recyclebin

$ target-query <path/to/target> -f recyclebin

Details

Module	dissect.target.plugins.os.windows.recyclebin.RecyclebinPlugin
Output	records

Module documentation

Recyclebin plugin.

Function documentation

Return files located in the recycle bin ($Recycle.Bin).

Yields RecycleBinRecords with fields:

hostname (string): The target hostname
domain (string): The target domain
ts (datetime): The time of deletion
path (path): The file original location before deletion
filesize (filesize): Filesize of the deleted path
deleted_path (path): Location of the deleted file after deletion $R file
source (path): Location of $I meta file on disk
user_id (string): SID of the user deleted the file, parsed from $I filepath
user (string): Username matching SID, lookup using Dissect user plugin

Details

Module	dissect.target.plugins.os.unix.trash.GnomeTrashPlugin
Output	records

Module documentation

Linux GNOME Trash plugin.

Function documentation

Yield deleted files from GNOME Trash folders.

Recovers deleted files and artifacts from $HOME/.local/share/Trash. Probably also works with other desktop interfaces as long as they follow the Trash specification from FreeDesktop.

Also parses media trash locations such as /media/$USER/$Label/.Trash-*, /mnt/$Label/.Trash-* and other locations as defined in /etc/fstab.

References:

• https://specifications.freedesktop.org/trash-spec/latest/

• https://github.com/GNOME/glib/blob/main/gio/glocalfile.c

• https://specifications.freedesktop.org/basedir-spec/latest/

Yields TrashRecord records with the following fields:

ts           (datetime): timestamp when the file was deleted or for expunged files when it could not be permanently deleted
path         (path):     path where the file was located before it was deleted
filesize     (filesize): size in bytes of the deleted file
deleted_path (path):     path to the current location of the deleted file
source       (path):     path to the .trashinfo file