
rifiuti2 - Online in the Cloud


PROGRAM:

NAME


rifiuti2 - MS Windows recycle bin analysis tool

SYNOPSIS


rifiuti [-hvz] [-x | [-8n] [-t delim]] [-l codepage] [-o outfile] filename

rifiuti-vista [-hvz] [-x | [-8n] [-t delim]] [-o outfile] file_or_directory

DESCRIPTION


Rifiuti2 analyses recycle bin files from Windows. Analysis of the Windows recycle bin is
usually carried out during Windows computer forensics. Rifiuti2 can extract the deletion
time, original path and size of deleted files, and whether the deleted files have been
moved out of the recycle bin since they were trashed.

Rifiuti2 supports a wide range of Windows versions, from Windows 98 to Windows 10. The
command used for analysis depends on the version of Windows that produced the recycle bin
(not the version of the user's system!), because the format differs vastly before and
after Vista:

· rifiuti-vista: For Vista or later, where the recycle bin is located in
\$Recycle.bin\<SID>\. Each deleted file is accompanied by its own index file recording
the original path, file size and deletion time. If the original file is permanently
deleted, so is the index file.

· rifiuti: For Windows 98 to XP, which use a single index file named INFO2 under
either \RECYCLED\ or \RECYCLER\<SID>\ (depending on filesystem). This file keeps
track of the deletion status and info of all deleted items, including those
permanently removed or restored.

By default, both programs dump tab-delimited fields, which can be viewed on screen or
imported into a spreadsheet program. The -x option instructs the program to dump
XML-formatted content instead.

The index field has a different meaning in pre-Vista and post-Vista versions. INFO2 has an
index number for each deleted item, indicating the chronological order of items. For the
Vista version, it is the index file name instead, which matches the pattern
“$Ix.<ext>”, where x stands for random alphanumeric characters.

Deletion time is shown in UTC by default. In tab-delimited mode the original
date/time format is preserved, while XML mode uses the ISO 8601 date/time format. For
example, 3 PM on Christmas Day 2014 would be represented in these modes respectively as:
2014-12-25 15:00:00
2014-12-25T15:00:00Z
Spreadsheet programs interpret the first format more easily.

File size and file path are self-explanatory, but there are some special notes. File size
can mean the real size of the deleted file, or the cluster size it occupies on the
filesystem, depending on the recycle bin format. The file path might not always be
displayable on the local system because it might contain characters from another
localized version of Windows.

OPTIONS


-o, --output=FILE
Write output to FILE.

-x, --xml
Output in XML format instead of tab-delimited values. In XML mode, all plain
text options are disallowed, and the result is always in UTF-8 encoding. See below
for plain text options.

-l, --legacy-filename=CODEPAGE
Show legacy filename if available (like “D:\Progra~1\”), and specify the CODEPAGE
used in the Windows system that produced this INFO2 file. Any encoding supported by
iconv(1) can be used, though for maximum accuracy of file name results, it is
better to stick with Microsoft codepages (such as CP850 or CP1252 for Western
European versions, CP932 for Japanese, etc).

Note: This option is mandatory if the INFO2 file was created by Windows 98. This
option does not exist in rifiuti-vista.

-z, --localtime
Present deletion time in the numeric time zone of the local system running the
program. By default, UTC time is displayed, which is the time value recorded in
index files. Using the Christmas example above, the time for Berlin (without
daylight saving time) would be 2014-12-25T16:00:00+0100 in ISO 8601 format.

Note: It is possible to use any time zone of the user's choice by setting the $TZ
environment variable, though this is not recommended. See the ENVIRONMENT
VARIABLES section below.

PLAIN TEXT OUTPUT OPTIONS
-t, --delimiter=STRING
String to use as delimiter (TAB by default). Several escaped characters are
recognised: \r (CARRIAGE RETURN), \n (NEW LINE), \t (TAB), \f (FORM FEED), \v
(VERTICAL TAB), \e (ESCAPE)

-n, --no-heading
Don't show recycle bin path name, version and header for each field

-8, --always-utf8
Always display result in UTF-8 encoding

MISCELLANEOUS OPTIONS
-v, --version
Print version information and exit.

-h, --help
Show help options and exit.

--help-all
Show all help options and exit.

--help-text
Show plain text output options and exit.

EXAMPLES


rifiuti-vista -x -z -o result.xml \case\S-1-2-3\
Scan for index files under \case\S-1-2-3\, adjust all deletion times to the local
time zone, and write XML output to result.xml

rifiuti-vista -n -8 \case\S-1-2-3\
Show tab-delimited result on screen in UTF-8 encoding without header

rifiuti-vista -t '\r\n' \case\S-1-2-3\$IF96NJ3.rtf
Only analyse a single index file and print each field on its own line

rifiuti -t ',' -o result.csv INFO2
Change tab-delimited result to comma-delimited and write to result.csv

rifiuti -l CP1255 -8 -n INFO2
Read INFO2 from Hebrew version of Windows, display 8.3 file names on screen in
UTF-8 encoding without header

ENVIRONMENT VARIABLES


The following environment variables affect execution of program:

CHARSET, LC_CTYPE
If the recycle bin path contains non-ASCII characters, these variables affect how
they are displayed. UTF-8 capable systems are recommended to set CHARSET=UTF-8 or
use appropriate UTF-8 values for LC_CTYPE explicitly, otherwise the path might be
displayed in Universal Character Name sequences like \u1234.

RIFIUTI_DEBUG
Setting it to any non-empty value causes the programs to print more debugging
output to stderr.

TZ
If non-empty, indicates the user-specified time zone when the -z option is used.
Normally the time zone information is obtained from the system and there is no need
to set this variable. However, it can be used to temporarily override the time zone
for some programs, which is useful in situations such as constructing an event
timeline.

This value is OS dependent. For example, for the time zone of Los Angeles, the value
on Windows is “PST8PDT”, while the corresponding value on Linux would be
“America/Los_Angeles”. Please consult the manual for your operating system for more
info.

Please see BUGS section below for problems when using this variable.

EXIT STATUS


Both programs return 0 on success, and >0 if an error occurs.

However, rifiuti-vista is more permissive: it still returns success if some (not all) of
the index files are invalid.

HISTORY


Rifiuti2 is a rewrite of rifiuti, a tool of identical purpose written by Foundstone, which
was later purchased by McAfee. Quoting from the original Foundstone page:

Many computer crime investigations require the reconstruction of a subject's
Recycle Bin. Since this analysis technique is executed regularly, we researched the
structure of the data found in the Recycle Bin repository files (INFO2 files).
Rifiuti, the Italian word meaning "trash", was developed to examine the contents of
the INFO2 file in the Recycle Bin. ... Rifiuti is built to work on multiple
platforms and will execute on Windows (through Cygwin), Mac OS X, Linux, and *BSD
platforms.

However, since the original rifiuti (last updated 2004) can't analyze recycle bins from
any localized version of Windows (it is restricted to English), this rewrite was started
to overcome the limitation. Later rifiuti2 was improved to add support for the Vista
format recycle bin, XML output and other extra features not available in the original
version.
