Provided by: rifiuti2_0.6.1-1_amd64 
NAME
rifiuti2 - MS Windows recycle bin analysis tool
SYNOPSIS
rifiuti [-hvz] [-x | [-8n] [-t delim]] [-l codepage] [-o outfile] filename
rifiuti-vista [-hvz] [-x | [-8n] [-t delim]] [-o outfile] file_or_directory
DESCRIPTION
Rifiuti2 analyse recycle bin files from Windows. Analysis of Windows recycle bin is
usually carried out during Windows computer forensics. Rifiuti2 can extract file deletion
time, original path and size of deleted files and whether the deleted files have been
moved out from the recycle bin since they are trashed.
Rifiuti2 supports a wide range of Windows versions, from Windows 98 to Windows 10. The
command used for analysis depends on the version of Windows producing the recycle bin (not
the version of users´ system!), which uses vastly different format before and after Vista:
• rifiuti-vista: For Vista or later, which is located in \$Recycle.bin\<SID>\. Each
deleted file has its own accompanied index file remembering the original path, file
size and deletion time. If original file is permanentsly deleted, so is the index
file.
• rifiuti: For Windows 98 to XP, which uses a single index file named INFO2 under
either \RECYCLED\ or \RECYCLER\<SID>\ (depending on filesystem). This file keeps
track record for deletion status and info for all deleted items, including those
permanently removed or restored.
By default, both programs dump tab-delimited fields on screen, which can be viewed on
screen or imported into spreadsheet program. -x option instructs program to dump XML
formatted content instead.
Index field has different meaning for pre-Vista and post-Vista versions. INFO2 has an
index number for each of deletion item indicating the chronological order of items. For
Vista version, it means the index file name instead, which matches pattern
“$Ixxxxxx.<ext>”, where x is random alphanumeric character.
Deleted time is represented in UTC time by default. Under tab-delimited mode, the original
date/time format is preserved, while in XML mode ISO 8601 date/time format is used. For
example, 3PM at 2014 X´mas represented in these modes would be respectively:
2014-12-25 15:00:00
2014-12-25T15:00:00Z
It would be easier for spreadsheet programs to interpret first format.
File size and file path are self-explanatory, but there are some special notes. File size
can mean the real size of deleted file, or the cluster size it occupies on filesystem,
depending on recycle bin format. File path might not always be displayable on local system
because it might contain characters from other localized version of Windows.
OPTIONS
-o, --output=FILE
Write output to FILE.
-x, --xml
Output in XML format instead of tab-delimited values. With XML mode, all plain
text options are disallowed, and result is always in UTF-8 encoding. See below for
plain text options.
-l, --legacy-filename=CODEPAGE
Show legacy filename if available (like “D:\Progra~1\”), and specify the CODEPAGE
used in the Windows system producing this INFO2 file. Any encodings supported by
iconv(1) can be used, though for maximum accuracy of file name results, it is
better to stick with Microsoft codepages (such as CP850 or CP1252 for west European
version, CP932 for Japanese, etc).
Note: This option is mandatory if INFO2 file is created by Windows 98. This option
does not exist in rifiuti-vista.
-z, --localtime
Present deletion time in numeric time zone of local system running the program. By
default, UTC time is displayed, which is the time value recorded in index files.
Using the X´mas example above, the time for Berlin (without daylight saving time)
would be 2014-12-25T16:00:00+0100 in ISO 8601 format.
Note: It is possible to use any timezone of users´ choice by setting $TZ
environment variable, though not recommended. See ENVIRONMENT VARIABLE section
below.
PLAIN TEXT OUTPUT OPTIONS
-t, --delimiter=STRING
String to use as delimiter (TAB by default). Several escaped characters are
recognised: \r (CARRIAGE RETURN), \n (NEW LINE), \t (TAB), \f (FORM FEED), \v
(VERTICAL TAB), \e (ESCAPE)
-n, --no-heading
Don´t show recycle bin path name, version and header for each field
-8, --always-utf8
Always display result in UTF-8 encoding
MISCELLANEOUS OPTIONS
-v, --version
Print version information and exit.
-h, --help
Show help options and exit.
--help-all
Show all help options and exit.
--help-text
Show plain text output options and exit.
EXAMPLES
rifiuti-vista -x -z -o result.xml \case\S-1-2-3\
Scan for index files under \case\S-1-2-3\, adjust all deletion time for local time
zone, and write XML output to result.xml
rifiuti-vista -n -8 \case\S-1-2-3\
Show tab-delimited result on screen in UTF-8 encoding without header
rifiuti-vista -t '\r\n' \case\S-1-2-3\$IF96NJ3.rtf
Only analyse a single index file and print each field in its own line
rifiuti -t ',' -o result.csv INFO2
Change tab-delimited result to comma-delimited and write to result.csv
rifiuti -l CP1255 -8 -n INFO2
Read INFO2 from Hebrew version of Windows, display 8.3 file names on screen in
UTF-8 encoding without header
ENVIRONMENT VARIABLES
The following environment variables affect execution of program:
CHARSET, LC_CTYPE
If recycle bin path contains non-ASCII character, these variables affect how they
are displayed. UTF-8 capable systems are recommended to set CHARSET=UTF-8 or use
appropriate UTF-8 values for LC_CTYPE explicitly, otherwise path might be displayed
in Universal Character Name sequences like \u1234.
RIFIUTI_DEBUG
Setting it to any non-empty value would cause programs to print more debugging
output to stderr.
TZ
If non-empty, indicate user-specified time zone when -z option is used. Normally
the time zone information is obtained from system and there is no need to set this
variable. However, it can be used as a facility to temporarily override timezone
for some programs, which can be used for situations like constructing timeline
event.
This value is OS dependent. For example, for timezone in Los Angeles, the value for
Windows is “PST8PDT”, while corresponding value on Linux would be
“America/Los_Angeles”. Please consult manual for your operating system for more
info.
Please see BUGS section below for problems when using this variable.
EXIT STATUS
Both programs return 0 on success, and >0 if error occurs.
However rifiuti-vista is more permissive: it still returns success if some (not all) of
index files are invalid.
HISTORY
Rifiuti2 is a rewrite of rifiuti, a tool of identical purpose written by Foundstone which
was later purchased by McAfee. Quoting from the original FoundStone page:
Many computer crime investigations require the reconstruction of a subject´s
Recycle Bin. Since this analysis technique is executed regularly, we researched the
structure of the data found in the Recycle Bin repository files (INFO2 files).
Rifiuti, the Italian word meaning "trash", was developed to examine the contents of
the INFO2 file in the Recycle Bin. ... Rifiuti is built to work on multiple
platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD
platforms.
However, since the original rifiuti (last updated 2004) can´t analyze recycle bin from any
localized version of Windows (restricted to English), this rewrite effort is born to
overcome the limitation. Later rifiuti2 was improved to add support for Vista format
recycle bin, XML output and other extra features not available from original version.
BUGS
In very special circumstance (which author can´t reproduce now), index file of certain
deleted item can be corrupt, causing incorrect deleted file size to be stored. There is no
way to report correct size. This problem shouldn´t happen after Vista though.
Handling of non-ASCII file argument is not satisfactory; it may not work in certain case
under MinGW bash.
Non-ASCII deleted item path name may not be always displayed appropriately, especially on
systems with non-UTF-8 locale (such as Windows cmd, where output is restricted to ANSI
codepages). Storing UTF-8 result into file with -8 or -x option and then opening it with
Unicode capable editor could be a solution.
The calculation of local time might not be correct. For example, documentation of _tzset()
function on Windows has this statement:
The C run-time library assumes the United States´ rules for implementing the
calculation of daylight saving time (DST).
Therefore the time might not be correct in case the files inside recycle bin are produced
on Windows using other countries as region settings. Besides, the difference between
standard time and DST is hardcoded to be one hour, which is incorrect for a few selected
regions.
So it is always better to use UTC time whenever possible.
REPORTING BUGS
Report bugs to
https://github.com/abelcheung/rifiuti2/issues
Information about rifiuti2 can be found on
https://abelcheung.github.io/rifiuti2/
SEE ALSO
Open Digital Evidence Search and Seizure Architecture project, which contains the original
rifiuti tool
http://odessa.sourceforge.net/
Forensics tools and other security related utilities originally written by FoundStone are
now available under McAfee´s own license.
http://www.mcafee.com/us/downloads/free-tools/index.aspx
Vista recycle bin file structure, by Abel Cheung
http://me.abelcheung.org/wp-content/uploads/2007/09/vista-recycle-bin-sample.pdf
INFO2 recycle bin file example, by Steve Hailey
http://www.csisite.net/downloads/INFO2.pdf
COPYRIGHT
Part of the work of rifiuti2 is derived from Rifiuti. Both pieces of software are
licensed under the simplified BSD license.
AUTHOR
The main author of rifiuti2 is Abel Cheung <abelcheung@gmail.com>
The original author of rifiuti is Keith J. Jones <keith.jones@foundstone.com>
Anthony Wong <ypwong@debian.org> helped in Debian packaging and was author of the original
manpage.