"In nearly all digital forensics cases where a Windows computer is involved, we need to process the recycle bin for deleted files. When a file is deleted through the recycle bin on a computer with the NTFS file system several things will occur. First the NTFS $MFT entry is updated with a new record number for a parent. Basically, that means its parent now becomes the Recycle Bin instead of it's original location. The second thing is that the file is given a new name. Instead of the original name it now becomes named $R with six random characters and the original file extension."
$I File Parser
Forensic Utilities - Windows