The Recycle Bin has 2 major formats, which can be roughly divided into “before Vista” and “after Vista”.
<sid> below stands for Security Identifier, which uniquely associates an ID with an account or group on a system.
Though widely known as the INFO2 file, it is actually named
for Windows 95 and NT 4.0. This hidden file contains the relevant metadata for all deleted items. Its location varies with the file system (using the C drive as an example):
Since Windows 98, metadata about permanently purged items or restored items is kept inside
Research on this older format has been widely circulated [1], but it generally covers Windows XP/2003 only, which is a bit different from earlier Windows versions (95, 98, ME, etc.). With the kind permission of the rifiuti author, a copy of a PDF about forensic analysis of the INFO2 format is hosted on this website. This is one of the most authoritative sources on the INFO2 file format.
For this format, the recycle bin folder is located in C:\$Recycle.bin\<sid> (using the C drive as an example). Deletion info for recycled files is not stored in a single file. Instead, each recycled file has its own accompanying index file with a very similar name. For example, if a PNG image is deleted, the deleted file name and its index would look like this inside the recycle bin folder:
|File name of|
When a deleted item is permanently purged, the corresponding index file is removed too. However, if a deleted item is restored, the index file is kept intact.
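The pairing described above can be checked mechanically on a copy of a recycle bin folder. The following is an added example, not code from this page or from rifiuti: it assumes the commonly documented Vista-and-later naming (`$I` prefix for the index file, `$R` for the content file) and index header layout, neither of which is shown on this page; the function names and the sample files are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_index(data: bytes) -> dict:
    """Decode one index file (layout is an assumption, not given on this page)."""
    if len(data) < 28:
        raise ValueError("index file too short")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:      # fixed 520-byte (260 UTF-16 unit) path field
        raw = data[24:24 + 520]
    elif version == 2:    # 4-byte character count, then the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unknown index version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"size": size, "deleted": deleted, "path": path}

def scan_bin(folder: Path) -> list:
    """Pair each index file with its content file; a missing content file
    is what the text says a restored item leaves behind."""
    records = []
    for idx in sorted(folder.glob("$I*")):
        rec = parse_index(idx.read_bytes())
        rec["index"] = idx.name
        rec["restored"] = not (folder / ("$R" + idx.name[2:])).exists()
        records.append(rec)
    return records

def build_sample(folder: Path) -> None:
    """Write constructed sample data: one item in the bin, one restored."""
    ft = (1609459200 + 11644473600) * 10**7   # 2021-01-01 00:00 UTC as FILETIME
    v1 = struct.pack("<QQQ", 1, 2048, ft) + "C:\\tmp\\a.png".encode("utf-16-le").ljust(520, b"\0")
    name = "C:\\tmp\\b.txt\0"
    v2 = struct.pack("<QQQI", 2, 17, ft, len(name)) + name.encode("utf-16-le")
    (folder / "$IAAAAAA.png").write_bytes(v1)
    (folder / "$RAAAAAA.png").write_bytes(b"\0" * 2048)
    (folder / "$IBBBBBB.txt").write_bytes(v2)   # no $R file: restored item

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for rec in scan_bin(Path(tmp)):
            print(rec["index"], rec["path"], rec["deleted"].isoformat(), "restored" if rec["restored"] else "in bin")
```

Run it against a working copy of the folder, never the original evidence; an index file without a content file can also result from an incomplete acquisition, so corroborate before concluding an item was restored.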
[1] One of the most widely used references is from the Cybersecurity Institute, www.csisite.net/INFO2.htm. But it was taken down by the new owner and is sadly permanently lost to internet history, not even available from the Internet Archive. Luckily many other references are still available, though their presentation (and glitches) may vary from site to site.