Module Contents



Recyclebin plugin.


dissect.target.plugins.os.windows.recyclebin.c_recyclebin_i = Multiline-String
Show Value
struct header_v1 {
    int64    version;
    int64    file_size;
    int64    timestamp;
    wchar    filename[260];
struct header_v2 {
    int64    version;
    int64    file_size;
    int64    timestamp;
    int32    filename_length;
    wchar    filename[filename_length];
class dissect.target.plugins.os.windows.recyclebin.RecyclebinPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Recyclebin plugin.

check_compatible() None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.


UnsupportedPluginError – If the plugin could not be loaded.

recyclebin() Generator[RecycleBinRecord, None, None]

Return files located in the recycle bin ($Recycle.Bin).

Yields RecycleBinRecords with fields:

hostname (string): The target hostname domain (string): The target domain ts (datetime): The time of deletion path (uri): The file original location before deletion filesize (filesize): Filesize of the deleted file sid (string): SID of the user deleted the file, parsed from $I filepath user (string): Username matching SID, lookup using Dissect user plugin deleted_path (uri): Location of the deleted file after deletion $R file source (uri): Location of $I meta file on disk

read_recycle_bin(bin_path: dissect.target.helpers.fsutil.TargetPath) Generator[RecycleBinRecord, None, None]
read_bin_file(bin_path: dissect.target.helpers.fsutil.TargetPath) RecycleBinRecord
find_sid(path: dissect.target.helpers.fsutil.TargetPath) str
select_header(data: bytes) dissect.cstruct.Structure

Selects the correct header based on the version field in the header