rifiuti2 v0.8: Windows Recycle Bin analyser
Rifiuti2 is a for analyzing Windows Recycle Bin INFO2 file. Analysis of Windows Recycle Bin is usually carried out during Windows computer forensics. Rifiuti2 can extract file deletion time, original path and size of deleted files and whether the trashed files have been permanently removed.
It is a rewrite of rifiuti, which is originally written by FoundStone folks for the identical purpose. Then it was extended to cover more functionalities, such as:
- Handles oldest (Win95) to newest (Win 10 and Server 2019) recycle bin format
- Windows 95 – 2003 uses a single index file named INFO or INFO2
- Vista or above use one index file for each deleted item
- 64-bit file size support
- Supports all localized versions of Windows — both Unicode-based ones and legacy ones (using ANSI code page)
- Supports output in XML format as well as original tab-delimited text
- Obscure features such as recycle bin on a network share (\\server\share_name)
Changelog v0.8
Message for Windows binary downloaders
If you are still using very old 64-bit Windows (Windows 7 or 8.0), and the 64 bit binary is not usable, please:
- Try installaing Universal C Runtime update for your Windows version and reboot first. If that still doesn’t work,
- Download 32 bit version instead.
Binaries are automatically created and distributed by GitHub.
Message for packagers
- As a result of major revamps below (all breaking changes), package maintainers need to rewrite their package files. See compile instructions and GitHub workflow file for reference.
- All released files are signed with minisign using the following public key:
RWTt1Y4tn6M8c1WFrOZG1IylmJ6njWcNzILDBlUAMVzU/JTotU1DKLdK
For example, to verify rifiuti2-0.8.0-Source.tar.xz, use following command after downloading both the source archive and .minisig file:
minisign -Vm rifiuti2-0.8.0-Source.tar.xz -P RWTt1...
Breaking Change
- (#21) Adopts CMake as build system, and drop Autoconf/Automake completely. Document files have been restructured as well.
- (#18) Gettext support is removed, its m4 macro versioning is placing a burden on maintainers and packagers.
- Same for the translation. No contribution so far, probably this is unneeded.
Feature
- (#3) Implement live system inspection on Windows
- (#32)
$Recycle.binalso shows extra field like oldINFO2files do, displaying whether some trashed entries have been restored, leaving only the index file present inside$Recycle.bin
Bug Fix and minor change
- (#28) Fix crash on big endian platform due to incorrect string length check
- (#19, #34) Avoid printing garbage under Windows command prompt
- (#22) Manpage is retired, referring users to GitHub repository and online docs
- (Variation of #17) Program name shown as
(null)in Windows GUI help dialog - (#37) XML output for 95/NT
INFOnow contains total entries ever existed field
Download
Use
rifiuti2 is designed to be portable and runs on a command-line environment. Depending on relevant Windows recycle bin format, there are 2 binaries to choose from (most users would want the first one):
| Program | Recycle bin from OS | Purpose |
|---|---|---|
| rifiuti-vista | Vista – Win10 | Scans \$Recycle.bin style folder |
| rifiuti | Win95 – XP/2003 | Reads INFO or INFO2 file in \RECYCLED or \RECYCLER folder |
Run programs without any option for more detail. Here are some more frequently used options:
| Option | Purpose |
|---|---|
| -o <FILE> | Output to file |
| -x | Output XML instead of tab-separated fields |
| -l <CP> | Display legacy (8.3) filenames and specify its codepage |
Copyright (C) 2007-2019 Abel Cheung
