Archive for Computer Forensics

Recycle Bin Forensics

You may think that when you hit the Delete key on the keyboard the file is erased from the disk forever. It is not.

Delete: When we simply delete a file we are throwing it into the recycle bin of that particular volume. For example, if the file resides on the C:\ drive and that volume is formatted FAT32, deleting it moves the file to C:\Recycled. If the volume is NTFS, the file moves to \Recycler\ instead.

Shift+Delete: When we hit Shift+Delete the file does not move to Recycled or Recycler. Instead it bypasses these two folders and is simply deleted. In this case the user has no option to restore the file from either folder.

However, forensics tells us the files are NOT actually deleted. The deleted file's data still exists on the hard disk; what is removed is the pointer to that file. The pointer information is stored in the INFO2 record, which a normal user cannot see because it is a hidden system file. To view the INFO2 file, clear those attributes with ATTRIB -r -s -h info2. We can also use a third-party tool such as rifiuti to see what is written in the INFO2 file. In Italian, rifiuti means trash. Thanks to Keith J. Jones for developing this wonderful tool. Rifiuti can be downloaded from here.
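To make the "pointer" concrete, here is an added example (not code from this post and not rifiuti itself) that parses an INFO2 file in the Windows 2000/XP layout and maps each renamed entry in the Recycler folder (Dc1.docx and so on) back to its original path, deletion time and size. The record offsets are taken from rifiuti's public description of the format and are an assumption here; the INFO2 bytes it reads are constructed inline, so it runs offline. It also handles the case of an entry whose first ANSI byte was cleared (the file was restored or the bin emptied), recovering the path from the Unicode copy of the name.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout of the Windows 2000/XP INFO2 file as published by the rifiuti project.
# These offsets are an assumption taken from that documentation, not from the
# post above; verify against a real INFO2 before relying on them.
HEADER_LEN = 20      # version(4) unknown(8) record_size(4) unknown(4)
RECORD_LEN = 800     # 2000/XP record size; Windows 9x used 280-byte records
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the sample below."""
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


def recycled_name(drive_number, index, original_path):
    """Name the file carries inside Recycler: D<drive letter><index>.<ext>."""
    filename = original_path.rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    name = "D%s%d" % (chr(ord("a") + drive_number), index)
    return name + "." + ext if ext else name


def parse_info2(data):
    """Return one dict per record found in an INFO2 byte string."""
    version, _, record_size, _ = struct.unpack_from("<I8sII", data, 0)
    if record_size != RECORD_LEN:
        raise ValueError("unsupported record size %d (version %d)" % (record_size, version))
    records = []
    for off in range(HEADER_LEN, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        ansi_path = rec[0:260].split(b"\x00", 1)[0].decode("cp1252")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        unicode_path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        path = unicode_path or ansi_path
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive),
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            # Windows clears the first ANSI byte when the entry is restored or the
            # bin is emptied; the Unicode copy of the path usually survives.
            "active": rec[0] != 0,
            "original_path": path,
            "recycled_name": recycled_name(drive, index, path),
        })
    return records


def build_record(index, drive, deleted_at, size, path, active=True):
    """Constructed INFO2 record for the sample file below (test data only)."""
    ansi = path.encode("cp1252")[:259].ljust(260, b"\x00")
    if not active:
        ansi = b"\x00" + ansi[1:]
    uni = path.encode("utf-16-le")[:518].ljust(520, b"\x00")
    meta = struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted_at), size)
    return ansi + meta + uni


# Constructed sample INFO2: header plus three records on drive C (drive number 2).
SAMPLE_INFO2 = (
    struct.pack("<I8sII", 5, b"\x00" * 8, RECORD_LEN, 0)
    + build_record(1, 2, datetime(2009, 3, 14, 15, 9, 26, tzinfo=timezone.utc), 4096,
                   r"C:\Documents and Settings\bob\My Documents\secret.docx")
    + build_record(2, 2, datetime(2009, 3, 14, 15, 10, 0, tzinfo=timezone.utc), 512,
                   r"C:\temp\notes")
    + build_record(3, 2, datetime(2009, 3, 14, 15, 11, 0, tzinfo=timezone.utc), 2048,
                   r"C:\temp\restored.txt", active=False)
)


if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        state = "active" if r["active"] else "restored/emptied"
        print("%-10s %s %6d bytes %s  <- %s" % (
            r["recycled_name"], r["deleted_at"].isoformat(), r["size"], state, r["original_path"]))
```

Run it as a script to see the mapping table; to read a real INFO2 you would open the file in binary mode and pass its bytes to parse_info2. Note that entries marked restored/emptied are exactly the ones a user thought were gone: the record is still in INFO2 and the file's clusters are still on disk until something overwrites them.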
