There are various ways of deleting a file/folder in Windows. Some of the common ones include:
- Delete key: Using the delete key on the keyboard sends the file/folder to the recycle bin.
- Right-click delete option: Also sends file/folder to the recycle bin
- Windows command line: Using the del command to delete files does NOT send them to the recycle bin. Rmdir command removes an empty directory or use /S option to remove a directory with files in it.
- Shift + Delete: Permanently deletes file/folder from computer.
It is important to note that when you delete a file, whether it appears in the recycle bin or not, the file is not actually deleted. The cluster/space it occupies on the hard drive is simply marked as free or unallocated and available for use. Until the actual 1s and 0s are overwritten, the file data is still available on the hard drive and can be retrieved by manual file carving.
Windows recycle bin feature allows users to easily review and restore deleted files and folders. For a forensic investigator, it can be a great source of information even after it has been emptied. There are two main ways recycle bin data is stored depending on the version of Windows in use.
From Windows 2000 onwards, a security identifier (SID) folder for each user on a machine was introduced in the recycle bin. When a file is deleted, an INFO2 file is created in Windows XP to store all the metadata on the deleted file and is stored in that specific user’s SID folder. The INFO2 file contains the original path, file size and deletion date for each deleted file.
$R[xxxxxx] and $I[xxxxxx] Files
From Windows Vista onwards, the parent folder $Recycle.Bin is used. When a file is deleted, two files are created in the recycle bin. The first file contains the actual deleted file. It begins with ‘$R’ followed by a random string. The second file starts with ‘$I’ followed by the same random string as it’s corresponding ‘$R’ file. It contains metadata for that specific deleted file.