Digital Forensics 101: Parsing INFO2 Files via rifiuti2

In Windows XP and older NT-based operating systems, files deleted by users do not vanish immediately. Instead, the OS moves them to a hidden system folder named Recycler. Inside this folder, Windows creates a special metadata index file named INFO2.
For digital forensics investigators, this file is a goldmine of evidence. It tracks exactly when a user deleted a file and where that file originally lived.
One of the most efficient tools for extracting this data is rifiuti2. This guide covers the structure of INFO2 files and how to analyze them using rifiuti2.

Understanding the INFO2 File Structure
When a file is sent to the Recycle Bin in older Windows versions, Windows renames the physical file (e.g., Dc1.txt) and updates the INFO2 file. The INFO2 file acts as a database containing critical pieces of forensic evidence:
Original File Path: The exact directory where the file existed before deletion.
Deletion Timestamp: The precise date and time the file was sent to the Recycle Bin.
Recycle Bin Index Number: The unique identifier mapping the metadata to the renamed physical file.
Original File Size: The physical size of the record.

Why Use rifiuti2?
While modern Windows systems (Windows 7 through Windows 11) use $I and $R files for individual recycling metadata, digital forensics professionals still frequently encounter legacy XP systems in industrial control networks, legacy corporate infrastructure, and older disk images.
rifiuti2 is an open-source, multi-platform forensic tool specifically rewritten to analyze these legacy recycle bin structures. It improves upon the original rifiuti tool by adding:
Robust handling of corrupted index files.
Wide character (Unicode) support for international file paths.
Multiple output formats (XML, HTML, and tab-delimited text).
Clean integration into modern Linux forensics distributions like Kali Linux and SIFT.

Step-by-Step Guide to Parsing INFO2 with rifiuti2

1. Locate the Target File
Mount your forensic image read-only. Navigate to the hidden Recycle Bin directory, typically located at:
C:\RECYCLER\<User-SID>\INFO2

2. Basic Command Execution
To parse the file and dump the output directly into your terminal window, use the primary rifiuti binary followed by the path to your target file:
rifiuti INFO2

3. Export to Tab-Delimited Format for Analysis
Dumping output to a terminal is inefficient for large files. Export the parsed data into a spreadsheet-friendly format using the output flag:
rifiuti -t -o spreadsheet_output.txt INFO2
-t: Specifies tab-delimited format.
-o: Designates the output file name.

4. Adjust for Time Zones
By default, forensic artifacts display timestamps in Coordinated Universal Time (UTC). If your investigation requires matching local system times, use the -z flag to shift the output timeline:
rifiuti -z GMT+3 INFO2

Analyzing the Output
Once parsed, the output presents a clean timeline of user activity. Investigators should look closely at three specific indicators:
Timeline Anomalies: Mass deletions within a short time frame often indicate an attempt to destroy evidence or wipe local data before an investigation.
Original Paths: Look for deleted items originating from temporary folders, hidden directories, or external USB drives.
Discrepancy in File Sizes: Cross-reference the original file size listed in the INFO2 record against the actual physical file remaining in the image to detect file tampering.
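As an added illustration (not part of this guide and not rifiuti2's own code), the following script parses the record layout described under "Understanding the INFO2 File Structure" by hand: a 20-byte header, then fixed-size records holding the ANSI original path, index number, drive number, FILETIME deletion timestamp and physical size, with a UTF-16 copy of the path appended on XP. It also derives the on-disk name (Dc1.txt style) so the size cross-reference above can be done without the tool. The INFO2 bytes are constructed inside the script; the cp1252 codepage and the treatment of a nulled first path byte as an emptied entry are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone
HEADER_LEN = 20  # header: version, two unknown dwords, record size, one unknown dword (all uint32 LE)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks):
    """Windows FILETIME (100-ns ticks since 1601-01-01) -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_info2(data, codepage="cp1252"):
    """Return one dict per record: 800-byte XP/2000 records or 280-byte ANSI-only ones."""
    _version, _, _, rec_size, _ = struct.unpack_from("<5I", data, 0)
    records = []
    for off in range(HEADER_LEN, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        # Offsets 260..279: index number, drive number (0 = A:), FILETIME, physical size.
        index, drive, ticks, size = struct.unpack_from("<IIQI", rec, 260)
        letter = chr(ord("A") + drive)
        # Emptying the bin nulls the first byte of the ANSI path but leaves the record in place
        # (assumed convention); the drive-number field lets us restore the missing letter.
        emptied = rec[0] == 0
        ansi = rec[(1 if emptied else 0):260].split(b"\x00", 1)[0].decode(codepage, errors="replace")
        path = (letter if emptied else "") + ansi
        if rec_size >= 800:  # XP/2000 append a UTF-16LE copy of the path; prefer it when intact
            upath = rec[280:800].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
            path = upath or path
        name = path.rsplit("\\", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        records.append({"index": index, "drive": letter, "original_path": path, "size": size,
                        "deleted_utc": filetime_to_utc(ticks), "emptied": emptied,
                        "physical_name": f"D{letter.lower()}{index}{ext}"})  # e.g. Dc1.txt on disk
    return records

def build_record(path, index, drive, deleted, size, emptied=False):
    """Constructed XP-layout record for the demo; not data captured from a real system."""
    ticks = (deleted - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    ansi = path.encode("cp1252").ljust(260, b"\x00")
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    if emptied:  # null the first ANSI byte; the UTF-16 copy is blanked too so the fallback path runs
        ansi, uni = b"\x00" + ansi[1:], b"\x00\x00" + uni[2:]
    return ansi + struct.pack("<IIQI", index, drive, ticks, size) + uni

# Constructed sample INFO2: version 5, 800-byte records, two entries from drive C:.
SAMPLE = struct.pack("<5I", 5, 0, 0, 800, 0) + build_record(
    r"C:\Documents and Settings\alice\My Documents\budget.xls", 1, 2,
    datetime(2004, 3, 15, 10, 30, tzinfo=timezone.utc), 65536) + build_record(
    r"C:\Temp\notes.txt", 2, 2, datetime(2004, 3, 16, 8, 0, tzinfo=timezone.utc), 4096, emptied=True)
```

Run `parse_info2(open(path, "rb").read())` against a real INFO2 and compare each record's physical_name and size with the Dc* files still present in the image.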
To help tailor this walkthrough for your specific investigation or lab setup, let me know:
Which operating system you are running rifiuti2 on (Linux, Windows, or macOS).
Whether you need help resolving corrupted file errors during parsing.