
Addition of Recycle Bin

Below is the hex dump around the first instance of "hellofolder" (orange) on the ReFS drive. Alongside it, an entry for the Recycle Bin, $RECYCLE.BIN (blue), has also been added to the file system. This was not a manual action and it was not present on the clean system; it was created automatically.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000758540  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................

000758560  78 00 00 00 10 00 1C 00 00 00 30 00 48 00 00 00 30 00 02 00 24 00 52 00 45 00 43 00 59 00 43 00  x.........0.H...0...$.R.E.C.Y.C.

000758580  4C 00 45 00 2E 00 42 00 49 00 4E 00 00 00 00 00 01 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00  L.E...B.I.N.....................

0007585A0  86 98 ED 46 7D 2B D0 01 6D 36 F0 46 7D 2B D0 01 6D 36 F0 46 7D 2B D0 01 6D 36 F0 46 7D 2B D0 01  ˜F}+Ɖ.m6ƉF}+Ɖ.m6ƉF}+Ɖ.m6ƉF}+Ɖ.

0007585C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 10 00 00 00 00 78 00 00 00 10 00 1A 00  ........................x.......

0007585E0  00 00 30 00 48 00 00 00 30 00 02 00 68 00 65 00 6C 00 6C 00 6F 00 66 00 6F 00 6C 00 64 00 65 00  ..0.H...0...h.e.l.l.o.f.o.l.d.e.

000758600  72 00 00 00 00 00 00 00 03 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 CB 15 9F 7D 2B D0 01  r........................Ë.Ÿ}+Ɖ.

000758620  10 CB 15 9F 7D 2B D0 01 10 CB 15 9F 7D 2B D0 01 10 CB 15 9F 7D 2B D0 01 00 00 00 00 00 00 00 00  .Ë.Ÿ}+Ɖ..Ë.Ÿ}+Ɖ..Ë.Ÿ}+Ɖ.........


The block below shows a similar situation in NTFS. The same has clearly happened: the Recycle Bin entry has been added towards the top of this block, with "hellofolder" appearing further down (not shown).

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

00012C360  08 03 24 00 4D 00 46 00 54 00 4D 00 69 00 72 00 72 00 00 00 00 00 00 00 25 00 00 00 00 00 01 00  ..$.M.F.T.M.i.r.r.......%.......

00012C380  70 00 5A 00 00 00 00 00 05 00 00 00 00 00 05 00 7D 93 76 46 7D 2B D0 01 7D 93 76 46 7D 2B D0 01  p.Z.............}"vF}+Ɖ.}"vF}+Ɖ.

00012C3A0  7D 93 76 46 7D 2B D0 01 7D 93 76 46 7D 2B D0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  }"vF}+Ɖ.}"vF}+Ɖ.................

00012C3C0  06 00 00 10 00 00 00 00 0C 00 24 00 52 00 45 00 43 00 59 00 43 00 4C 00 45 00 2E 00 42 00 49 00  ..........$.R.E.C.Y.C.L.E...B.I.

00012C3E0  4E 00 50 00 00 00 00 00 09 00 00 00 00 00 09 00 60 00 50 00 00 00 00 00 05 00 00 00 00 00 12 00  N.P.............`.P.............

00012C400  BA 5F B4 58 33 24 D0 01 BA 5F B4 58 33 24 D0 01 BA 5F B4 58 33 24 D0 01 BA 5F B4 58 33 24 D0 01  °_´X3$Ɖ.°_´X3$Ɖ.°_´X3$Ɖ.°_´X3$Ɖ.

00012C420  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 20 00 00 00 00 07 03 24 00 53 00 65 00  ................... ......$.S.e.

00012C440  63 00 75 00 72 00 65 00 0A 00 00 00 00 00 0A 00 60 00 50 00 00 00 00 00 05 00 00 00 00 00 05 00  c.u.r.e.........`.P.............

00012C460  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................

While the Recycle Bin entry has been added automatically to the drives above, it is not yet being used. In NTFS, when a file is deleted to the Recycle Bin, its metadata and its actual data are recorded separately: the metadata is held in a "$I" file (aqua) and the original data in a "$R" file (purple).

The blocks below show a deleted .txt file in NTFS.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

00012A100  0C 00 24 00 49 00 46 00 45 00 46 00 36 00 4B 00 43 00 2E 00 74 00 78 00 74 00 00 00 00 00 00 00  ..$.I.F.E.F.6.K.C...t.x.t.......

00012A120  2D 00 00 00 00 00 01 00 70 00 5A 00 00 00 00 00 26 00 00 00 00 00 01 00 25 0A 5A 8F 6D 41 D0 01  -.......p.Z.....&.......%.Z.mAƉ.

00012A140  25 0A 5A 8F 6D 41 D0 01 25 0A 5A 8F 6D 41 D0 01 25 0A 5A 8F 6D 41 D0 01 20 02 00 00 00 00 00 00  %.Z.mAƉ.%.Z.mAƉ.%.Z.mAƉ. .......


The block below shows the $R entry, which holds the file's actual data, and the block above shows the $I entry, which holds its metadata. Comparing the two, both carry the same name/reference (FEF6KC) followed by the original extension, and each is followed by its MACE times.

00012A2C0  0C 00 24 00 52 00 46 00 45 00 46 00 36 00 4B 00 43 00 2E 00 74 00 78 00 74 00 00 00 00 00 00 00  ..$.R.F.E.F.6.K.C...t.x.t.......

00012A2E0  2B 00 00 00 00 00 02 00 70 00 5A 00 00 00 00 00 26 00 00 00 00 00 01 00 7A 4D D9 1E 6B 41 D0 01  +.......p.Z.....&.......zMÙ.kAƉ.

00012A300  7A 4D D9 1E 6B 41 D0 01 25 0A 5A 8F 6D 41 D0 01 7A 4D D9 1E 6B 41 D0 01 30 00 00 00 00 00 00 00  zMÙ.kAƉ.%.Z.mAƉ.zMÙ.kAƉ.0.......


Further on in the file system, the $I metadata file of the deleted file can be found (shown below). Using Machor's (2008) paper on the Recycle Bin, the table below highlights and describes the parts that make up the entry.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

04010B8E0  00 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 0C 00 24 00 49 00 46 00 45 00 46 00 36 00 4B 00  ........ .........$.I.F.E.F.6.K.

04010B900  43 00 2E 00 74 00 78 00 74 00 00 00 00 00 00 00 80 00 00 00 38 02 00 00 00 00 18 00 00 00 01 00  C...t.x.t.......€...8...........

04010B920  20 02 00 00 18 00 00 00 01 00 00 00 00 00 00 00 1C 00 00 00 00 00 00 00 C0 E3 0E 90 6D 41 D0 01 .......................Àâ..mAƉ.

04010B940  45 00 3A 00 5C 00 72 00 65 00 63 00 69 00 70 00 65 00 2E 00 74 00 78 00 74 00 00 00 00 00 00 00  E.:.\.r.e.c.i.p.e...t.x.t.......


Type              | Length  | Contents                                                                    | Description
------------------|---------|-----------------------------------------------------------------------------|------------------------------------
File Header       | 8 bytes | 01 00 00 00 00 00 00 00                                                     |
File Size         | 8 bytes | 1C 00 00 00 00 00 00 00                                                     | Little endian.
Deleted Datestamp | 8 bytes | C0 E3 0E 90 6D 41 D0 01                                                     |
File Name         | -       | 45 00 3A 00 5C 00 72 00 65 00 63 00 69 00 70 00 65 00 2E 00 74 00 78 00 74 | Length depends on size of file name

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

04010A000  46 49 4C 45 30 00 03 00 C8 51 80 01 00 00 00 00 02 00 01 00 38 00 01 00 50 01 00 00 00 04 00 00  FILE0...ÈQ€.........8...P.......

04010A020  00 00 00 00 00 00 00 00 04 00 00 00 28 00 00 00 07 00 00 00 00 00 00 00 10 00 00 00 60 00 00 00  ............(...............`...

04010A040  00 00 00 00 00 00 00 00 48 00 00 00 18 00 00 00 2E CD C4 D2 6A 41 D0 01 2E CD C4 D2 6A 41 D0 01  ........H........˜ÄÒjAƉ..˜ÄÒjAƉ.

04010A060  21 B6 11 90 6D 41 D0 01 2E CD C4 D2 6A 41 D0 01 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  !¶..mAƉ..˜ÄÒjAƉ. ...............

04010A080  00 00 00 00 0D 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 00 00 00 78 00 00 00  ........................0...x...

04010A0A0  00 00 00 00 00 00 03 00 5A 00 00 00 18 00 01 00 26 00 00 00 00 00 01 00 2E CD C4 D2 6A 41 D0 01  ........Z.......&........˜ÄÒjAƉ.

04010A0C0  2E CD C4 D2 6A 41 D0 01 2E CD C4 D2 6A 41 D0 01 2E CD C4 D2 6A 41 D0 01 20 00 00 00 00 00 00 00  .˜ÄÒjAƉ..˜ÄÒjAƉ..˜ÄÒjAƉ. .......

04010A0E0  1C 00 00 00 00 00 00 00 20 00 00 00 00 00 00 00 0C 00 24 00 52 00 46 00 45 00 46 00 36 00 4B 00  ........ .........$.R.F.E.F.6.K.

04010A100  43 00 2E 00 74 00 78 00 74 00 00 00 38 00 00 00 80 00 00 00 38 00 00 00 00 00 18 00 00 00 01 00  C...t.x.t...8...€...8...........

04010A120  1C 00 00 00 18 00 00 00 4E 6F 20 73 75 67 61 72 0D 0A 43 6F 66 66 65 65 20 62 65 61 6E 73 0D 0A  ........No sugar..Coffee beans..

04010A140  4D 69 6C 6B 00 00 00 00 FF FF FF FF 82 79 47 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  Milk....ŸŸŸŸ‚yG.................


The block above shows the $R entry holding the deleted file's actual data, with the contents still intact (highlighted in blue). All of the above shows how the Recycle Bin works in NTFS; with ReFS it is likely to be different.

In the hex dumps below, the ReFS equivalents of the "$I" and "$R" files can be seen. Rows of tildes stand in for a number of rows of data that have been omitted, so that the most relevant data can be viewed more clearly.

The bytes highlighted in orange below read "C0 01" and "AC 01". These are little-endian addresses pointing to locations that hold further information of interest; when converted to byte offsets, they point to 800000 and 7B0000 respectively.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000799C60  0C 00 18 00 24 00 49 00 33 00 4B 00 50 00 37 00 4C 00 47 00 2E 00 74 00 78 00 74 00 A0 F8 FF FF  ....$.I.3.K.P.7.L.G...t.x.tøŸŸ

000799C80  40 04 00 00 10 00 1C 00 08 00 30 00 10 04 00 00 30 00 01 00 24 00 49 00 33 00 4B 00 50 00 37 00  @.........0.....0...$.I.3.K.P.7.

000799CA0  4C 00 47 00 2E 00 74 00 78 00 74 00 00 00 00 00 A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00  L.G...t.x.t.....¨...(...........

000799CC0  10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2E 3B 4B 95 6D 41 D0 01  .........................;K•mAƉ.

000799CE0  2E 3B 4B 95 6D 41 D0 01 2E 3B 4B 95 6D 41 D0 01 2E 3B 4B 95 6D 41 D0 01 20 00 00 00 00 00 00 00  .;K•mAƉ..;K•mAƉ..;K•mAƉ. .......

000799D00  02 07 00 00 00 00 00 00 04 00 00 00 00 00 00 00 F1 F8 16 19 01 00 00 00 20 02 00 00 00 00 00 00  ................ñø...... .......

~~~~~~~~~  ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

000799E40  30 00 00 00 10 00 10 00 00 00 10 00 20 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00  0........... ...................

000799E60  C0 01 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  À...............................

~~~~~~~~~  ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~  ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00079A0A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................................

00079A0C0  40 04 00 00 10 00 1C 00 00 00 30 00 10 04 00 00 30 00 01 00 24 00 52 00 33 00 4B 00 50 00 37 00  @.........0.....0...$.R.3.K.P.7.

00079A0E0  4C 00 47 00 2E 00 74 00 78 00 74 00 00 00 00 00 A8 00 00 00 28 00 01 00 00 00 00 00 10 01 00 00  L.G...t.x.t.....¨...(...........

00079A100  10 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 E8 5A 73 D6 6A 41 D0 01  ........................ÈZsÖjAƉ.

00079A120  B3 BB 75 D6 6A 41 D0 01 2E 3B 4B 95 6D 41 D0 01 E8 5A 73 D6 6A 41 D0 01 20 00 00 00 00 00 00 00  ³»uÖjAƉ..;K•mAƉ.ÈZsÖjAƉ. .......

00079A140  00 06 00 00 00 00 00 00 02 00 00 00 00 00 00 00 87 61 D6 EF 01 00 00 00 1C 00 00 00 00 00 00 00  ................‡aÖï............

~~~~~~~~~  ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~ ~~  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

00079A280  30 00 00 00 10 00 10 00 00 00 10 00 20 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00  0........... ...................

00079A2A0  AC 01 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ¬...............................



As can be seen below, offset 800000 (pointed to by C0 01) contains the file name, deleted timestamp and file size, in exactly the same format as in NTFS.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

000800000  01 00 00 00 00 00 00 00 1C 00 00 00 00 00 00 00 C0 38 4B 95 6D 41 D0 01 46 00 3A 00 5C 00 72 00  ................À8K•mAƉ.F.:.\.r.

000800020  65 00 63 00 69 00 70 00 65 00 2E 00 74 00 78 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  e.c.i.p.e...t.x.t...............



Then below, at offset 7B0000 (pointed to by AC 01), the file contents can be seen. The file contents, file size, file name and deleted date/time have now all been recovered.

Offset(h)  00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F

0007B0000  4E 6F 20 73 75 67 61 72 0D 0A 43 6F 66 66 65 65 20 62 65 61 6E 73 0D 0A 4D 69 6C 6B 00 00 00 00  No sugar..Coffee beans..Milk....


This shows some similarities to the NTFS file recycling method in the way the file information is stored. However, NTFS doesn't point to a separate location where the file contents are stored as ReFS does; in the example above the contents sit within the same MFT entry.
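As an added worked example (not code from the original article), the $I layout in the table above and the pointer resolution described for the ReFS entries can be put into a small Python parser. The record bytes are transcribed from the dumps on this page; the 16 KiB cluster size and 1 MiB volume base used to turn C0 01 and AC 01 into 800000 and 7B0000 are assumptions inferred from those two pairs of values, since the page does not state how the addresses were calculated.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# $I records transcribed from the hex dumps above: the ReFS one at 0x800000
# and the NTFS one that starts 8 bytes into the row at 0x4010B920.
REFS_I_RECORD = bytes.fromhex(
    "01 00 00 00 00 00 00 00 "   # header (the table's "File Header")
    "1C 00 00 00 00 00 00 00 "   # original file size, little endian (0x1C = 28)
    "C0 38 4B 95 6D 41 D0 01 "   # deletion timestamp, Windows FILETIME
    "46 00 3A 00 5C 00 72 00 65 00 63 00 69 00 70 00 "
    "65 00 2E 00 74 00 78 00 74 00 00 00 00 00 00 00 "   # UTF-16LE "F:\recipe.txt", NUL padding shortened
)
NTFS_I_RECORD = bytes.fromhex(
    "01 00 00 00 00 00 00 00 "
    "1C 00 00 00 00 00 00 00 "
    "C0 E3 0E 90 6D 41 D0 01 "
    "45 00 3A 00 5C 00 72 00 65 00 63 00 69 00 70 00 "
    "65 00 2E 00 74 00 78 00 74 00 00 00 00 00 00 00 "   # UTF-16LE "E:\recipe.txt"
)
# First 32 bytes of the data cluster at 0x7B0000, as shown in the dump above.
REFS_DATA_CLUSTER = bytes.fromhex(
    "4E 6F 20 73 75 67 61 72 0D 0A 43 6F 66 66 65 65 "
    "20 62 65 61 6E 73 0D 0A 4D 69 6C 6B 00 00 00 00 "
)

# ASSUMPTION: the page only gives the two results (C0 01 -> 800000, AC 01 -> 7B0000).
# Both are consistent with 16 KiB clusters counted from a 1 MiB volume base, so that
# is the mapping used here; verify it against your own image before relying on it.
CLUSTER_SIZE = 0x4000
VOLUME_BASE = 0x100000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


@dataclass
class RecycleIndex:
    header: int
    size: int
    deleted: datetime
    path: str


def parse_recycle_index(record: bytes) -> RecycleIndex:
    """Decode a $I record: three little-endian QWORDs followed by a UTF-16LE path."""
    if len(record) < 24:
        raise ValueError("record too short for a $I header")
    header, size, filetime = struct.unpack_from("<QQQ", record, 0)
    name_area = record[24:]
    # The path runs up to the first UTF-16 NUL (two zero bytes on an even boundary).
    end = 0
    while end + 1 < len(name_area) and name_area[end:end + 2] != b"\x00\x00":
        end += 2
    path = name_area[:end].decode("utf-16-le")
    return RecycleIndex(header, size, filetime_to_datetime(filetime), path)


def resolve_cluster_pointer(pointer: bytes) -> int:
    """Turn a little-endian cluster number (e.g. C0 01 00 00 ...) into a byte offset."""
    cluster = int.from_bytes(pointer[:8], "little")
    return VOLUME_BASE + cluster * CLUSTER_SIZE


def recover_deleted_file(index_record: bytes, data_cluster: bytes) -> tuple:
    """Pair a $I record with its data cluster, trimming the cluster to the recorded size."""
    info = parse_recycle_index(index_record)
    if len(data_cluster) < info.size:
        raise ValueError("data cluster is shorter than the size recorded in $I")
    return info, data_cluster[:info.size]


if __name__ == "__main__":
    for ptr in (b"\xC0\x01" + b"\x00" * 6, b"\xAC\x01" + b"\x00" * 6):
        print(f"{ptr[:2].hex(' ')} -> 0x{resolve_cluster_pointer(ptr):X}")
    info, data = recover_deleted_file(REFS_I_RECORD, REFS_DATA_CLUSTER)
    print(info.path, info.size, info.deleted.isoformat())
    print(data.decode("ascii"))
```

The same parser handles both records because, as the article notes, the $I layout is identical on NTFS and ReFS; only where the $R data lives differs. Trimming the data cluster to the size field from $I is what separates the 28 bytes of file content from the zero padding that follows it in the dump.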