Windows Forensics How to use Recycle Bin Tool "Rifiuti"??

Hi there! Does anyone knows how to properly utilize the "Rifiuti" tool which originated from McAfee Foundstone? I have tried it on a Windows XP platform but it does not output any results.

I have carefully followed the instructions on the man page but the program still does not output anything. The NTFS drive that I have used the tool is not encrypted therefore it should show some results. Can someone please advise on the proper codes or commands? Thanks!

The various commands that I have tried:

C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003>dir /a
 Volume in drive C has no label.
 Volume Serial Number is B415-07D3

 Directory of C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003

07/04/2008  12:46 PM    <DIR>          .
07/04/2008  12:46 PM    <DIR>          ..
07/04/2008  12:46 PM                65 desktop.ini
07/04/2008  12:46 PM                20 INFO2
               2 File(s)             85 bytes
               2 Dir(s)  111,852,953,600 bytes free

.exe INFO2



Usage:  rifiuti [options] <filename>
        -d Field Delimiter (TAB by default)

Open in new window

Another similar command:

C:\temp\rc\bin>rifiuti.exe C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-
INFO2 File: C:\RECYCLER\S-1-5-21-1004336348-1958367476-839522115-1003\INFO2


Open in new window

Who is Participating?
torimarConnect With a Mentor Commented:
Your recycle bin is empty (apart from the obligatory desktop.ini and INFO2). Hence there is no data for the tool to output.

This is not so much a forensics tool as an analysis helper; it does not give you a "history" of the recycle bin in any way - if that is what you were after. It only analyses the INFO2 file which keeps a record on the current recycle bin items, as far as their original location, time deleted, size etc. are concerned.
VMthinkerAuthor Commented:
@tor However when I used a windows explorer to navigate to the folder, I could see deleted files in there.
You used the "dir" command above, and that did not show any deleted contents. Only the two hidden system files.
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

VMthinkerAuthor Commented:
Wierd though I used the dir /a command....
btanExec ConsultantCommented:
can see this PDF (link below) and it mentioned that INFO2 has the first record size found in 0x0C bytes from the start. Thereafter, the path of the deleted item and others would be found. Noticed that your INFO2 size is only 20bytes, I doubt it contained what you are looking for especially if the deleted items total size already exceed the INFO2 file size.


The PDF also show the use of the Rifiuti tool. Possibility you may be in the wrong folder containing the INFO2 especially if this machine is multi-user etc. The correct folder based on user SID will locate the correct SID, you can double check this SID in your listed path using the PsGetSid tool.

btanConnect With a Mentor Exec ConsultantCommented:
thought I also share Rifiuti2 but I believe it should not be the tool if you try it on other machine as well.


As its name indicates, rifiuti2 is a rewrite of rifiuti, Rifiuti (last updated 2004) is restricted to English version of Windows (fail to analyze any non-latin character), thus this rewrite. It also Supports Windows file names in any languages, Supports Vista and Windows 2008 “$Recycle.Bin” (no more uses INFO2 file), Enables localization (that is, translatable) by using glib, More rigorous error checking, Supports output in XML format.
VMthinkerAuthor Commented:
If there are clear commands to troubleshoot the problem it would be excellent.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.