A few weeks back, I found myself in need of a free tool to parse $I files from Windows Vista+ recycle bins. For anyone needing a refresher, $I files store metadata regarding the act of sending a file to the recycle bin in Windows Vista and later. These $I files essentially replace the functionality of the INFO2 file used in Windows XP and store information such as the name and original path of a file before it was sent to the recycle bin as well as the time the file was sent to the recycle bin. The file format itself is trivial to manually parse in a hex editor, but I wanted to be able to demonstrate the value of the $I files to students in a class I was teaching without the need for a hex editor. I also wanted the students to be able to easily parse these files on their own. I was aware of a couple of free tools that parse $I files, but couldn’t find one that was exactly what I was looking for – so I decided to write one and provide it to my students. I doubt that I’m the only one to encounter this, so I’ve released this simple $I file parser in case someone else finds that they have a need for it. The link is at the bottom of this post for those interested.
One of the intriguing things I came across in writing this tool is that $I files from Windows 10 recycle bins vary slightly from those in Vista through 8.1. The change is not significant, but it is enough to potentially throw off some $I file parsers. The slight change also provides us with the ability to distinguish between $I files originating from a Windows 10 system and those originating from a Vista/7/8/8.1 system. This piece of information could be important in some instances. For example, if you encounter an $I file in the unallocated space of a Windows 10 system, you could determine whether that file was an artifact from a previous non-Windows 10 installation. Given the ability to distinguish Windows 10 $I files from previous versions, I’ve included a version field in the output of my $I file parser so that this information is reported. The difference I’ve noted between the Windows 10 $I file structure and that from previous versions of Windows is detailed below.
[Figure: $I structure prior to Win 10]

[Figure: Windows 10 $I structure]
As the two structures show, the only structural change in the Windows 10 version appears to be the addition of the file name length field at offset 24. This will typically result in $I files from Windows 10 systems being smaller than in prior versions, since the $I file is only as large as it needs to be. In prior versions, each $I file was a static 544 bytes. While not structural, another change can be found in the header/version field. The header field for Vista, 7, 8, and 8.1 is 0x01, while this field is 0x02 for Windows 10. This makes it very easy to distinguish between the two versions when parsing.
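To make the version difference concrete, here is an added example parser (my own illustration, not the $I Parse tool from this post) that handles both layouts: it reads the 8-byte header/version, 8-byte original size and 8-byte FILETIME deletion timestamp, then treats the name as a fixed 520-byte UTF-16LE field for version 1 or as a 4-byte character count at offset 24 followed by the name for version 2. The 4-byte width of the Windows 10 length field and the "characters including the terminating null" semantics are assumptions of this example; the sample $I records it builds are constructed test data, not evidence from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_SIZE = 544           # fixed size of a Vista..8.1 $I file
MAX_PATH_CHARS = 260    # 24-byte header + 260 UTF-16LE chars = 544 bytes
SAMPLE_DELETED = datetime(2016, 3, 14, 9, 26, 53, tzinfo=timezone.utc)  # constructed

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100-ns ticks since 1601-01-01 UTC."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - WIN_EPOCH) / timedelta(microseconds=1)) * 10

def parse_i_file(data: bytes) -> dict:
    """Parse one $I record; the version field decides how the name is stored."""
    if len(data) < 24:
        raise ValueError("$I file too short for the fixed 24-byte header")
    version, original_size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Vista..8.1: static record, name padded with nulls to 260 characters.
        if len(data) != V1_SIZE:
            raise ValueError(f"version 1 $I file should be {V1_SIZE} bytes, got {len(data)}")
        path = data[24:V1_SIZE].decode("utf-16-le").split("\x00", 1)[0]
        flavour = "Windows Vista/7/8/8.1"
    elif version == 2:
        # Windows 10: 4-byte character count (assumed width) at offset 24, then the name.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("version 2 name length runs past end of file")
        path = raw.decode("utf-16-le").rstrip("\x00")
        flavour = "Windows 10"
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "windows": flavour, "original_size": original_size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}

def build_sample(version: int, path: str, size: int, deleted: datetime) -> bytes:
    """Build a constructed $I record for testing; not real recycle-bin data."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    name = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + name.ljust(MAX_PATH_CHARS * 2, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + name

if __name__ == "__main__":
    for v in (1, 2):
        rec = build_sample(v, "C:\\Users\\lab\\notes.txt", 1234, SAMPLE_DELETED)
        print(len(rec), parse_i_file(rec))
```

Running it shows the version 1 record at exactly 544 bytes and the version 2 record at 28 bytes plus the name, which is the size difference the post describes.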
For those interested, the link to download my $I file parser can be found on the download page here.
Thanks very much for sharing and explaining this, Jason. Interesting how often "rolling your own" leads to these kinds of discoveries.
Thanks for this. Here’s a small addendum.
It looks like prior to W10, the $I header is 01 00 00 …
In W10, the $I header seems to be 02 00 00 …
Versions 1 and 2?
Yep, that’s right. Windows Vista through 8.1 uses 0x01 in the header field, while Windows 10 uses 0x02 (this is actually noted in the post). $I Parse, available at https://df-stream.com/recycle-bin-i-parser/, will report the version of the parsed $I file(s) as well.
Landed here looking for an answer, and this helps. Thanks. Now that I understand what is going on, is there a tool available to rename the recovered files back to what they originally were? I’m staring at about 20 GB of pictures that need to be renamed to what they were previously. I had to recover this data, which meant the use of “restore” was not an option.
Thanks for the note – I’m glad this was helpful. I know there are some commercial forensic tools that can handle this “auto-renaming” for you, if you have commercial options available to you. In terms of free options, you could look at scripting the renaming process based on the output of $I_Parse, RBCmd, or similar.