How to do it...

You already know that each user has their own folder in the recycle bin. Recall the screenshot from the previous recipe about EnCase: there were a number of folders. To use Rifiuti2, you should first export one of those folders. There are a lot of tools capable of doing this, and you already know some of them, for example Autopsy, FTK Imager, and Magnet AXIOM.

Once you have exported the folder, you are ready to start the Windows Command Prompt and use the tool. If you are using a 32-bit system, go to the x32 folder; if you have a 64-bit system, go to the x64 folder. In both folders, you will find two Windows executables: rifiuti.exe and rifiuti-vista.exe. If you exported your folder from a Windows system up to (and including) XP, use rifiuti.exe, otherwise (starting from Vista) use rifiuti-vista.exe. In our case, the folder was exported from a Windows 10 image, so we used rifiuti-vista.exe.

    rifiuti-vista.exe S-1-5-21-3736901549-408126705-1870357071-1001 > rec_bin.txt

As you can see, we redirected the output to a TXT file. Look at its contents in the following figure:

Figure 7.5. Rifiuti2 output

Everything is parsed correctly. We have original paths, names, sizes, and deletion timestamps. Have you noticed the Cyrillic symbols? As we mentioned before, all localized versions of Windows are supported!
