with the MFT $STANDARD_INFORMATION and $FILE_NAME timestamps to build the file's full lifecycle. The USN journal often records the matching USN_REASON_FILE_DELETE | USN_REASON_CLOSE for the original path. If the file was last opened by the user, the jump list and LNK files round out the story.

What is not in the bin

  • Shift+Delete bypasses the Recycle Bin entirely. No $I record will exist. Absence is itself a finding worth noting.
  • FAT32 and exFAT volumes (most USB sticks formatted on Windows) do not have a $Recycle.Bin. Files there are deleted immediately at the filesystem level.
  • Files larger than the per-user bin quota are auto-Shift+Deleted by the shell. The quota lives in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket.

Frequently asked questions

What is the $Recycle.Bin folder?

$Recycle.Bin is a hidden, system-protected folder at the root of every NTFS volume (e.g. C:\$Recycle.Bin). Windows Vista and later move deleted files here instead of erasing them, splitting each into a $I metadata file and a $R content file.

Is a deleted file really gone after emptying the Recycle Bin?

Emptying the bin removes the $I and $R entries, but the underlying disk clusters are only marked free. Until they are overwritten, file-recovery and forensic tools can often still recover the data.

Why is the Recycle Bin important in digital forensics?

Each $I record proves a file with a specific name, size, and original path existed and records exactly when it was deleted — often the only timeline evidence that a file was intentionally removed.

Can I read $I files without installing software?

Yes. This site parses $I files entirely in your browser with WebAssembly — nothing is uploaded. Drop a file on the home page to decode it.