Be a Better Detective #7
Investigating Windows Artifacts - Recycle Bin - 1

Hello Everyone. It is Husam again! Thank you for being part of this journey. Let’s try to be better cybersecurity & digital forensics warriors EVERY SINGLE DAY *_^
This series of posts covers real-world challenges faced and mistakes made by digital forensic practitioners. Try to solve them yourself and sharpen your investigative skills ^_^
Who Am I? Husam is just a guy who loves solving cyber-crime mysteries.
~ Sherlock Holmes by Day - Lupin by Night.
Do not forget to add this email ID to your whitelist, so that future issues do not land in your spam folder and get missed!
Below are some training providers I am partnering with whose content I think would be of added value to you, so check them out :)
The Scenario:
A senior digital forensic examiner, “Sami”, was assigned to mentor a junior one, “Husam”.
The senior examiner gave him RDP access to the computer of an employee suspected of being an insider threat.
Sami asked Husam to do some acquisition & examination on Prefetch, JumpList, Recycle Bin, and other listed artifacts, as he wanted to test the junior’s process, logic and tool usage.
Husam accessed the RDP machine and decided to start acquiring the Recycle Bin artifacts, as deleted files would have valuable details in this case.
He fired up the RBCmd tool by Eric Zimmerman to parse the Recycle Bin artifact, check the deleted files, and save the output into CSV files.
He checked the Recycle Bin folder, found multiple SID folders inside, and started parsing them.
Husam opened cmd.exe and wrote the following command:
RBCmd.exe -d C:\$Recycle.Bin\S-1-5-21-3938158668-2287341463-1928222349-1001\ --csv . --csvf 1001.csv
Unfortunately, he did not find any deleted files on that particular user’s SID as shown below:

After finishing all the parsing, he started analyzing the results.
Husam provided a mini report including parsing results, examination, his thoughts, etc. to Sami, but unfortunately Husam did not pass the mentorship assessment…
Here is the task: Why did Husam fail the mentorship assessment? Did anything go wrong?
𝐁𝐞 𝐚 𝐁𝐞𝐭𝐭𝐞𝐫 𝐃𝐞𝐭𝐞𝐜𝐭𝐢𝐯𝐞. 🕵
Hope this content opened your eyes and made you more aware of such cases ^_^
Cya till the next week ~Hoxed
You can find me on other social media here.
💡By the way, if you would like to be coached/mentored like in this scenario, go check out my full computer forensic case A-Z with peer review insights and hands-on guidance.
Thank you for reading this post, hope it was useful!

I can help you further with:
1️⃣ Cybersecurity Investigation Projects
2️⃣ Digital Forensic Coaching
3️⃣ LinkedIn Cybersecurity Companies Branding
Click here, so we can talk!
Training Providers’ Partner Links
Here are some amazing partners’ platforms to learn from; click on the one you are most interested in:
Note: These are affiliate links to companies I work with and I believe their content would be valuable to you. Using them helps support my content.



