Linux cli command rifiuti2


SYNOPSIS

rifiuti or rifiuti-vista [-hv]

rifiuti [-x | [-n] [-t delim]] [-z] [-l codepage] [-o outfile] filename

rifiuti-vista [-x | [-n] [-t delim]] [-z] [-o outfile] file_or_directory

DESCRIPTION

Rifiuti2 analyses recycle bin files from Windows. Analysis of the Windows recycle bin is usually carried out during Windows computer forensics. Rifiuti2 can extract the deletion time, original path and size of deleted files, and whether the deleted files have been moved out of the recycle bin since they were trashed.

Rifiuti2 supports a wide range of Windows versions, from Windows 95 to Windows 10. The command used for analysis depends on the version of Windows that produced the recycle bin (not the version of the user’s system!), because the format differs vastly before and after Vista:

rifiuti-vista
For Vista or later, where the recycle bin is located in

\$Recycle.bin\<SID>\.

Each deleted file has its own accompanying index file recording the original path, file size and deletion time. If the original file is permanently deleted, so is the index file.

rifiuti
For Windows 95 to XP/2003, which uses a single index file named INFO2 (98 or above) or INFO (95 and NT4) under either

\RECYCLED\

(FAT 16/32) or

\RECYCLER\<SID>\

(NTFS). This file keeps a record of the deletion status and information for all deleted items, including those permanently removed or restored.

By default, both programs dump tab-delimited fields, which can be viewed on screen or imported into a spreadsheet program. The -x option instructs the program to dump XML-formatted content instead.

Since version 0.7.0, rifiuti2 output is in UTF-8 encoding only, including when writing files under Windows.

The index field has a different meaning for pre-Vista and post-Vista versions. INFO2 has an index number for each deleted item, indicating the chronological order of items. For the Vista version, it is the index file name instead, which matches the pattern “$Ixxxxxx.<ext>”, where x is a random alphanumeric character and <ext> matches the extension of the original deleted item.

Deletion time is represented in UTC by default. In tab-delimited mode, date/time is presented in a format recognized by spreadsheet programs, while in XML mode the ISO 8601 date/time format is used. For example, 3 PM on Christmas Day 2014 would be represented in these modes respectively as:

2014-12-25 15:00:00
2014-12-25T15:00:00Z

File size and file path are self-explanatory, but there are some special issues to be aware of. Refer to the CAVEATS section below for more detail.
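To show what the per-file index described above holds, here is an added Python example (not part of rifiuti2 or its man page) that parses a `$I` index file and prints the deletion time in both output styles. The binary layout (64-bit version, size and FILETIME fields followed by a UTF-16LE path) is not given on this page and is supplied from the commonly documented format; the sample record, index name and path are constructed.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Name pattern from the page: "$I" + six alphanumerics + original extension.
INDEX_NAME = re.compile(r"^\$I[0-9A-Za-z]{6}(\.[^\\/]*)?$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_index(name, data):
    """Parse one Vista-or-later $I index file (assumed layout, see lead-in)."""
    if not INDEX_NAME.match(name):
        raise ValueError(f"not an index file name: {name!r}")
    if len(data) < 28:
        raise ValueError("truncated index file")
    version, size, filetime = struct.unpack_from("<qqQ", data, 0)
    if version == 1:      # Vista to 8.1: fixed 260-character path field
        raw = data[24:24 + 520]
    elif version == 2:    # Windows 10: character count, then the path
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("path runs past end of file")
    else:
        raise ValueError(f"unknown index version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"index": name, "deleted": deleted, "size": size, "path": path}

def format_times(deleted):
    """Deletion time in the tab-delimited and XML styles shown above."""
    return (deleted.strftime("%Y-%m-%d %H:%M:%S"),
            deleted.strftime("%Y-%m-%dT%H:%M:%SZ"))

def make_sample(version, size, when, path):
    """Build a constructed $I record (sample data, not real evidence)."""
    ticks = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    encoded = (path + "\x00").encode("utf-16-le")
    head = struct.pack("<qqQ", version, size, ticks)
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(encoded) // 2) + encoded

if __name__ == "__main__":
    xmas = datetime(2014, 12, 25, 15, 0, tzinfo=timezone.utc)
    for ver in (1, 2):
        blob = make_sample(ver, 4096, xmas, r"C:\Users\alice\notes.txt")
        rec = parse_index("$IAB12CD.txt", blob)
        print(rec["index"], *format_times(rec["deleted"]), rec["size"], rec["path"], sep="\t")
```

Parsing an index file by hand like this is a useful cross-check when a tool's output for a single item looks wrong, since the stored time is UTC regardless of the examiner's local zone.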

OPTIONS

-o, --output=FILE
Write output to FILE.

-x, --xml
Output in XML format instead of tab-delimited values. In XML mode, all plain text options are disallowed, and the result is always in UTF-8 encoding. See below for plain text options.

-l, --legacy-filename=CODEPAGE
Show legacy filename if available (like “D:\Progra~1\”), and specify the CODEPAGE used by the Windows system that produced this INFO2 file. Any encoding supported by iconv(1) can be used, though for maximum accuracy of file name results it is better to stick with Microsoft codepages (such as CP850 or CP1252 for West European versions, CP932 for Japanese, etc.).

Note: This option is mandatory if the INFO2 file was created by Windows 95, 98 or ME, since recycle bins under these OSes don’t contain Unicode file names. This option does not exist in rifiuti-vista.

-z, --localtime
Present deletion time in the numeric time zone of the local system running the program. By default, UTC time is displayed, which is the time value recorded in index files. Using the Christmas example above, the time for Berlin (without daylight saving time) would be 2014-12-25T16:00:00+0100 in ISO 8601 format.

Note: It is possible to use any time zone of the user’s choice by setting the $TZ environment variable, though this is not recommended. See the ENVIRONMENT VARIABLE section below.

PLAIN TEXT OUTPUT OPTIONS

-t, --delimiter=STRING
String to use as delimiter (TAB by default). Other than normal characters, several escape sequences are also recognised:
\r (carriage return)
\n (line feed)
\t (tab)
\e (escape)

-n, --no-heading
Don’t show recycle bin path name, metadata and field headers.

-8, --always-utf8
(Option deprecated since version 0.7.0)

MISCELLANEOUS OPTIONS

-v, --version
Print version information and exit.

-h, --help
Show help options and exit.

--help-all
Show all help options and exit.

--help-text
Show plain text output options and exit.

EXAMPLES

`rifiuti-vista -x -z -o result.xml