Recycle Bin $I/$R Files
In modern versions of Windows, when a file is deleted, it is sent to the Recycle Bin first. Under the hood this constitutes the creation of two unique files prepended by $I and $R and appended with the original file's extension such as:
$RMYY8AS.txt$IMYY8AS.txt
The $I file contains information about the deleted file. The $R file contains the full contents of that deleted file.
Analysis Value
pageSecurity IdentifierpageFile PathpageFile DeletionpageFile SizeOperating System Availability
| Major Version | Support | Major Version | Support |
|---|---|---|---|
Windows 11 | ✅ | Server 2019 | ✅ |
Windows 10 | ✅ | Server 2016 | ✅ |
Windows 8 | ✅ | Server 2012 | ✅ |
Windows 7 | ✅ | Server 2008 | ✅ |
Windows Vista | ✅ | Server 2003 | ❌ |
Windows XP | ❌ |
Artifact Location(s)
C:\$Recycle.Bin\{USER_SID}
Artifact Parsers
KAPE (Extraction and Parsing)
Artifact Interpretation
The presence of this artifact indicates that a file was deleted and sent to the recycle bin.
The user who deleted the file will have their SID shown as the parent directory for the $I and $R files, for example:
C:\$Recycle.Bin\S-1-5-21-3471133136-2963561160-3931775028-1000\$RMYY8AS.txtC:\$Recycle.Bin\S-1-5-21-3471133136-2963561160-3931775028-1000\$IMYY8AS.txt
In this case, S-1-5-21-3471133136-2963561160-3931775028-1000 is the User SID.
The $R file contains the full contents of the original deleted file.
The $I file contains the following data:
Size of the original file
Full path of the original file
Deletion time and date
Last updated