On Windows 10, we can find the Recycle Bin directory for all users located at C:\$Recycle.Bin. Insider this location are sub-folders using user account SIDs for the naming convention. To get a list of user accounts on a system Windows Management Instrumentation Command (WMIC) can be used: wmic useraccount get name,SID.

Files that begin with $R followed by a random string contain the true file contents of the recycled file.

Files that begin with $I and end in the same string as the $R file counterpart contain the metadata for that specific file, such as the original filename, path, size, and timestamp of when the file was deleted.

If the user has emptied the Recycle Bin, we lose this artifact and cannot analyze it. Instead, we would need to carve these files from a disk image.

Sections

ID	Name	Description
AF015	File Deletion	A subject deletes a file or files to prevent them from being available for later analysis or to disrupt the availability of a system. This could include log files, files downloaded by the subject, files created by the subject, or system files.
AF004.001	Clear Chrome Artifacts	A subject clears Google Chrome browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.
AF004.003	Clear Firefox Artifacts	A subject clears Mozzila Firefox browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.
AF004.002	Clear Edge Artifacts	A subject clears Microsoft Edge browser artifacts to hide evidence of their activities, such as visited websites, cache, cookies, and download history.