Recipe difficulty: Medium

Python version: 2.7

Operating system: Linux

While that may not be the exact saying, forensic examination of deleted files residing in the Recycle Bin is an important step in most investigations. The non-technical custodian likely does not understand that these files sent to the Recycle Bin are still present and that we can learn a good deal about the original file, such as its original file path and the time that it was sent to the Recycle Bin. While the specific artifacts vary between versions of Windows, this recipe focuses on the Windows 7 version of the Recycle Bin's $I and $R files.