
rifiuti

Rifiuti is a tool to examine INFO2 files from the MS Windows recycle bin, providing meta information about deleted files. It is useful in forensics investigations.

Description

Rifiuti is a specialized tool for analyzing the INFO2 files found in the MS Windows recycle bin. These INFO2 files contain metadata about files that have been deleted and moved to the recycle bin, such as original paths, deletion dates, and file sizes.

The tool is particularly valuable in digital forensics investigations where recovering information about deleted files is crucial. Investigators can use Rifiuti to extract this metadata, helping to reconstruct user activity and identify potentially relevant evidence that might otherwise be overlooked.

By parsing the binary format of INFO2 files, Rifiuti presents the data in a readable format, facilitating analysis without manual decoding.

How It Works

Rifiuti reads and parses the binary INFO2 file format used by MS Windows recycle bins to store metadata about deleted files. It extracts fields such as file names, original locations, deletion timestamps, and sizes, outputting them in a delimited text format for analysis.
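The parsing step described above, as an added Python example; it is not Rifiuti's own code. The layout it assumes (20-byte header with the record size at offset 12, then 280- or 800-byte records) is the commonly documented INFO2 structure and is not stated on this page. The sample file is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20       # assumed header length; record size is read at offset 12
LEGACY_LEN = 260       # ANSI path, NUL padded
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_info2(data):
    """Return one dict per record found in the bytes of an INFO2 file."""
    if len(data) < HEADER_SIZE:
        raise ValueError("truncated INFO2 header")
    (record_size,) = struct.unpack_from("<I", data, 12)
    if record_size not in (280, 800):   # 280 = ANSI only, 800 = ANSI + UTF-16
        raise ValueError(f"unexpected record size {record_size}")
    records = []
    # Step through whole records only; a trailing partial record is ignored.
    for off in range(HEADER_SIZE, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        index, drive, filetime, size = struct.unpack_from("<IIQI", rec, LEGACY_LEN)
        legacy = rec[:LEGACY_LEN]
        path = legacy.split(b"\0", 1)[0].decode("cp1252", "replace")
        if record_size == 800:
            uni = rec[280:].decode("utf-16-le", "replace").split("\0", 1)[0]
            path = uni or path
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive) if drive < 26 else "?",
            # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
            "deleted_utc": EPOCH_1601 + timedelta(microseconds=filetime // 10),
            "size": size,
            "path": path,
            # A zeroed first path byte marks an entry no longer in the bin.
            "in_bin": legacy[0] != 0,
        })
    return records

def build_sample():
    """Constructed INFO2 image: one 800-byte record, not real evidence."""
    path = "C:\\Docs\\budget.xls"
    header = struct.pack("<5I", 5, 1, 2, 800, 0)   # constructed header values
    record = (path.encode("cp1252").ljust(LEGACY_LEN, b"\0")
              + struct.pack("<IIQI", 1, 2, 128436192000000000, 24576)
              + path.encode("utf-16-le").ljust(520, b"\0"))
    return header + record

if __name__ == "__main__":
    for r in parse_info2(build_sample()):
        print(r["index"], r["deleted_utc"].isoformat(), r["path"], r["size"], sep="\t")
```

Timestamps come out in UTC, so convert to the suspect system's time zone only when building the timeline.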

Installation

sudo apt install rifiuti

Flags

-d    Field Delimiter (TAB by default)

Examples

Display help and usage information for the tool
rifiuti -h
Extract information from the specified INFO2 file using default TAB delimiter
rifiuti <filename>
Extract information from INFO2 file using comma as field delimiter
rifiuti -d ',' <filename>
Analyze a typical Windows XP recycle bin INFO2 file
rifiuti /path/to/RECYCLER/INFO2
Parse INFO2 file with pipe delimiter for custom output formatting
rifiuti -d '|' $RECYCLER/INFO2
Show help for rifiuti2, the advanced version for newer Windows systems
rifiuti2 -h
Updated 2026-04-16 | kali.org