Handling files in the recycling bin with eDiscovery

Hello,

I have a customer using the eDiscovery module and they noticed the eDiscovery scan had located files in the recycling bin when running a scan against a workstation.

I wanted to run a few questions by the community regarding this:

  • Can eDiscovery scan the actual contents of files in the recycling bin, or is it likely a false positive from the naming convention of the file?

  • If the files are being scanned, the naming convention that Windows uses for files in the recycling bin does not match the original, which makes it difficult to track what the original file was, even when it is restored. If this is the case, is there a recommended way to handle this?

  • Also, if a customer were to encrypt the target file path, would it not just encrypt the shortcut to the file, or would the actual original file be encrypted?

  • Lastly, if the content of the files in the recycling bin is not being scanned, and it’s a false positive, would it make more sense to just exclude the path to the recycling bin from scanning?

I’m also curious if other customers have had similar questions regarding the Windows recycling bin and if there is a recommended workflow for handling situations like these. I searched through the document for the terms “Recycle Bin” and “Recycling Bin” but didn’t see any results, so I figured I would run these by the community.

Thanks!

Jason

I think I get what you’re asking about. Give me and the team a little bit to analyze this and see what we can come up with.

Additionally, welcome back to the community, and thanks for taking the time to write in.

-Jeremy

2 Likes

Hi @jason-eevabits,

We’re currently trying to reproduce the scenario you described, but haven’t been successful so far. It seems like this might be something specific, so we want to ensure we gather all necessary information to address it thoroughly.

To help us assist you better, could you please collect all eD policy settings and dependencies for the affected customer, switch a sample computer to debug mode, replicate the scenario, and gather all relevant logs? Once you have this information, please submit a Support Ticket via the Netwrix Support Portal, including all the details provided here.

Once we receive all the necessary data and logs, our team will promptly conduct a detailed analysis and we will get back to you as soon as possible.
Let us know if you need any help with registering the Support Ticket.

We truly appreciate your cooperation and patience.

Thank you,
Simona

1 Like

Simona,

Thank you for providing an update!

I will gather all of the requested information and submit everything into a ticket.

I will let you know if I run into any issues during this process.

Thanks!

Jason

1 Like

Hi Jason,

That’s great! Thank you for your understanding.
We’ll keep you updated!

Regards,
Simona

1 Like

Hi Simona,

I wanted to give you an update and let you know I have submitted a ticket with the information you requested. If you need any additional information from me to address this, please let me know.

Thanks!

Jason

Hello Everyone,

I heard back from Netwrix support and wanted to share their responses as I feel the information will be helpful for others with related questions:

eDiscovery scans in Netwrix Endpoint Protector do include files located in the Windows Recycle Bin, and the actual content of these files is scanned. However, due to Windows’ renaming conventions for files in the Recycle Bin, it can be difficult to correlate scan results with the original files. If file path encryption is used as a remediation action, it encrypts the actual file, not just a shortcut. If scanning Recycle Bin files creates confusion or is not desired, excluding the Recycle Bin path from scans is a recommended best practice.

1. Does eDiscovery scan the actual content of Recycle Bin files?

Yes, eDiscovery scans the actual content of files in the Recycle Bin. This is not a false positive due to naming conventions; the files themselves are scanned for sensitive content, regardless of their location, including the Recycle Bin. This behavior has been confirmed in both customer environments and lab tests. The scan results will show files from the Recycle Bin, but the file names and paths will be altered due to how Windows manages deleted files. The original file extension is preserved, but the name is changed, making it difficult to identify the original file directly from the scan results. This is a Windows behavior, not a Netwrix-specific issue.¹,²

2. Tracking original files after restoration

Windows changes the file name and path when a file is moved to the Recycle Bin. When restored, the file regains its original name and location, but during its time in the Recycle Bin, the scan results will only show the altered path and name. There is no built-in mechanism in eDiscovery to automatically map the Recycle Bin file back to its original name and path. Manual correlation is required if you need to trace a flagged file back to its source.¹,²

3. File path encryption: shortcut or original file?

If you use the ‘Encrypt on target’ remediation action from the eDiscovery scan results, the actual file in the Recycle Bin (or any other location) is encrypted. This does not just encrypt a shortcut or reference; the file itself is encrypted in place. This is intended to mitigate risks if sensitive data is found.³

4. Should the Recycle Bin path be excluded if results are confusing?

If scanning files in the Recycle Bin is not useful for your use case or creates confusion due to altered file names, it is a best practice to exclude the Recycle Bin path from your eDiscovery scan policies. This can be done by adding the Recycle Bin path to the Allowlist or exclusion list in your policy configuration. This approach is supported and recommended if the scan results from the Recycle Bin do not provide actionable value.¹

5. Best practices and workflow

  • If you want to avoid scanning Recycle Bin files, explicitly exclude the Recycle Bin path in your eDiscovery policy.
  • If you need to scan all files, be aware that Recycle Bin entries will appear with altered names and paths, and manual investigation may be needed to trace them.
  • Remediation actions (encrypt, delete, etc.) apply to the actual file, regardless of its location.

There is no official documentation specifically about Recycle Bin handling, but these practices are based on community discussions, lab confirmations, and product behavior.

Hopefully this information is helpful!

Thanks!

Jason

2 Likes
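The manual correlation mentioned in the post above can be scripted. This is an added example, not part of the original post and not Netwrix code: on Windows Vista and later, each deleted file is stored as `$R<id>.<ext>` next to a `$I<id>.<ext>` metadata file that records the original path, size and deletion time. The scan-result path format, the SID, the file names and the helper names below are assumptions, and the sample record is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_i_file(data: bytes) -> dict:
    """Parse a $I metadata file: version, size, deletion time, original path."""
    if len(data) < 24:
        raise ValueError("too short for a $I header")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:      # Vista to 8.1: fixed 260-character UTF-16LE path
        raw = data[24:24 + 520]
    elif version == 2:    # Windows 10 and later: length-prefixed path
        if len(data) < 28:
            raise ValueError("truncated version 2 header")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("truncated path")
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    deleted = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"original_path": path, "size": size, "deleted_utc": deleted}

def correlate(scan_path: str, i_files: dict) -> dict:
    """Map a flagged $R path to its original path via the sibling $I file.
    i_files maps "$I..." names from the same SID folder to their bytes."""
    name = scan_path.replace("/", "\\").rsplit("\\", 1)[-1]
    if not name.upper().startswith("$R"):
        raise ValueError("not a Recycle Bin data file name")
    wanted = ("$I" + name[2:]).upper()
    for key, data in i_files.items():
        if key.upper() == wanted:
            return parse_i_file(data)
    raise KeyError(wanted)

def make_sample_v2(path: str, size: int, filetime: int) -> bytes:
    """Build a constructed version 2 $I record so the example runs offline."""
    encoded = (path + "\x00").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, filetime, len(path) + 1) + encoded

# Constructed sample data (not from the thread): SID, names and path are made up.
SCAN_HIT = r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\$RAB12CD.xlsx"
SAMPLE_I_FILES = {"$IAB12CD.xlsx": make_sample_v2(
    r"C:\Users\alice\Documents\payroll.xlsx", 20480, 133485408000000000)}

if __name__ == "__main__":
    print(correlate(SCAN_HIT, SAMPLE_I_FILES))
```

On a live workstation, `i_files` would be filled by reading the `$I*` files from the same SID folder as the flagged `$R` file; the SID in the path also identifies which user account deleted it.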

Hi Jason,

Thank you for sharing this valuable information here! These explanations will definitely serve as a helpful resource and best practice guide for similar future inquiries.
I’m also happy to hear that our Support Team was able to respond promptly to your questions, helping you resolve the issue efficiently.

I hope this information proves to be incredibly beneficial for your customer.

All the best,
Simona