This article is unapologetically for the IT support readers and the inner geek in you!
With the release of Windows Vista years ago, Microsoft significantly changed how files and their corresponding details are represented within the Recycle Bin. In Windows XP, files placed into the Recycle Bin were moved into a hidden folder named \Recycler\%SID%, where %SID% is the SID of the user that performed the deletion. The files were renamed D%drive_letter%%index_number%.%file_extension%, where %drive_letter% is the original drive letter of the file, %index_number% is an index number, and %file_extension% is the original file’s extension. Additionally, a file named INFO2 was placed in the user’s Recycler folder; it contained entries, identified by index number, which described the original file’s full path/name and size.
Since Windows Vista, Microsoft has done away with the INFO2 file and completely changed the way files are named and indexed within the Recycle Bin. Firstly, the new Recycle Bin is located in a hidden directory named \$Recycle.Bin\%SID%, where %SID% is the SID of the user that performed the deletion. Secondly, when a file is moved into the Recycle Bin, the original file is renamed to $R followed by a set of random characters, keeping the original file extension. At the same time, a new file is created whose name begins with $I, followed by the same set of random characters given to the $R file and the same extension; this file contains the original filename/path, original file size, and the date and time that the file was moved to the Recycle Bin. The $I files are precisely 544 bytes long.
When you move a folder to the Recycle Bin, the folder itself is renamed to $R followed by a set of random characters, but the files/folders under that folder keep their original names. Just as when deleting an individual file, a $I file is created; it contains the original folder name, date/time deleted, and size. When using the information contained in the $I file for recovery purposes, you can safely assume that all files found under the $R folder structure within the Recycle Bin were deleted at the same time (and all at once). If a file was previously deleted out of the now deleted folder (but not yet removed from the Recycle Bin), it would have its own $R and $I files and not be grouped with the files that were deleted as part of the folder deletion action.
Unfortunately, unlike the INFO2 file, the new $I files are not in plain/readable text. To decode a $I file, you can use any disk/hex editor. The file is structured as follows:
Bytes 0-7: $I File header – always set to 01 followed by seven sets of 00.
Bytes 8-15: Original file size – stored in hex, in little-endian.
Bytes 16-23: Deleted date/time stamp – represented in number of seconds since Midnight, January 1, 1601.
Bytes 24-543: Original file path/name.
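The same layout can be decoded in Python instead of by hand in a hex editor. This is an added example, not code from the original article: the function names are hypothetical, the sample record is constructed, the path is assumed to be NUL-terminated UTF-16LE, and the timestamp is decoded as a Windows FILETIME (100-nanosecond ticks since January 1, 1601 UTC).

```python
import struct
from datetime import datetime, timedelta, timezone

I_FILE_SIZE = 544                 # fixed length given in the article
HEADER = b"\x01" + b"\x00" * 7    # bytes 0-7
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_i_file(data: bytes) -> dict:
    """Decode one Vista/7/8 $I record into its three fields."""
    if len(data) != I_FILE_SIZE:
        raise ValueError(f"expected {I_FILE_SIZE} bytes, got {len(data)}")
    if data[:8] != HEADER:
        raise ValueError("unexpected $I header")
    # Bytes 8-15: size, bytes 16-23: deletion time, both little-endian 64-bit.
    size, filetime = struct.unpack_from("<QQ", data, 8)
    # FILETIME ticks are 100 ns each; integer-divide to get microseconds.
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    # Bytes 24-543: UTF-16LE path, NUL-terminated and zero-padded (assumption).
    raw = data[24:]
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"size": size, "deleted_utc": deleted, "path": path}


def build_sample() -> bytes:
    """Constructed sample record (not taken from a real system)."""
    path = "C:\\Users\\alice\\Documents\\report.docx".encode("utf-16-le")
    when = datetime(2013, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    ticks = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    body = HEADER + struct.pack("<QQ", 73_216, ticks) + path
    return body.ljust(I_FILE_SIZE, b"\x00")


if __name__ == "__main__":
    rec = parse_i_file(build_sample())
    print(rec["path"], rec["size"], rec["deleted_utc"].isoformat())
```

The decoded time is in UTC; convert it to the examined system's time zone before comparing it with local-time artifacts.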
So there you have it. The new Vista/Windows 7/Windows 8 Recycle Bin is just as easy to deal with as the XP one – in fact, when it comes to whole folder deletions, it is even easier.