Rifiuti2 - Windows Recycle Bin Analyser
Rifiuti2 is a tool for analyzing Windows Recycle Bin INFO2 files. Analysis of the Windows Recycle Bin is usually carried out during Windows computer forensics. Rifiuti2 can extract file deletion time, original path and size of deleted files, and whether the trashed files have been permanently removed. For those interested in what it does and what functionality it provides, please check out the official site for more info. Latest features and changes can be found in the NEWS file.
Special note for 0.7.0
- Windows binaries will be automatically built from Appveyor and published to Github.
- A system supporting UTF-8 encoding is mandatory, except on Windows console (file output is also in UTF-8). This shouldn't be problematic though, as a UTF-8 locale is pretty much standard for Linux and macOS these years. On the Windows front, there are already many featureful text editors capable of opening UTF-8 unicode text files.
- As a result, the -8 option is obsolete and no longer affects output in any way.
Usage
rifiuti2 is designed to be portable, and runs in a command line environment. Depending on the relevant Windows recycle bin format, there are two binaries to choose from (most users would want the first one):

Program | Recycle bin from OS | Purpose |
---|---|---|
rifiuti-vista | Vista – Win10 | Scans \$Recycle.bin style folder |
rifiuti | Win95 – XP/2003 | Reads INFO or INFO2 file in \RECYCLED or \RECYCLER folder |
Run the programs without any option for more detail. Here are some of the more frequently used options:
Option | Purpose |
---|---|
-o | Output to file |
-x | Output XML instead of tab-separated fields |
-l | Display legacy (8.3) filenames and specify its codepage |
Please consult the manpage (Unix) or README.html (bundled with Windows binaries) for complete options and detailed usage description.
Examples
rifiuti-vista.exe -x -z -o result.xml \case\S-1-2-3\
Scan for index files under \case\S-1-2-3\, adjust all deletion times for the local time zone, and write XML output to result.xml
rifiuti -l CP932 -t "\n" INFO2
Assume the INFO2 file is generated from Japanese Windows (codepage 932), and display each field line by line, instead of separated by tab
Supported platform
It has been tested on Linux, Windows 7 and FreeBSD. Some testing on big endian platforms is done with the Qemu emulator. More compatibility reports for other architectures are welcome.
Download
Windows
Windows binaries are officially provided on Github release page.
Note that version 0.6.1 is the last version that can run on Windows XP and 2003; upcoming versions would require Vista or above.
Linux
- DEB packages are available officially on Debian and Ubuntu, and therefore also available on most (if not all) derivatives focusing on security and forensics, such as (this is an incomplete list):
- Kali Linux
- Deft X Virtual Appliance
- BackBox Linux
- RPM packages from Linux Forensics Tools Repository (LiFTeR) can be used on Fedora, and very likely CentOS and RHEL.
- ArchStrike (formerly ArchAssault), a penetration testing derivative of Arch Linux, has rifiuti2 packaged since late 2014.
FreeBSD
Official FreeBSD port is available since 8.4.
Others (Compile from source)
For OS where rifiuti2 is not readily available, it is always possible to compile from source. rifiuti2 follows the usual autotools based procedure:
./configure && make check && make install