Recycle Bin $I/$R Files

In modern versions of Windows, when a file is deleted, it is sent to the Recycle Bin first. Under the hood this constitutes the creation of two unique files prepended by $I and $R and appended with the original file's extension such as:

• $RMYY8AS.txt

• $IMYY8AS.txt

The $I file contains information about the deleted file. The $R file contains the full contents of that deleted file.

Analysis Value

Security Identifier

File Path

File Deletion

File Size

Operating System Availability

Major Version	Support	Major Version	Support
Windows 11	✅	Server 2019	✅
Windows 10	✅	Server 2016	✅
Windows 8	✅	Server 2012	✅
Windows 7	✅	Server 2008	✅
Windows Vista	✅	Server 2003	❌
Windows XP	❌

Artifact Location(s)

• C:\$Recycle.Bin\{USER_SID}

Artifact Parsers

• KAPE (Extraction and Parsing)

• RBCmd

Artifact Interpretation

The presence of this artifact indicates that a file was deleted and sent to the recycle bin.

The user who deleted the file will have their SID shown as the parent directory for the $I and $R files, for example:

• C:\$Recycle.Bin\S-1-5-21-3471133136-2963561160-3931775028-1000\$RMYY8AS.txt

• C:\$Recycle.Bin\S-1-5-21-3471133136-2963561160-3931775028-1000\$IMYY8AS.txt

In this case, S-1-5-21-3471133136-2963561160-3931775028-1000 is the User SID.

The $R file contains the full contents of the original deleted file.

The $I file contains the following data:

• Size of the original file

• Full path of the original file

• Deletion time and date