Thursday, January 3, 2013

Backtrack Forensics: rifiuti2

rifiuti2 is a tool for analyzing Windows recycle bin INFO2 files, where the OS stores the recovery information for deleted files. Starting with Vista, the INFO2 file was discontinued and the restore information is stored in files inside the recycle bin itself. The rifiuti-vista tool supports the new format.

Two good articles about the MS Windows recycle bin:

Using the app is very simple:

rifiuti2 INFO2

-x - we can display the output in XML
-o - we can write the output to a file

rifiuti-vista win7recycle/

Here we have similar options, and we can also specify a directory as input (as the restore information is found in multiple files).
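
To make the directory input concrete, here is an added example (not rifiuti2's code and not from the original post) that parses the per-file index records found in a Vista/7 recycle bin directory. The `$I` file naming and the 544-byte version 1 layout are assumptions taken from published descriptions of the format, not from this page; the function names and sample files are constructed for illustration.

```python
import struct
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed version 1 $I layout (Vista/7), little-endian, 544 bytes:
#   u64 version (1) | u64 original size | u64 deletion FILETIME
#   (100 ns ticks since 1601-01-01 UTC) | 520 bytes NUL-padded UTF-16LE path
I_FORMAT = "<QQQ520s"
I_SIZE = struct.calcsize(I_FORMAT)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_index_file(data):
    """Parse one $I record; raise ValueError on anything unexpected."""
    if len(data) != I_SIZE:
        raise ValueError(f"expected {I_SIZE} bytes, got {len(data)}")
    version, size, filetime, raw_path = struct.unpack(I_FORMAT, data)
    if version != 1:
        raise ValueError(f"unsupported $I version {version}")
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"path": path, "size": size, "deleted": deleted}

def parse_recycle_dir(directory):
    """Parse every $I* file; return (records by deletion time, errors)."""
    records, errors = [], []
    for entry in sorted(Path(directory).glob("$I*")):
        try:
            record = parse_index_file(entry.read_bytes())
            records.append({"index_file": entry.name, **record})
        except ValueError as exc:
            errors.append((entry.name, str(exc)))  # keep going past damage
    return sorted(records, key=lambda r: r["deleted"]), errors

def build_sample_dir():
    """Constructed sample data: two valid $I files and one truncated one."""
    root = Path(tempfile.mkdtemp())
    samples = {  # name: (original path, size, FILETIME)
        "$IAAAAAA.txt": (r"C:\Users\analyst\notes.txt", 1024, 130016448000000000),
        "$IBBBBBB.doc": (r"C:\Users\analyst\draft.doc", 20480, 130016412000000000),
    }
    for name, (path, size, ft) in samples.items():
        blob = struct.pack(I_FORMAT, 1, size, ft, path.encode("utf-16-le"))
        (root / name).write_bytes(blob)
    (root / "$ICCCCCC.bin").write_bytes(b"\x01" * 10)  # truncated record
    return root

if __name__ == "__main__":
    for item in parse_recycle_dir(build_sample_dir()):
        print(item)
```

Damaged or truncated index files are reported separately instead of aborting the run, so one bad record does not hide the rest of the deletion timeline.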

