TrashParse is a simple tool for analyzing Windows Recycle.Bin files based on $I & $R entry. Also a tool that originally inspired from $I parser.
$ pip install trashparse
For instances, you can check helper section by passing -h or --help.
$ trashparse -h
usage: trashparse [-h] [--sort attribute] [--write directory] [--quiet]
directory
Simple Recycle.Bin Windows Parser
positional arguments:
directory target directory
optional arguments:
-h, --help show this help message and exit
--sort attribute, -s attribute
Sort by attribute (name, time, size)
--write directory, -w directory
Write $R content into a directory; default="files/"
--quiet, -q quiet (Don't show list file) TrashParse allow you to generate general information by passing directory name that contains any file with $I prefix file
$ trashparse \$RECYCLE.BIN/S-1-5-21-4144826732-2003267707-115468498-1001
+--------------+----------------------------+------------+------+---------------------+
| Index | Deleted Time | Version | Size | Original Path |
+--------------+----------------------------+------------+------+---------------------+
| $IEW83YF.txt | 2020-11-30 22:12:27.451000 | Windows 10 | 30 | D:\samples\test.txt |
+--------------+----------------------------+------------+------+---------------------+
TrashParse allow you to extract content based on parsed fileinfo from $I and $R file
$ trashparse \$RECYCLE.BIN/S-1-5-21-4144826732-2003267707-115468498-1001 -q -w files
$ ls files/
test.txt
$ cat files/test.txt
This file will be deleted soon- hanasuru - Initial work
See also the list of contributors who participated in this project.
This project is licensed under the MIT License - see the LICENSE file for details