Provided by: rifiuti2_0.7.0-1_amd64 

NAME
rifiuti2 - MS Windows recycle bin analysis tool
SYNOPSIS
rifiuti or rifiuti-vista [-hv]
rifiuti [-x | [-n] [-t delim]] [-z] [-l codepage] [-o outfile] filename
rifiuti-vista [-x | [-n] [-t delim]] [-z] [-o outfile] file_or_directory
DESCRIPTION
Rifiuti2 analyses recycle bin files from Windows. Analysis of the recycle bin is a routine step in
Windows computer forensics. Rifiuti2 can extract the deletion time, original path and size of each
deleted file, and whether the file has since been moved out of the recycle bin (restored or permanently
deleted) after it was trashed.
Rifiuti2 supports a wide range of Windows versions, from Windows 95 to Windows 10. The command used for
analysis depends on the version of Windows that produced the recycle bin (not the version running on the
analyst's system), because the on-disk format changed completely with Vista:
rifiuti-vista
For Vista or later, where the recycle bin is located in \$Recycle.bin\<SID>\. Each deleted file has
its own accompanying index file recording the original path, file size and deletion time. When the
deleted file is permanently deleted, its index file is removed as well.
rifiuti
For Windows 95 to XP/2003, which use a single index file named INFO2 (98 or above) or INFO (95
and NT4) under either \RECYCLED\ (FAT 16/32) or \RECYCLER\<SID>\ (NTFS). This single file records
the deletion status and metadata of every deleted item, including those that were later permanently
removed or restored.
By default, both programs print tab-delimited fields, which can be read on screen or imported into a
spreadsheet program. The -x option produces XML output instead.
Since version 0.7.0, rifiuti2 output is always UTF-8 encoded, including when writing to a file under
Windows.
The Index field has a different meaning before and after Vista. In INFO2 it is a per-item sequence
number indicating the chronological order of deletion. For the Vista format it is the index file name
instead, which matches the pattern “$Ixxxxxx.<ext>”, where each x is a random alphanumeric character and
<ext> is the extension of the original deleted item.
Deletion time is shown in UTC by default. In tab-delimited mode the date/time is presented in a format
recognised by spreadsheet programs, while XML mode uses the ISO 8601 date/time format. For example, 3 PM
UTC on Christmas Day 2014 is shown in these two modes as, respectively:
2014-12-25 15:00:00
2014-12-25T15:00:00Z
File size and file path are self-explanatory, but both have pitfalls. Refer to the CAVEATS section below
for details.
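The following is an added example and not code from rifiuti2: a minimal reader for Vista and later $I index files that shows how the fields above are laid out and how the deletion time is turned into the UTC (default) and numeric-offset (-z) forms. It assumes the documented $I layout (three little-endian 64-bit fields, then either a fixed 520-byte UTF-16LE path for version 1 or a character count followed by the path for version 2, as written by Windows 10). The sample index records, the file path in them and the directory scanner's naming are constructed for the example.

```python
"""Parse Vista and later $I index files and present the deletion time as rifiuti-vista does.

Added example, not code from rifiuti2.  The sample index records are constructed
inline and the path in them is made up.
"""
import os
import struct
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EXAMPLE_TIME = datetime(2014, 12, 25, 15, 0, tzinfo=timezone.utc)   # the man page's example
BERLIN_WINTER = timezone(timedelta(hours=1))                         # CET without DST, as in the -z example
V1_PATH_LEN = 520   # 260 UTF-16LE code units, NUL padded (Vista through 8.1)


def filetime_to_utc(ft):
    """FILETIME is the number of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_index(data):
    """Return (version, original_path, size, deleted_utc) for one $I file.

    Offsets 0/8/16 hold version, original size and FILETIME as little-endian
    uint64.  Version 1 follows with a fixed 520-byte path; version 2 (Windows
    10) with a uint32 character count (terminating NUL included) and the path."""
    if len(data) < 24:
        raise ValueError("file too short to be a $I index")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_LEN]
        if len(raw) != V1_PATH_LEN:
            raise ValueError("truncated version-1 path field")
    elif version == 2:
        if len(data) < 28:
            raise ValueError("truncated version-2 header")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
        if len(raw) != 2 * nchars:
            raise ValueError("path length field exceeds file size")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return version, path, size, filetime_to_utc(ft)


def iso8601(dt, tz=None):
    """ISO 8601 as in XML mode: UTC with a trailing Z, or, with tz given (the
    -z / TZ behaviour), the local time with a numeric offset such as +0100."""
    if tz is None:
        return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return dt.astimezone(tz).strftime("%Y-%m-%dT%H:%M:%S%z")


def build_index(version, path, size, deleted_utc):
    """Constructed sample $I record in either layout, used to exercise parse_index."""
    header = struct.pack("<QQQ", version, size, utc_to_filetime(deleted_utc))
    if version == 1:
        return header + path.encode("utf-16-le").ljust(V1_PATH_LEN, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + (path + "\x00").encode("utf-16-le")


def scan_directory(directory, tz=None):
    """Read every $I file in a copied \\$Recycle.bin\\<SID>\\ directory and
    return tab-delimited rows: index file name, deletion time, size, path."""
    rows = []
    for name in sorted(os.listdir(directory)):
        if not name.startswith("$I"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            _, path, size, when = parse_index(fh.read())
        rows.append("\t".join([name, iso8601(when, tz), str(size), path]))
    return rows


if __name__ == "__main__":
    sample_path = r"C:\Users\bob\Documents\report.rtf"   # made-up path
    for version in (1, 2):
        _, path, size, when = parse_index(build_index(version, sample_path, 4096, EXAMPLE_TIME))
        print(version, iso8601(when), iso8601(when, ZoneInfo("Europe/Berlin")), size, path, sep="\t")
```

The parser refuses an unknown version and any path field that runs past the end of the file, which is the basic validation a forensic reader needs before trusting a size or timestamp from an index that may be corrupt (see CAVEATS). Note that rifiuti-vista itself reads the zone for -z from the system or $TZ; the example takes a tzinfo object so that a fixed offset can be used without tzdata being installed.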
OPTIONS
-o, --output=FILE
Write output to FILE.
-x, --xml
Output in XML format instead of tab-delimited values. In XML mode the plain text output options are
not allowed, and the result is always UTF-8 encoded. See below for the plain text options.
-l, --legacy-filename=CODEPAGE
Show the legacy (8.3) file name if available (like “D:\Progra~1\”), decoding it with the CODEPAGE
used by the Windows system that produced the INFO2 file. Any encoding supported by iconv(1) can be
used, though for maximum accuracy of the file name it is better to stick with Microsoft codepages
(such as CP850 or CP1252 for west European versions, CP932 for Japanese, etc).
Note: This option is mandatory if the INFO2 file was created by Windows 95, 98 or ME, since recycle
bins under these systems contain no Unicode file names. This option does not exist in rifiuti-vista.
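To make the INFO2 description and the -l option concrete, here is an added example (not rifiuti2's own code) that parses both INFO2 record layouts: the 800-byte records of Windows 2000/XP, which carry an ANSI path followed by a UTF-16LE path, and the 280-byte records of Windows 95/98/ME, which carry the ANSI path only and therefore need a codepage. It also shows the detail behind "whether the deleted files have been moved out": Windows zeroes the first byte of the ANSI path (the drive letter) when an item is restored or emptied, so the drive number field is used to rebuild it. The two sample bins, their 8.3 paths and timestamps are constructed for the example; the header version values written by the builder are assumed and not interpreted by the parser.

```python
"""Parse an INFO2 recycle bin index (Windows 95 to XP/2003).

Added example, not rifiuti2's own code.  The record layout is the documented
INFO2 layout; the two sample bins, their paths and timestamps are constructed
here and the 8.3 names are made up.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EXAMPLE_TIME = datetime(2014, 12, 25, 15, 0, tzinfo=timezone.utc)  # the man page's example
HEADER_LEN = 20          # version, two unused dwords, record size, total size
ANSI_LEN = 260           # ANSI path; byte 0 (drive letter) is zeroed once the item leaves the bin
UNICODE_LEN = 520        # UTF-16LE path, only present in 800-byte (2000/XP) records


def filetime_to_utc(ft):
    """FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_info2(data, codepage=None):
    """Return one dict per record.  Like rifiuti -l, a codepage is required for
    280-byte (95/98/ME) records, which carry no Unicode path at all."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated INFO2 header")
    _version, _, _, rec_size, _total = struct.unpack_from("<5I", data, 0)
    if rec_size not in (280, 800):
        raise ValueError(f"unexpected INFO2 record size {rec_size}")
    if rec_size == 280 and codepage is None:
        raise ValueError("ANSI-only INFO2: a codepage is mandatory (rifiuti -l)")
    entries = []
    for off in range(HEADER_LEN, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, ANSI_LEN)
        removed = rec[0] == 0          # restored or emptied: Windows zeroes byte 0 only
        ansi = rec[1 if removed else 0:ANSI_LEN].split(b"\x00", 1)[0]
        legacy = None
        if codepage is not None:
            # strict decode: a wrong codepage either fails here (cf. rifiuti exit status 5)
            # or, worse, silently yields mojibake; the CP932 sample below shows the latter
            legacy = ansi.decode(codepage)
            if removed:
                legacy = chr(ord("A") + drive) + legacy   # the zeroed byte was the drive letter
        unicode_path = None
        if rec_size == 800:
            unicode_path = rec[ANSI_LEN + 20:].decode("utf-16-le").split("\x00", 1)[0]
        entries.append({
            "index": index,
            "drive": chr(ord("A") + drive),
            "deleted": filetime_to_utc(ft),
            "size": size,
            "removed": removed,
            "legacy": legacy,
            "path": unicode_path if unicode_path is not None else legacy,
        })
    return entries


def sizes_look_like_clusters(entries, unit=512):
    """CAVEATS rule of thumb: if every size is a multiple of 512, the field holds
    on-disk (cluster) sizes rather than logical file sizes."""
    return bool(entries) and all(e["size"] % unit == 0 for e in entries)


def build_info2(records, rec_size, codepage):
    """Constructed sample bin.  records: (index, path, size, deleted_utc, removed)."""
    body = b""
    for index, path, size, when, removed in records:
        ansi = path.encode(codepage).ljust(ANSI_LEN, b"\x00")
        if removed:
            ansi = b"\x00" + ansi[1:]
        drive = ord(path[0].upper()) - ord("A")
        body += ansi + struct.pack("<IIQI", index, drive, utc_to_filetime(when), size)
        if rec_size == 800:
            body += path.encode("utf-16-le").ljust(UNICODE_LEN, b"\x00")
    version = 5 if rec_size == 800 else 4   # assumed header values; not interpreted by the parser
    return struct.pack("<5I", version, 0, 0, rec_size, sum(r[2] for r in records)) + body


XP_BIN = build_info2([
    (1, r"C:\Progra~1\Café\notes.txt", 4096, EXAMPLE_TIME, False),
    (2, r"D:\Docume~1\bob\old.doc", 8192, EXAMPLE_TIME, True),
], 800, "cp1252")
# Japanese Windows 98 bin: katakana SO encodes as 0x83 0x5C in CP932, and 0x5C is '\'
WIN98_BIN = build_info2([(1, r"C:\Docume~1\ソフト\memo.txt", 2048, EXAMPLE_TIME, False)], 280, "cp932")

if __name__ == "__main__":
    for e in parse_info2(XP_BIN, "cp1252") + parse_info2(WIN98_BIN, "cp932"):
        print(e["index"], e["deleted"].strftime("%Y-%m-%d %H:%M:%S"), e["size"],
              "removed" if e["removed"] else "in bin", e["legacy"], e["path"], sep="\t")
    print("CP932 read as CP1252:", parse_info2(WIN98_BIN, "cp1252")[0]["legacy"])
    print("cluster sizes:", sizes_look_like_clusters(parse_info2(XP_BIN)))
```

The CP932 sample illustrates why the option text insists on the Microsoft codepage: read as CP1252 the path decodes without error but gains a spurious backslash, so a path component count or a directory match in a timeline would be wrong without any warning.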
-z, --localtime
Present deletion time in the local time zone of the system running the program, with a numeric
offset. By default UTC is displayed, which is the value actually recorded in the index files. Using
the Christmas example above, the time for Berlin (without daylight saving time) would be
2014-12-25T16:00:00+0100 in ISO 8601 format.
Note: Any time zone of the user's choice can be used by setting the $TZ environment variable, though
this is not recommended. See the ENVIRONMENT VARIABLES section below.
PLAIN TEXT OUTPUT OPTIONS
-t, --delimiter=STRING
String to use as the field delimiter (TAB by default). Besides ordinary characters, the following
escape sequences are recognised:
\r (carriage return)
\n (line feed)
\t (tab)
\e (escape)
-n, --no-heading
Do not print the recycle bin path, metadata or field headers.
-8, --always-utf8
(Option deprecated since 0.7.0 version)
MISCELLANEOUS OPTIONS
-v, --version
Print version information and exit.
-h, --help
Show help options and exit.
--help-all
Show all help options and exit.
--help-text
Show plain text output options and exit.
EXAMPLES
rifiuti-vista -x -z -o result.xml \case\S-1-2-3\
Scan for index files under \case\S-1-2-3\, convert all deletion times to the local time zone, and
write XML output to result.xml
rifiuti-vista -n \case\S-1-2-3\
Show tab-delimited result on screen without header and metadata
rifiuti-vista -t '\r\n' \case\S-1-2-3\$IF96NJ3.rtf
Analyse a single index file only, and print each field on its own line
rifiuti -t ',' -o result.csv INFO2
Change tab-delimited result to comma-delimited and write to result.csv
rifiuti -l CP1255 -n INFO2
Assuming the INFO2 file came from a Hebrew version of Windows, display 8.3 file names without header and metadata
ENVIRONMENT VARIABLES
The following environment variables affect execution of program:
LANG / LC_MESSAGES / LC_ALL / LANGUAGE
Listed in order of increasing precedence, these variables determine the translation to use. They
belong to the group of locale environment variables. In general they are already set correctly on
Unix-like systems, and are not used on Windows. Consult the documentation of your operating system
for details.
LANG / LC_CTYPE / LC_ALL
If the recycle bin path contains non-ASCII characters, these variables affect how they are displayed,
in the same manner as the translation variables described above. Modifying them is not recommended:
since version 0.7.0 rifiuti2 no longer supports environments that use a non-UTF-8 encoding.
RIFIUTI_DEBUG
Setting it to any non-empty value causes the programs to print additional debugging output to stderr.
TZ
If non-empty, specifies the time zone used by the -z option. Normally the time zone is obtained from
the system and there is no need to set this variable. It can however be used to temporarily override
the time zone for a single run, for example when building an event timeline in a particular time
zone.
The value is OS dependent. For example, for the Los Angeles time zone the value on Windows is
“PST8PDT”, while the corresponding value on Linux is “America/Los_Angeles”. Consult the manual of
your operating system for details.
Please see CAVEATS section below for problems when using this variable.
EXIT STATUS
Both programs return 0 on success, and greater than 0 if error occurs.
In particular, rifiuti-vista exits with the most recent non-zero status when an error is encountered
in any of the index files.
1 Wrong command line argument
2 Error when opening file or directory
3 Recycle bin data fails basic validation
4 Error when writing output to file
5 User supplied wrong encoding for legacy path
HISTORY
Rifiuti2 is a rewrite of rifiuti, a tool of identical purpose written by Foundstone (later acquired by
McAfee). Quoting from the original Foundstone page:
Many computer crime investigations require the reconstruction of a subject's Recycle Bin. Since
this analysis technique is executed regularly, we researched the structure of the data found in
the Recycle Bin repository files (INFO2 files). Rifiuti, the Italian word meaning "trash", was de‐
veloped to examine the contents of the INFO2 file in the Recycle Bin. ... Rifiuti is built to work
on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD
platforms.
However, since the original rifiuti (last updated in 2004) cannot analyse recycle bins from any localized
version of Windows (it is restricted to English), this rewrite was started to overcome that limitation.
Later, rifiuti2 gained support for the Vista format recycle bin, XML output and other features not
available in the original.
CAVEATS
In rare circumstances (which the author can no longer reproduce), the index file of a deleted item can
be corrupt, so that an incorrect file size is stored. There is no way to recover the correct size. This
problem was only observed on Vista, not on any other version of Windows.
Non-ASCII deleted item path names may not always display correctly on the console. Although great care
is taken to show as much of the path as possible (falling back to escaped hex <\XX> or escaped Unicode
<\uXXXX> for invalid or non-printable characters), the console font may not be able to display every
character needed. Writing the result to a file and opening it in a UTF-8 capable text editor is an
option.
It is always better to use UTC whenever possible, because the local time calculation might not be
correct, especially for non-US users. The documentation of the _tzset() function on Windows states:
The C run-time library assumes the United States' rules for implementing the calculation of day‐
light saving time (DST).
Since the difference between standard time and DST is hard-coded to one hour (which is wrong for a few
regions), the reported deletion time may be incorrect for those regions when DST is in effect.
File size can mean either the logical size of the deleted file or the space it occupies on the
filesystem in whole clusters, depending on the recycle bin format. As a rule of thumb, if the sizes of
all entries are multiples of 512, they can be assumed to be cluster (on-disk) sizes.
REPORTING BUGS
Report bugs to
https://github.com/abelcheung/rifiuti2/issues
Information about rifiuti2 can be found on
https://abelcheung.github.io/rifiuti2/
SEE ALSO
Open Digital Evidence Search and Seizure Architecture project, which contains the original rifiuti tool
http://odessa.sourceforge.net/
Windows 10 Recycle Bin Index Structure, by BlackBag Technologies
https://www.blackbagtech.com/blog/2017/01/19/examining-the-windows-10-recycle-bin/
$Recycle.Bin Forensics for Windows 7 and Windows Vista, by Timothy R. Leschke
https://pdfs.semanticscholar.org/db62/a02a2f90c569200bf37ead369221e04393d8.pdf
INFO2 recycle bin file example, by Steve Hailey
http://www.cyber-ssct.com/resources/INFO2.pdf
COPYRIGHT
Part of the work of rifiuti2 is derived from Rifiuti. Both pieces of software are licensed under the
simplified BSD license.
AUTHOR
The main author of rifiuti2 is Abel Cheung <abelcheung@gmail.com>
The original author of rifiuti is Keith J. Jones <keith.jones@foundstone.com>
Anthony Wong <ypwong@debian.org> helped in Debian packaging and was author of the original manpage.
0.7.0 May 2015 RIFIUTI2(1)