How to do it...

The steps for Recycle Bin content analysis in EnCase Forensic are as follows:

  1. Let's start by creating a new case. To do this, click on the New Case link on the left. The Case Options window will pop up, as shown in the following figure:
Figure 7.1. Case Options
  2. We have chosen the #2 Forensic template, and there is a lot of information to fill in. Let's start with Case information. Here we have six fields to fill in: Case Number, Case Date, Examiner Name, Examiner I.D., Agency, and Description. All fields are self-explanatory, so just fill them in.
  3. Let's go to Name and location. Type your case's name or number in the first field, and choose the Base case folder (case files will be stored here). The Full case path field will be filled in automatically.
  4. Go to Evidence cache locations. You can store the cache in the base case folder (to do this, tick Use base case folder for primary evidence cache), or choose one or two other folders for it.
  5. Finally, if you want your case to be backed up, tick the Backup every option and choose its interval. Don't forget to choose the backup folder and the maximum size of the backup. Once everything is filled in, click OK.
  6. Now you see a window with your case information, and you are ready to add a forensic image. To do this, click the Add Evidence File link on the left.
Figure 7.2. Adding evidence

As you can see in the preceding screenshot, there are six evidence source options: you can Add Local Device (don't forget to use a write blocker), add a remote evidence source, add an E01 or RAW image, and so on. You already have both an E01 and a RAW image, so you can use either. We are going to use the E01 image. If you also plan to use an E01 image, click the Add Evidence File link; if you are using a RAW image, click Add Raw Image.

  7. Now you see your evidence file. Click on its name to see its contents. It may take some time for EnCase to parse the data. Once parsing is finished, go to the $Recycle.Bin folder:
Figure 7.3. $Recycle.Bin folder contents

As you can see in the preceding figure, $Recycle.Bin contains one subfolder per user security identifier (SID). Each subfolder is the Recycle Bin of the user with that SID, so the folder a deleted file sits in tells an examiner which user placed it there. Let's open one of them. In our case, we open the folder S-1-5-21-811620217-3902942730-3453695107-1000. Look at the next figure:

Figure 7.4. S-1-5-21-811620217-3902942730-3453695107-1000 folder contents

EnCase has parsed the Recycle Bin contents for you automatically and gathered a lot of valuable information: the original file name, its original path, the deletion date and time, and so on. The deletion timestamp is stored on disk in UTC, so make sure the time zone EnCase applies to the device matches the system you are examining before you report it.
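The fields EnCase displays come from the $I record that Windows writes next to each recycled file's $R content file. The following script is an added example, not code from the book or from EnCase: it parses a $I record (both the fixed-path format used by Vista through 8.1 and the length-prefixed format used by Windows 10), recovers the owning user's SID from the record's location under $Recycle.Bin, and names the matching $R file. The two records and the record location are constructed inline so the script runs offline; the SID is the one from the figure above, while the $IQ7X2K9.docx name, the paths, sizes and times are made up for the example.

```python
"""Parse $I records from a Windows $Recycle.Bin (added example, not the book's or EnCase's code)."""
import re
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the samples."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_i_record(data):
    """Decode one $I record into the fields EnCase shows for a recycled file.

    Layout (little-endian):
      0x00  u64  format version: 1 = Vista/7/8/8.1, 2 = Windows 10 1607+
      0x08  u64  original file size in bytes
      0x10  u64  deletion time as FILETIME (UTC)
      version 1: 0x18  520-byte fixed UTF-16LE path (260 chars), NUL padded
      version 2: 0x18  u32 path length in UTF-16 code units incl. NUL,
                 0x1C  UTF-16LE path
    """
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        if len(raw) != 520:
            raise ValueError("truncated version-1 path field")
    elif version == 2:
        if len(data) < 28:
            raise ValueError("version-2 record lacks the path length field")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated version-2 path field")
    else:
        raise ValueError(f"unknown $I format version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }


def owner_sid(record_location):
    """Return the SID of the $Recycle.Bin subfolder the record was found in.

    $Recycle.Bin holds one subfolder per user SID, so the folder, not the
    record itself, says whose Recycle Bin the file went into.
    """
    m = _SID_RE.search(record_location)
    if not m:
        raise ValueError("no SID folder in path: " + record_location)
    return m.group(0)


def content_file_for(i_name):
    """$I and $R files share their suffix: $IQ7X2K9.docx pairs with $RQ7X2K9.docx."""
    base = i_name.replace("\\", "/").rsplit("/", 1)[-1]
    if not base.startswith("$I"):
        raise ValueError("not a $I record name: " + base)
    return "$R" + base[2:]


def analyse(record_location, data):
    """Combine the parsed record with what its location tells us."""
    rec = parse_i_record(data)
    rec["owner_sid"] = owner_sid(record_location)
    rec["content_file"] = content_file_for(record_location)
    return rec


# --- constructed sample records (not from a real image) -----------------
def _build_v1(size, deleted_at, path):
    encoded = path.encode("utf-16-le")
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at)) + encoded.ljust(520, b"\x00")


def _build_v2(size, deleted_at, path):
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, datetime_to_filetime(deleted_at), len(encoded) // 2) + encoded


SAMPLE_SID = "S-1-5-21-811620217-3902942730-3453695107-1000"  # SID from the figure above
SAMPLE_LOCATION_V1 = "C:\\$Recycle.Bin\\" + SAMPLE_SID + "\\$IQ7X2K9.txt"   # hypothetical name
SAMPLE_LOCATION_V2 = "C:\\$Recycle.Bin\\" + SAMPLE_SID + "\\$IQ7X2K9.docx"  # hypothetical name
SAMPLE_V1 = _build_v1(4096, datetime(2017, 1, 1, tzinfo=timezone.utc),
                      "C:\\Users\\alice\\Desktop\\notes.txt")
SAMPLE_V2 = _build_v2(1234567, datetime(2017, 3, 15, 9, 30, 45, tzinfo=timezone.utc),
                      "C:\\Users\\alice\\Documents\\secret.docx")

if __name__ == "__main__":
    for loc, blob in ((SAMPLE_LOCATION_V1, SAMPLE_V1), (SAMPLE_LOCATION_V2, SAMPLE_V2)):
        print(loc)
        for key, value in analyse(loc, blob).items():
            print(f"  {key:14} {value}")
```

When run against a real image, feed `parse_i_record` the bytes of each $I file exported from the SID folder and pass the file's path to `analyse`; the truncation checks matter because a partially overwritten $I record is common in carved data, and silently decoding a short path field would give a wrong original path.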
