June 08, 2026

Course 36 - Windows Forensics and Tools | Episode 10: Decoding Metadata and File Internals

22 minutes

In this lesson, you’ll learn about: Windows Recycle Bin forensics and deleted file recovery1. Why the Recycle Bin Matters in Forensics

Deleting a file in Windows does not immediately erase it
Instead, Windows:
- Moves it to a hidden system structure
- Renames it
- Keeps both metadata and data intact

🔹 Key Idea

The Recycle Bin is often a hidden evidence repository

2. Core Forensic Insight

Deleted files usually remain:
- On disk (physically intact)
- With modified references only

👉 Result:

Investigators can often recover:
- Files
- Paths
- Deletion timestamps

3. Legacy Windows Recycle Bin (Windows XP and earlier)🔹 Structure Used

INFO2 file
Stored inside:
- Recycler folder

🔹 What it contains

Original file path
File size
Deletion order

👉 Key Insight:

Acts as an index of deleted files

4. Modern Windows Recycle Bin (Vista → Windows 10)🔹 Structure Used

$Recycle.Bin

🔹 File Pair SystemEach deleted file creates two entries:

$R file
- Contains actual file data
$I file
- Contains metadata:
  - Original name
  - Path
  - Deletion timestamp

👉 Key Insight:

Data and metadata are split for tracking integrity

5. Windows 10 Forensic Markers🔹 Version Identification

$I file headers contain version indicators:
- 01 → older Windows versions
- 02 → Windows 10 era

🔹 Why it matters

Helps investigators determine:
- Operating system version
- Timeline of deletion activity

6. Hex-Level Analysis🔹 Tools used

Hex editors
Forensic analysis tools

🔹 What investigators extract

File paths
Deletion timestamps
File size metadata
Original filenames

👉 Key Insight:

Even “deleted” files can be reconstructed byte-by-byte

7. Forensic Workflow🔹 Step-by-step process

Access $Recycle.Bin
Match $R and $I files
Decode metadata
Reconstruct original file structure
Extract evidence

8. Investigative Value🔹 What can be recovered

Deleted documents
Malware payloads
Sensitive user files
Evidence of file wiping attempts

👉 Key Insight:

Attackers often forget the Recycle Bin still holds traces

Key Takeaways

Recycle Bin does not permanently delete data immediately
Legacy systems use INFO2 index files
Modern systems use $R and $I file pairs
Metadata and file content are separated
Hex analysis allows full reconstruction of deleted activity

Big PictureRecycle Bin forensics helps investigators:👉 Move from “deleted file” → “recoverable digital evidence”Mental Model

Delete action → Recycle Bin redirect → hidden storage → forensic recovery

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy

...more

View all episodes

By CyberCode Academy

June 08, 2026

Course 36 - Windows Forensics and Tools | Episode 10: Decoding Metadata and File Internals

22 minutes

In this lesson, you’ll learn about: Windows Recycle Bin forensics and deleted file recovery1. Why the Recycle Bin Matters in Forensics

Deleting a file in Windows does not immediately erase it
Instead, Windows:
- Moves it to a hidden system structure
- Renames it
- Keeps both metadata and data intact

🔹 Key Idea

The Recycle Bin is often a hidden evidence repository

2. Core Forensic Insight

Deleted files usually remain:
- On disk (physically intact)
- With modified references only

👉 Result:

Investigators can often recover:
- Files
- Paths
- Deletion timestamps

3. Legacy Windows Recycle Bin (Windows XP and earlier)🔹 Structure Used

INFO2 file
Stored inside:
- Recycler folder

🔹 What it contains

Original file path
File size
Deletion order

👉 Key Insight:

Acts as an index of deleted files

4. Modern Windows Recycle Bin (Vista → Windows 10)🔹 Structure Used

$Recycle.Bin

🔹 File Pair SystemEach deleted file creates two entries:

$R file
- Contains actual file data
$I file
- Contains metadata:
  - Original name
  - Path
  - Deletion timestamp

👉 Key Insight:

Data and metadata are split for tracking integrity

5. Windows 10 Forensic Markers🔹 Version Identification

$I file headers contain version indicators:
- 01 → older Windows versions
- 02 → Windows 10 era

🔹 Why it matters

Helps investigators determine:
- Operating system version
- Timeline of deletion activity

6. Hex-Level Analysis🔹 Tools used

Hex editors
Forensic analysis tools

🔹 What investigators extract

File paths
Deletion timestamps
File size metadata
Original filenames

👉 Key Insight:

Even “deleted” files can be reconstructed byte-by-byte

7. Forensic Workflow🔹 Step-by-step process

Access $Recycle.Bin
Match $R and $I files
Decode metadata
Reconstruct original file structure
Extract evidence

8. Investigative Value🔹 What can be recovered

Deleted documents
Malware payloads
Sensitive user files
Evidence of file wiping attempts

👉 Key Insight:

Attackers often forget the Recycle Bin still holds traces

Key Takeaways

Recycle Bin does not permanently delete data immediately
Legacy systems use INFO2 index files
Modern systems use $R and $I file pairs
Metadata and file content are separated
Hex analysis allows full reconstruction of deleted activity

Big PictureRecycle Bin forensics helps investigators:👉 Move from “deleted file” → “recoverable digital evidence”Mental Model

Delete action → Recycle Bin redirect → hidden storage → forensic recovery

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy

...more

Share Course 36 - Windows Forensics and Tools | Episode 10: Decoding Metadata and File Internals

Sign up to save your podcasts

Course 36 - Windows Forensics and Tools | Episode 10: Decoding Metadata and File Internals

Course 36 - Windows Forensics and Tools | Episode 10: Decoding Metadata and File Internals