Incident Response with EZTools - Recycle Bin Artifact Parser

RBCmd, bundled with EZTools, is a parser for Recycle Bin artifacts: the INFO2 and $I files.

INFO2 is an index of every file that has been deleted, together with metadata about each recycled file. For each entry it records the original path, the file size, and the time of deletion.

A $I file holds the metadata for one specific recycled file (unlike INFO2, which holds the metadata for every file in the Recycle Bin). It records the original filename and path, the file size, and the time of deletion.

During an incident, a file of interest may have been deleted from disk; recovering the Recycle Bin artifact and parsing it tells the responder what was deleted, from where, and when.
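As an added example (not RBCmd's code), a small Python parser for the $I layout described above, run against a constructed record. It assumes the two header versions noted in the comments and a Windows FILETIME (100 ns ticks since 1601) for the deletion timestamp.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed $I layout (not taken from the original article):
#   offset 0: u64 header version (1 = Vista/7, 2 = Windows 10+)
#   offset 8: u64 original file size
#   offset 16: u64 deletion time as FILETIME (100 ns ticks since 1601-01-01 UTC)
#   version 1: 520-byte fixed UTF-16LE path field, NUL padded
#   version 2: u32 char count (incl. NUL) then UTF-16LE path
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def parse_dollar_i(data: bytes) -> dict:
    """Parse one $I record into version, original size, deletion time and path."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I header version {version}")
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}


def build_sample_v2(path: str, size: int, deleted: datetime) -> bytes:
    """Build a constructed version-2 $I record (demo data, not from a real system)."""
    ft = int((deleted - WINDOWS_EPOCH) / timedelta(microseconds=1)) * 10
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + encoded


# Constructed sample: a file deleted on 2024-01-15 10:30:00 UTC.
SAMPLE_PATH = r"C:\Users\alice\Documents\report.docx"
SAMPLE_I = build_sample_v2(SAMPLE_PATH, 4096,
                           datetime(2024, 1, 15, 10, 30, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, value in parse_dollar_i(SAMPLE_I).items():
        print(f"{key}: {value}")
```

To run it against a real artifact, read the `$I......` file from `$Recycle.Bin\<SID>\` as bytes and pass it to `parse_dollar_i`.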

Recycle Bin Forensics