RecycleBin
Windows RecycleBin
is a special folder on Windows that stores files deleted
using the Explorer GUI. When a file is deleted (via Explorer) two types files
are generated in the RecycleBin
:
- Files that begin with
$I<number>.<original extension>
. Contains metadata about deleted file - Files that begin with
$R<number>.<original extension>
. Contents of deleted file
Currently artemis supports parsing the $I
based files using the standard
Windows APIs to read the file for parsing. It does not try to recover files that
have been deleted/emptied from the RecycleBin
Other parsers:
References:
TOML Collection
system = "windows"
[output]
name = "recyclebin_collection"
directory = "./tmp"
format = "jsonl"
compress = false
endpoint_id = "6c51b123-1522-4572-9f2a-0bd5abd81b82"
collection_id = 1
output = "local"
[[artifacts]]
artifact_name = "recyclebin"
[artifacts.recyclebin]
# alt_file = "C:\\Artifacts\\$IAC12F"
Collection Options
alt_file
Full path to alternative RecycleBin file. This configuration is optional. By default artemis will parse all RecycleBin files on the system
Output Structure
An array of RecycleBin
entries
export interface RecycleBin {
/**Size of deleted file */
size: number;
/**Deleted timestamp of file */
deleted: string;
/**Name of deleted file */
filename: string;
/**Full path to the deleted file */
full_path: string;
/**Directory associated with deleted file */
directory: string;
/**SID associated with the deleted file */
sid: string;
/**Path to the file in the Recycle Bin */
recycle_path: string;
}