Handling files in the recycling bin with eDiscovery

jason-eevabits · July 3, 2025, 4:24pm

Hello,

I have a customer using the eDiscovery module and they noticed the eDiscovery scan had located files in the recycling bin when running a scan against a workstation.

I wanted to run a few questions by the community regarding this:

Can eDiscovery scan the actual contents of files in the recycling bin, or is it likely a false positive from the naming convention of the file?
If the files are being scanned, the naming convention that Windows uses for files in the recycling bin does not match the original, which makes it difficult to track what the original file was, even when it is restored. If this is the case, is there a recommended way to handle this?
Also, if a customer were to encrypt the target file path, would it not just encrypt the shortcut to the file, or would the actual original file be encrypted?
Lastly, if the content of the files in the recycling bin is not being scanned, and it’s a false positive, would it make more sense to just exclude the path to the recycling bin from scanning?

I’m also curious if other customers have had similar questions regarding the Windows recycling bin and if there is a recommended workflow for handling situations like these. I searched through the document for the terms “Recycle Bin” and “Recycling Bin” but didn’t see any results, so I figured I would run these by the community.

Thanks!

Jason

jeremy.moskowitz · July 3, 2025, 4:37pm

I think I get what you’re asking about. Give me and the team a little bit to analyze this and see what we can come up with.

Additionally welcome back to the community and thanks for taking the time to write in.

-Jeremy

simona.lazsadi · July 9, 2025, 12:08pm

Hi @jason-eevabits,

We’re currently trying to reproduce the scenario you described, but haven’t been successful so far. It seems like this might be something specific, so we want to ensure we gather all necessary information to address it thoroughly.

To help us assist you better, could you please collect all eD policy settings and dependencies for the affected customer, switch a sample computer to debug mode, replicate the scenario, and gather all relevant logs? Once you have this information, please submit a Support Ticket via the Netwrix Support Portal, including all the details provided here.

Once we receive all the necessary data and logs, our team will promptly conduct a detailed analysis and we will get back to you as soon as possible.
Let us know if you need any help with registering the Support Ticket.

We truly appreciate your cooperation and patience.

Thank you,
Simona

Topic		Replies	Views
Non-Persistent VDI and Netwrix Auditor Discussions & Questions auditor , activity-monitor	4	36	June 30, 2025
File Server Auditing Question Discussions & Questions auditor , file-server	6	33	June 30, 2025
How to block or log file uploads or personally identifiable information (PII) using CAP when using ChatGPT Discussions & Questions endpoint-protector , threat-prevention , content-aware-protection	5	55	June 27, 2025
Ability To Add Exclusions For Site Under MS Teams Monitoring Plan Ideas new , ideas	1	7	June 30, 2025
Integration with Modern Windows LAPS in Netwrix Privilege Secure Discussions & Questions laps , windowslaps , legacylaps	10	107	July 3, 2025

Handling files in the recycling bin with eDiscovery

Related topics