Provided by: rifiuti2_0.7.0-4_amd64 bug

NAME

       rifiuti2 - MS Windows recycle bin analysis tool

SYNOPSIS

       rifiuti or rifiuti-vista [-hv]

       rifiuti [-x | [-n] [-t delim]] [-z] [-l codepage] [-o outfile] filename

       rifiuti-vista [-x | [-n] [-t delim]] [-z] [-o outfile] file_or_directory

DESCRIPTION

       Rifiuti2  analyse  recycle  bin  files  from  Windows.  Analysis of Windows recycle bin is
       usually carried out during Windows computer forensics. Rifiuti2 can extract file  deletion
       time,  original  path  and  size  of deleted files and whether the deleted files have been
       moved out from the recycle bin since they are trashed.

       Rifiuti2 supports a wide range of Windows versions, from Windows 95  to  Windows  10.  The
       command used for analysis depends on the version of Windows producing the recycle bin (not
       the version of users' system!), which uses vastly different format before and after Vista:

       rifiuti-vista
              For Vista or later, which is located in \$Recycle.bin\<SID>\.   Each  deleted  file
              has  its  own  accompanied  index file remembering the original path, file size and
              deletion time.  If original file is permanentsly deleted, so is the index file.

       rifiuti
              For Windows 95 to XP/2003, which uses a single index file named INFO2 (98 or above)
              or  INFO  (95  and  NT4)  under  either  \RECYCLED\ (FAT 16/32) or \RECYCLER\<SID>\
              (NTFS).  This file keeps track record for deletion status and info for all  deleted
              items, including those permanently removed or restored.

       By  default,  both  programs  dump  tab-delimited fields on screen, which can be viewed on
       screen or imported into spreadsheet program. -x  option  instructs  program  to  dump  XML
       formatted content instead.

       Since  0.7.0  version,  rifiuti2  output  is in UTF-8 encoding only, including the case of
       writing file under Windows.

       Index field has different meaning for pre-Vista and post-Vista  versions.   INFO2  has  an
       index  number  for  each of deletion item indicating the chronological order of items. For
       Vista  version,  it  means  the  index  file   name   instead,   which   matches   pattern
       “$Ixxxxxx.<ext>”,  where  x  is  random  alphanumeric  character,  and  <ext>  matches the
       extension of original deleted item.

       Deleted time is represented in UTC time by default. Under tab-delimited mode, date/time is
       presented  in  format  recognized  by  spreadsheet  programs,  while  in XML mode ISO 8601
       date/time format is used.  For example, 3PM at 2014 X'mas represented in these modes would
       be respectively:
              2014-12-25 15:00:00
              2014-12-25T15:00:00Z

       File  size  and  file path are self-explanatory, but there are some special issues to take
       care about.  Refer to CAVEATS section below for more detail.

OPTIONS

       -o, --output=FILE
              Write output to FILE.

       -x, --xml
              Output in XML format instead of tab-delimited values.  With  XML  mode,  all  plain
              text options are disallowed, and result is always in UTF-8 encoding.  See below for
              plain text options.

       -l, --legacy-filename=CODEPAGE
              Show legacy filename if available (like “D:\Progra~1\”), and specify  the  CODEPAGE
              used  in  the  Windows system producing this INFO2 file. Any encodings supported by
              iconv(1) can be used, though for maximum accuracy  of  file  name  results,  it  is
              better to stick with Microsoft codepages (such as CP850 or CP1252 for west European
              version, CP932 for Japanese, etc).

              Note: This option is mandatory if INFO2 file is created by Windows 95,  98  or  ME,
              since recycle bins under these OS don't contain Unicode file name. This option does
              not exist in rifiuti-vista.

       -z, --localtime
              Present deletion time in numeric time zone of local system running the program.  By
              default,  UTC  time  is displayed, which is the time value recorded in index files.
              Using the X'mas example above, the time for Berlin (without daylight  saving  time)
              would be 2014-12-25T16:00:00+0100 in ISO 8601 format.

              Note:  It  is  possible  to  use  any  timezone  of  users'  choice  by setting $TZ
              environment variable, though not recommended.   See  ENVIRONMENT  VARIABLE  section
              below.

   PLAIN TEXT OUTPUT OPTIONS
       -t, --delimiter=STRING
              String  to use as delimiter (TAB by default). Other than normal characters, several
              escape sequences are also recognised:
              \r (carriage return)
              \n (line feed)
              \t (tab)
              \e (escape)

       -n, --no-heading
              Don't show recycle bin path name, metadata and field headers

       -8, --always-utf8
              (Option deprecated since 0.7.0 version)

   MISCELLANEOUS OPTIONS
       -v, --version
              Print version information and exit.

       -h, --help
              Show help options and exit.

       --help-all
              Show all help options and exit.

       --help-text
              Show plain text output options and exit.

EXAMPLES

       rifiuti-vista -x -z -o result.xml \case\S-1-2-3\
              Scan for index files under \case\S-1-2-3\, adjust all deletion time for local  time
              zone, and write XML output to result.xml

       rifiuti-vista -n \case\S-1-2-3\
              Show tab-delimited result on screen without header and metadata

       rifiuti-vista -t '\r\n' \case\S-1-2-3\$IF96NJ3.rtf
              Only analyse a single index file and print each field in its own line

       rifiuti -t ',' -o result.csv INFO2
              Change tab-delimited result to comma-delimited and write to result.csv

       rifiuti -l CP1255 -n INFO2
              Assuming  INFO2  from  Hebrew  version  of  Windows, display 8.3 file names without
              header and metadata

ENVIRONMENT VARIABLES

       The following environment variables affect execution of program:

       LANG / LC_MESSAGES / LC_ALL / LANGUAGE
              Listed in order of increasing importance, these variables determine the translation
              to use. They belong to the group of locale environment variables. In general, these
              variables are already properly  set  up  on  Unix-like  systems,  while  unused  on
              Windows.   Please  consult  relevant  document  of user's operating system for more
              detail.

       LANG / LC_CTYPE / LC_ALL
              If recycle bin path contains non-ASCII character, these variables affect  how  they
              are  displayed,  in  a  manner  similar  to translation related variables described
              above. However it is not  recommended  to  modify  them,  as  since  0.7.0  version
              rifiuti2 no more expects any environment using non UTF-8 encoding.

       RIFIUTI_DEBUG
              Setting  it  to  any  non-empty  value would cause programs to print more debugging
              output to stderr.

       TZ
              If non-empty, indicate user-specified time zone when -z option  is  used.  Normally
              the  time zone information is obtained from system and there is no need to set this
              variable. However, it can be used as a facility to  temporarily  override  timezone
              for  some  programs,  which  can  be used for situations like constructing timeline
              event.

              This value is OS dependent. For example, for timezone in Los Angeles, the value for
              Windows   is   “PST8PDT”,   while   corresponding   value   on   Linux   would   be
              “America/Los_Angeles”. Please consult manual for your  operating  system  for  more
              info.

              Please see CAVEATS section below for problems when using this variable.

EXIT STATUS

       Both programs return 0 on success, and greater than 0 if error occurs.

       In  particular,  rifiuti-vista  would  exit  with the latest non-zero status when error is
       encountered in any of the index files.

       1      Wrong command line argument

       2      Error when opening file or directory

       3      Recycle bin data fails basic validation

       4      Error when writing output to file

       5      User supplied wrong encoding for legacy path

HISTORY

       Rifiuti2 is a rewrite of rifiuti, a tool of identical purpose written by Foundstone  which
       was later purchased by McAfee. Quoting from the original FoundStone page:

              Many  computer  crime  investigations  require  the  reconstruction  of a subject's
              Recycle Bin. Since this analysis technique is executed regularly, we researched the
              structure  of  the  data  found  in the Recycle Bin repository files (INFO2 files).
              Rifiuti, the Italian word meaning "trash", was developed to examine the contents of
              the  INFO2  file  in  the  Recycle  Bin.  ...  Rifiuti is built to work on multiple
              platforms and will execute on Windows (through Cygwin), Mac OS X, Linux,  and  *BSD
              platforms.

       However, since the original rifiuti (last updated 2004) can't analyze recycle bin from any
       localized version of Windows (restricted to English),  this  rewrite  effort  is  born  to
       overcome  the  limitation.  Later  rifiuti2  was  improved to add support for Vista format
       recycle bin, XML output and other extra features not available from original version.

CAVEATS

       In very special circumstance (which author can't reproduce now),  index  file  of  certain
       deleted item can be corrupt, causing incorrect deleted file size to be stored. There is no
       way to report correct size.  This problem was only observed in Vista though, not any other
       versions of Window.

       Non-ASCII  deleted  item  path  name may not be always displayed appropriately on console.
       Although great care is taken to display path  name  as  much  as  possible  (resorting  to
       escaped hex <\XX> or escaped unicode <\uXXXX> in case of invalid or invisible characters),
       the font used in console might not be able  to  display  all  characters  needed.  Dumping
       result into file and open with UTF-8 capable text editor is an option.

       It  is  always better to use UTC time whenever possible, because calculation of local time
       might not be correct, especially for non-US users.  Documentation of _tzset() function  on
       Windows has this statement:
              The  C  run-time  library  assumes  the  United  States' rules for implementing the
              calculation of daylight saving time (DST).
       Since the difference between standard time and DST is hardcoded to be one hour  (which  is
       incorrect  for  a  few  selected regions), the file deletion time might not be correct for
       these regions when DST is in effect.

       File size can mean the real size of deleted file, or  the  cluster  size  it  occupies  on
       filesystem,  depending  on recycle bin format. As a rule of thumb, if all sizes of entries
       are multiples of 512, it can be assumed the concerned sizes refer to cluster size.

REPORTING BUGS

       Report bugs to

              https://github.com/abelcheung/rifiuti2/issues

       Information about rifiuti2 can be found on

              https://abelcheung.github.io/rifiuti2/

SEE ALSO

       Open Digital Evidence Search and Seizure Architecture project, which contains the original
       rifiuti tool
              http://odessa.sourceforge.net/

       Windows 10 Recycle Bin Index Structure, by BlackBag Technologies
              https://www.blackbagtech.com/blog/2017/01/19/examining-the-windows-10-recycle-bin/

       $Recycle.Bin Forensics for Windows 7 and Windows Vista, by Timothy R. Leschke
              https://pdfs.semanticscholar.org/db62/a02a2f90c569200bf37ead369221e04393d8.pdf

       INFO2 recycle bin file example, by Steve Hailey
              http://www.cyber-ssct.com/resources/INFO2.pdf

COPYRIGHT

       Part  of  the  work  of  rifiuti2  is  derived  from Rifiuti.  Both pieces of software are
       licensed under the simplified BSD license.

AUTHOR

       The main author of rifiuti2 is Abel Cheung <abelcheung@gmail.com>

       The original author of rifiuti is Keith J. Jones <keith.jones@foundstone.com>

       Anthony Wong <ypwong@debian.org> helped in Debian packaging and was author of the original
       manpage.