In-depth knowledge about recycle bin

Recycle Bin has 2 major formats, which can be roughly divided as “before Vista” and “after Vista”.

Note: <sid> below stands for Security Identifier, which uniquely associates an ID with account or group on a system.

Before: INFO2 file

Though widely known as INFO2 file, it is actually named INFO for Windows 95 and NT 4.0. This hidden file contains relevant meta info for all deleted items. Its location varies with different file system (using C drive as example):

Location Filesystem

Since Windows 98, metadata about permanently purged items or restored items would be kept inside INFO2.

Researched info about this older format had been widely circulated 1, but they generally covers Windows XP/2003 only, which is a bit different from earlier Windows (95, 98, ME, etc). With the kind permission of rifiuti author, a copy of PDF about forensic analysis of INFO2 format is hosted on this website. This is one of the most authorative source about INFO2 file format.

After: $Recycle.bin folder

For this format, recycle bin folder is located in C:\$Recycle.bin\<sid> (C drive as example). Deletion info for recycled files are not stored in single file. Instead, each recycled file has its own accompanied index file with very similar name. For example, if a PNG image is deleted, the deleted file name and its index would look like this inside recycle bin folder:

File name of  
Deleted Item $RDNLPD4.png
Index $IDNLPD4.png

When deleted item is permanently purged, the corresponding index file would be removed too. However, if deleted item is restored, index file would be kept intact.

  1. One of the most widely used reference is from Cybersecurity Institute But it was taken down by new owner, and sadly permanently lost in internet history, not even available from Internet Archive. Luckily many other references are still available, though their presentations (and glitches) may vary from site to site.