.\"-
.\" Man page for rifiuti2
.\"
.\" Copyright (c) 2008 Anthony Wong
.\" Copyright (c) 2015 Abel Cheung
.\"
.\" This documentation is available under BSD 3-clause license.
.\"
.
.ie \n[www-html] \{\
.\" see groff_www(7)
.BCL black #bbffee blue blue #302226
.TH "RIFIUTI2 0.6.1" "1"
.SH INSTALLATION ON WINDOWS
\fBRifiuti2\fP is designed to run as a portable Windows command line application,
and no installation is required.
Copy the binaries corresponding to your system (\fCx64\\\fP for 64 bit systems,
\fCx86\\\fP for 32 bit) to any folder of your choice and they are ready for use.
Read the sections below on how to use the programs.
.SS Translation
By default the output messages of rifiuti2 are in English.
Optionally one can copy the
.nh
\fCrifiuti\-l10n\fP
.hy
folder to the same location the binaries reside in, and set the \fCLANGUAGE\fP
environment variable to an appropriate value to enable translations.
Supported language codes are the same as the existing subdirectory names under the
.nh
\fCrifiuti\-l10n\fP
.hy
folder.
For example, assuming the folder
.nh
\fCrifiuti\-l10n\\fr\\\fP
.hy
exists, running the following in Windows \fCcmd\fP would enable French translation:
.RS
\fCset LANGUAGE=fr\fP
.RE
The file \fCrifiuti.pot\fP in the archive contains the translation template for rifiuti2.
Rifiuti2 makes use of \f[CB]gettext\fP for handling translation.
There are lots of tutorials on the internet on how to work with gettext translations;
any completed translation can be submitted to the main author for inclusion in the next release.
.SH LATEST CHANGE
####CHANGELOG####
.PP
Changes for previous versions are available from
.RS
https://github.com/abelcheung/rifiuti2/blob/master/NEWS.md
.RE
.
.\}
.
.el \{\
.TH RIFIUTI2 "1" "May 2015" "0.6.1" "MS Windows recycle bin analysis tool"
.SH NAME
rifiuti2 \- MS Windows recycle bin analysis tool
.
.\}
.SH SYNOPSIS
.B rifiuti
.RB [ \-hvz ]
.RB [ \-x " |"
.RB [ \-8n ]
.RB [ \-t
.IR delim "]]"
.RB [ \-l
.IR codepage ]
.RB [ \-o
.IR outfile ]
.I filename
.br
.B rifiuti-vista
.RB [ \-hvz ]
.RB [ \-x " |"
.RB [ \-8n ]
.RB [ \-t
.IR delim "]]"
.RB [ \-o
.IR outfile ]
.I file_or_directory
.SH DESCRIPTION
Rifiuti2 analyses recycle bin files from Windows.
Analysis of the Windows recycle bin is usually carried out during Windows computer forensics.
Rifiuti2 can extract the file deletion time, original path and size of deleted files,
and whether the deleted files have been moved out of the recycle bin since they were trashed.
.PP
Rifiuti2 supports a wide range of Windows versions, from Windows 98 to Windows 10.
The command used for analysis depends on the version of Windows that produced the recycle bin
(\fBnot the version of the users\' system!\fP), because the format is vastly different
before and after Vista:
.PP
.IP \[bu]
\fCrifiuti-vista\fP: For Vista or later, where the recycle bin is located in
.nh
\fC\\$Recycle.bin\\\fP\fI\fP\fC\\\fP.
.hy
Each deleted file has its own accompanying index file remembering the original path,
file size and deletion time.
If the original file is permanently deleted, so is the index file.
.IP \[bu]
\fCrifiuti\fP: For Windows 98 to XP, which use a single index file named INFO2 under either
.nh
\fC\\RECYCLED\\\fP
.hy
or
.nh
\fC\\RECYCLER\\\fP\fI\fP\fC\\\fP
.hy
(depending on filesystem).
This file keeps a record of the deletion status and info for \fIall\fP deleted items,
including those permanently removed or restored.
.PP
By default, both programs dump tab-delimited fields on screen, which can be viewed directly
or imported into a spreadsheet program.
The \fB\-x\fP option instructs the program to dump XML formatted content instead.
.PP
The index field has a different meaning for pre-Vista and post-Vista versions.
INFO2 has an index number for each deleted item indicating the chronological order of items.
For the Vista version, it means the index file name instead, which matches the pattern
\(lq$I\fBxxxxxx\fP.\fI\fP\(rq, where \fBx\fP is a random alphanumeric character.
.PP
Deletion time is represented in UTC by default.
Under tab-delimited mode, the original date/time format is preserved,
while in XML mode the ISO 8601 date/time format is used.
For example, 3PM on X\'mas 2014 represented in these modes would be respectively:
.RS
\fC2014-12-25 15:00:00\fP
.RE
.RS
\fC2014-12-25T15:00:00Z\fP
.RE
It would be easier for spreadsheet programs to interpret the first format.
.PP
File size and file path are self-explanatory, but there are some special notes.
File size can mean the real size of the deleted file, or the cluster size it occupies
on the filesystem, depending on recycle bin format.
File path might not always be displayable on the local system because it might contain
characters from another localized version of Windows.
.SH OPTIONS
.TP
\fB\-o\fP, \fB\-\-output\fP=\fI\,FILE\/\fP
Write output to FILE.
.TP
\fB\-x\fP, \fB\-\-xml\fP
Output in XML format instead of tab\-delimited values.
In XML mode, all plain text options are disallowed, and the result is always in UTF-8 encoding.
See below for plain text options.
.TP
\fB\-l\fP, \fB\-\-legacy\-filename\fP=\fI\,CODEPAGE\/\fP
Show legacy filename if available (like \(lq\fCD:\\Progra~1\\\fP\(rq), and specify the
CODEPAGE used in the Windows system producing this INFO2 file.
Any encoding supported by \fBiconv\fP(1) can be used, though for maximum accuracy of
file name results, it is better to stick with Microsoft codepages (such as CP850 or
CP1252 for west European versions, CP932 for Japanese, etc).
.RS
\fBNote\fP: This option is mandatory if the INFO2 file was created by Windows 98.
This option does not exist in \fCrifiuti-vista\fP.
.RE
.TP
\fB\-z\fP, \fB\-\-localtime\fP
Present deletion time in the numeric time zone of the local system running the program.
By default, UTC time is displayed, which is the time value recorded in index files.
Using the X\'mas example above, the time for Berlin (without daylight saving time) would be
\fC2014-12-25T16:00:00+0100\fP in ISO 8601 format.
.RS
\fBNote\fP: It is possible to use any timezone of the user\'s choice by setting the $TZ
environment variable, though this is not recommended.
See the \fBENVIRONMENT VARIABLES\fP section below.
.RE
.SS PLAIN TEXT OUTPUT OPTIONS
.TP
\fB\-t\fP, \fB\-\-delimiter\fP=\fI\,STRING\/\fP
String to use as delimiter (TAB by default).
Several escaped characters are recognised:
\\r (CARRIAGE RETURN), \\n (NEW LINE), \\t (TAB), \\f (FORM FEED), \\v (VERTICAL TAB), \\e (ESCAPE)
.TP
\fB\-n\fP, \fB\-\-no\-heading\fP
Don\'t show recycle bin path name, version and header for each field
.TP
\fB\-8\fP, \fB\-\-always\-utf8\fP
Always display result in UTF\-8 encoding
.PP
.SS MISCELLANEOUS OPTIONS
.TP
\fB\-v\fP, \fB\-\-version\fP
Print version information and exit.
.TP
\fB\-h\fP, \fB\-\-help\fP
Show help options and exit.
.TP
\fB\-\-help\-all\fP
Show all help options and exit.
.TP
\fB\-\-help\-text\fP
Show plain text output options and exit.
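.PP
The following is an added example for illustration only; it is not part of rifiuti2 and not the program's own code.
It parses a constructed Vista-style \fC$I\fP index file and prints its deletion time in the tab-delimited, XML and \fB\-z\fP forms described above.
The byte layout of the \fC$I\fP file is not spelled out in this manual and is assumed in the example from public documentation of the format; the file name \fCreport.docx\fP, the size 1234 and the 2014-12-25 timestamp are constructed sample data.

```python
# Added example, not rifiuti2 code: parse a Vista-or-later $I index file and
# render its deletion time as the tab-delimited, XML (-x) and -z modes above do.
# $I layout assumed from public documentation of the format, not from this manual:
# 8-byte version, 8-byte file size, 8-byte FILETIME, then the UTF-16LE original
# path (fixed 520 bytes in version 1; 4-byte char count then path in version 2).
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME = 100 ns ticks since here
BERLIN_WINTER = timezone(timedelta(hours=1))                 # Berlin without DST, as in the -z example

def filetime_to_datetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return 10 * ((dt - FILETIME_EPOCH) // timedelta(microseconds=1))

def parse_index_file(data):
    """Return (version, original file size, deletion time in UTC, original path)."""
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)  # UTF-16 units, NUL included
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]  # drop NUL terminator/padding
    return version, size, filetime_to_datetime(ticks), path

def render_time(deleted_at, xml=False, local_tz=None):
    """Tab-delimited mode keeps 'YYYY-MM-DD HH:MM:SS'; XML mode is ISO 8601; local_tz mimics -z."""
    if local_tz is not None:
        deleted_at = deleted_at.astimezone(local_tz)
    if not xml:
        return deleted_at.strftime("%Y-%m-%d %H:%M:%S")
    return deleted_at.strftime("%Y-%m-%dT%H:%M:%S%z" if local_tz is not None else "%Y-%m-%dT%H:%M:%SZ")

def sample_index_file(version=1):
    """Constructed sample record: report.docx, 1234 bytes, deleted 2014-12-25 15:00 UTC."""
    deleted = datetime(2014, 12, 25, 15, 0, 0, tzinfo=timezone.utc)
    path = "C:\\Users\\alice\\Documents\\report.docx".encode("utf-16-le") + b"\x00\x00"
    head = struct.pack("<QQQ", version, 1234, datetime_to_filetime(deleted))
    if version == 1:
        return head + path.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) // 2) + path

if __name__ == "__main__":
    for v in (1, 2):
        ver, size, when, path = parse_index_file(sample_index_file(v))
        print(f"{ver}\t{render_time(when)}\t{size}\t{path}")  # one tab-delimited line
    print(render_time(when, xml=True), render_time(when, xml=True, local_tz=BERLIN_WINTER))
```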
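.PP
A second added example (again not rifiuti2 code) illustrates the \fB\-z\fP caveat described in the \fBBUGS\fP section: it emulates a United States daylight saving rule with a hard-coded one hour shift next to the European Union rule for a recycle bin from a Berlin machine, so the dates on which the local time would be an hour off become visible.
The deletion times are constructed sample data and the rule dates are the example's own assumption, not taken from this manual.

```python
# Added example, not rifiuti2 code: why the BUGS section recommends UTC over -z.
# It emulates what the quoted _tzset() note implies (United States DST rule with a
# hard-coded one hour shift) and compares it with the European Union rule for a
# Berlin recycle bin, showing the dates on which the local time would be an hour off.
# Rule dates (post-2007 US rule, current EU rule) are the example's own assumption.
from datetime import date, datetime, time, timedelta, timezone

ONE_HOUR = timedelta(hours=1)
BERLIN_STD = ONE_HOUR  # Berlin standard (winter) offset from UTC

def nth_sunday(year, month, n):
    """n-th Sunday of a month; n == -1 selects the last Sunday."""
    if n == -1:
        last = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
        return last - timedelta(days=(last.weekday() + 1) % 7)
    first = date(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))

def us_dst_active(utc, std_offset):
    """US rule: 2nd Sunday of March 02:00 to 1st Sunday of November 02:00, local clock."""
    local_std = utc.replace(tzinfo=None) + std_offset
    start = datetime.combine(nth_sunday(utc.year, 3, 2), time(2))
    end = datetime.combine(nth_sunday(utc.year, 11, 1), time(1))  # 02:00 DST is 01:00 standard
    return start <= local_std < end

def eu_dst_active(utc, std_offset):
    """EU rule: last Sunday of March 01:00 UTC to last Sunday of October 01:00 UTC (offset unused)."""
    naive_utc = utc.replace(tzinfo=None)
    start = datetime.combine(nth_sunday(utc.year, 3, -1), time(1))
    end = datetime.combine(nth_sunday(utc.year, 10, -1), time(1))
    return start <= naive_utc < end

def iso_local(utc, std_offset, rule):
    """ISO 8601 local time with numeric offset (the -x -z form), under the given DST rule."""
    offset = std_offset + (ONE_HOUR if rule(utc, std_offset) else timedelta())
    return utc.astimezone(timezone(offset)).strftime("%Y-%m-%dT%H:%M:%S%z")

# Constructed deletion times (UTC) from a Berlin machine.
SAMPLES = {
    "christmas": datetime(2014, 12, 25, 15, tzinfo=timezone.utc),  # both rules agree
    "mid_march": datetime(2014, 3, 15, 15, tzinfo=timezone.utc),   # US DST on, EU DST not yet
}

if __name__ == "__main__":
    for name, when in SAMPLES.items():
        print(name, when.strftime("%Y-%m-%dT%H:%M:%SZ"),
              "EU rule:", iso_local(when, BERLIN_STD, eu_dst_active),
              "US rule:", iso_local(when, BERLIN_STD, us_dst_active))
```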
.PP
.SH EXAMPLES
.TP
\fCrifiuti-vista \-x \-z \-o result.xml \\case\\S\-1\-2\-3\\\fP
.RS
Scan for index files under \\case\\S\-1\-2\-3\\, adjust all deletion times to the local time zone,
and write XML output to result.xml
.RE
.TP
\fCrifiuti-vista \-n \-8 \\case\\S\-1\-2\-3\\\fP
Show tab-delimited result on screen in UTF-8 encoding without header
.TP
\fCrifiuti-vista -t '\\r\\n' \\case\\S\-1\-2\-3\\$IF96NJ3.rtf\fP
Only analyse a single index file and print each field on its own line
.TP
\fCrifiuti \-t ',' -o result.csv INFO2\fP
Change tab-delimited result to comma-delimited and write to result.csv
.TP
\fCrifiuti \-l CP1255 \-8 \-n INFO2\fP
.RS
Read INFO2 from a Hebrew version of Windows, display 8.3 file names on screen in UTF-8 encoding
without header
.RE
.SH ENVIRONMENT VARIABLES
The following environment variables affect execution of the programs:
.TP
\fBCHARSET\fP, \fBLC_CTYPE\fP
.RS
If the recycle bin path contains non-ASCII characters, these variables affect how they are displayed.
UTF-8 capable systems are recommended to set
.nh
\fCCHARSET=UTF-8\fP
.hy
or use appropriate UTF-8 values for \fCLC_CTYPE\fP explicitly, otherwise the path might be displayed
as Universal Character Name sequences like \\u1234.
.RE
.TP
\fBRIFIUTI_DEBUG\fP
.RS
Setting it to any non-empty value causes the programs to print more debugging output to stderr.
.RE
.TP
\fBTZ\fP
.RS
If non-empty, indicates the user-specified time zone when the \fB\-z\fP option is used.
Normally the time zone information is obtained from the system and there is no need to set this variable.
However, it can be used as a facility to temporarily override the timezone for some programs,
which is useful in situations like constructing a timeline of events.
.PP
This value is OS dependent.
For example, for the Los Angeles timezone, the value for Windows is \(lqPST8PDT\(rq,
while the corresponding value on Linux would be \(lqAmerica/Los_Angeles\(rq.
Please consult the manual for your operating system for more info.
.PP
Please see the \fBBUGS\fP section below for problems when using this variable.
.RE
.SH EXIT STATUS
Both programs return 0 on success, and >0 if an error occurs.
.PP
However, \fCrifiuti-vista\fP is more permissive: it still returns success if \fIsome\fP
(not all) of the index files are invalid.
.SH HISTORY
\fIRifiuti2\fP is a rewrite of \fIrifiuti\fP, a tool of identical purpose written by Foundstone,
which was later purchased by McAfee.
Quoting from the original FoundStone page:
.RS
Many computer crime investigations require the reconstruction of a subject\'s Recycle Bin.
Since this analysis technique is executed regularly, we researched the structure of the data
found in the Recycle Bin repository files (INFO2 files).
Rifiuti, the Italian word meaning "trash", was developed to examine the contents of the
INFO2 file in the Recycle Bin. ...
Rifiuti is built to work on multiple platforms and will execute on Windows (through Cygwin),
Mac OS X, Linux, and *BSD platforms.
.RE
.PP
However, since the original rifiuti (last updated 2004) can\'t analyze recycle bins from any
localized version of Windows (it is restricted to English), this rewrite effort was born to
overcome the limitation.
Later rifiuti2 was improved to add support for the Vista format recycle bin, XML output and
other extra features not available in the original version.
.SH BUGS
In a very special circumstance (which the author can\'t reproduce now), the index file of a
certain deleted item can be corrupt, causing an incorrect deleted file size to be stored.
There is no way to report the correct size.
This problem shouldn\'t happen after Vista though.
.PP
Handling of non-ASCII file arguments is not satisfactory; it may not work in certain cases
under MinGW bash.
.PP
Non-ASCII deleted item path names may not always be displayed appropriately, especially on
systems with a non-UTF-8 locale (such as Windows \fBcmd\fP, where output is restricted to
ANSI codepages).
Storing the UTF-8 result into a file with the \fB\-8\fP or \fB\-x\fP option and then opening it
with a Unicode capable editor could be a solution.
.PP
The calculation of local time might not be correct.
For example, the documentation of the _tzset() function on Windows has this statement:
.RS
The C run-time library assumes the United States\' rules for implementing the calculation of
daylight saving time (DST).
.RE
Therefore the time might not be correct if the files inside the recycle bin were produced on
Windows using other countries as region settings.
Besides, the difference between standard time and DST is hardcoded to be one hour,
which is incorrect for a few selected regions.
.PP
So it is always better to use UTC time whenever possible.
.SH REPORTING BUGS
Report bugs to
.\" The whole link and text would disappear when using
.\" ascii driver, so have to use if/else
.ie \n[www-html] \{\
.\" Using .IP doesn't work, URL is emitted before it
.RS
.URL https://github.com/abelcheung/rifiuti2/issues
.RE
.\}
.el \{\
.IP
https://github.com/abelcheung/rifiuti2/issues
.\}
.PP
Information about rifiuti2 can be found on
.ie \n[www-html] \{\
.RS
.URL https://abelcheung.github.io/rifiuti2/
.RE
.\}
.el \{\
.IP
https://abelcheung.github.io/rifiuti2/
.\}
.SH SEE ALSO
.ie \n[www-html] \{\
.PP
.URL http://odessa.sourceforge.net/ "Open Digital Evidence Search and Seizure Architecture project" ,
which contains the original rifiuti tool
.PP
Forensics tools and other security related utilities
.URL http://www.mcafee.com/us/downloads/free-tools/index.aspx "originally written by FoundStone"
are now available under McAfee\'s own license
.PP
.URL http://me.abelcheung.org/wp-content/uploads/2007/09/vista-recycle-bin-sample.pdf "Vista recycle bin file structure" ,
by Abel Cheung
.PP
.URL http://www.csisite.net/downloads/INFO2.pdf "INFO2 recycle bin file example" ,
by Steve Hailey
.\}
.
.el \{\
.TP
Open Digital Evidence Search and Seizure Architecture project, which contains the original rifiuti tool
http://odessa.sourceforge.net/
.TP
Forensics tools and other security related utilities originally written by FoundStone are now
available under McAfee\'s own license.
http://www.mcafee.com/us/downloads/free-tools/index.aspx
.TP
Vista recycle bin file structure, by Abel Cheung
http://me.abelcheung.org/wp-content/uploads/2007/09/vista-recycle-bin-sample.pdf
.TP
INFO2 recycle bin file example, by Steve Hailey
http://www.csisite.net/downloads/INFO2.pdf
.\}
.PP
.SH COPYRIGHT
Part of the work of rifiuti2 is derived from Rifiuti.
Both pieces of software are licensed under the simplified BSD license.
.SH AUTHOR
The main author of rifiuti2 is Abel Cheung
.nh
\fC\fP
.hy
.PP
The original author of rifiuti is Keith J. Jones
.nh
\fC\fP
.hy
.PP
Anthony Wong
.nh
\fC\fP
.hy
helped in Debian packaging and was the author of the original manpage.