
rifiuti2

Rifiuti2 is a replacement for rifiuti, a MS Windows recycle bin analysis tool. It extracts file deletion time, original path, size of deleted files, and whether files have been moved out from the recycle bin.

Description

Rifiuti2 analyses recycle bin files from Windows, typically used during Windows computer forensics. It can extract critical metadata like file deletion time, original path, size of deleted files, and status of whether the deleted files have been moved out from the recycle bin since they were trashed.

Rifiuti2 is a rewrite of the original rifiuti tool, extended with more functionality. It handles recycle bin formats up to Windows 10, as well as ancient versions like Windows 95, NT4, and ME. It supports all localized versions of Windows, including both Unicode-based and legacy ones using ANSI code pages, and provides output in XML format or the original tab-delimited text.

The tool is designed to be portable and runs in command line environments. Two programs, rifiuti2 and rifiuti-vista, are used depending on the relevant Windows recycle bin format.

How It Works

The rifiuti2 program parses INFO2 files from legacy Windows recycle bin formats, while rifiuti-vista parses index files in C:\$Recycle.Bin style folders from Vista and later versions. Both extract metadata such as deletion times (in UTC by default, or local time with -z), original paths (including legacy 8.3 paths with codepage support), file sizes, and permanent deletion status. Output can be formatted as tab-delimited text or XML.

Installation

sudo apt install rifiuti2

Flags

-h, --help                      Show help options
--help-all                      Show all help options
--help-format                   Show output formatting options
-o, --output=FILE               Write output to FILE
-z, --localtime                 Present deletion time in time zone of local system (default is UTC)
-v, --version                   Print version information and exit
-l, --legacy-filename=CODEPAGE  Show legacy (8.3) path if available and specify its CODEPAGE (rifiuti2 only)
--live                          Inspect live system (rifiuti-vista only)

Examples

Show help options for rifiuti-vista
rifiuti-vista -h
Parse index files in C:\$Recycle.Bin style folder and dump recycle bin data
rifiuti-vista DIR_OR_FILE
Write output to specified file while parsing recycle bin data
rifiuti-vista -o output.txt DIR_OR_FILE
Present deletion time in local system time zone
rifiuti-vista -z DIR_OR_FILE
Inspect live system recycle bin
rifiuti-vista --live
Show help options for rifiuti2
rifiuti2 -h
Parse INFO2 file and dump recycle bin data
rifiuti2 INFO2
Show legacy 8.3 path with specified codepage while parsing INFO2
rifiuti2 -l 1252 INFO2
Updated 2026-04-16, kali.org