glassdfir/CyberChefRecycleBin.json

## CyberChefRecycleBin.json
[
  { "op": "Conditional Jump",
    "args": ["^(\\x01|\\x02)", true, "Error", 10] },
  { "op": "Find / Replace",
    "args": [{ "option": "Regex", "string": "^(\\x02.{23})(....)" }, "$1", false, false, false, false] },
  { "op": "Subsection",
    "args": ["^.{24}(.*)", true, true, false] },
  { "op": "Decode text",
    "args": ["UTF16LE (1200)"] },
  { "op": "Find / Replace",
    "args": [{ "option": "Regex", "string": "^(.*)." }, "\\nDeleted File Path: $1", false, false, false, false] },
  { "op": "Merge",
    "args": [] },
  { "op": "Subsection",
    "args": ["^.{16}(.{8})", false, true, false] },
  { "op": "Swap endianness",
    "args": ["Raw", 8, true] },
  { "op": "To Hex",
    "args": ["None"] },
  { "op": "Windows Filetime to UNIX Timestamp",
    "args": ["Seconds (s)", "Hex"] },
  { "op": "From UNIX Timestamp",
    "args": ["Seconds (s)"] },
  { "op": "Find / Replace",
    "args": [{ "option": "Regex", "string": "^(.* UTC)" }, "\\nFile Deletion Time: $1", true, false, true, false] },
  { "op": "Merge",
    "args": [] },
  { "op": "Subsection",
    "args": ["^.{8}(.{8})", true, true, false] },
  { "op": "To Hex",
    "args": ["None"] },
  { "op": "Swap endianness",
    "args": ["Hex", 8, true] },
  { "op": "From Base",
    "args": [16] },
  { "op": "Find / Replace",
    "args": [{ "option": "Regex", "string": "^(.*)" }, "\\nDeleted File Size: $1 bytes", true, false, true, true] },
  { "op": "Merge",
    "args": [] },
  { "op": "Find / Replace",
    "args": [{ "option": "Regex", "string": "^.{8}" }, "******** WINDOWS RECYCLE BIN METADATA ********", true, false, false, false] },
  { "op": "Jump",
    "args": ["Do Nothing", 10] },
  { "op": "Label",
    "args": ["Error"] },
  { "op": "Find / Replace",
    "args": [{ "option": "Regex", "string": "^.*$" }, "This doesn't look like a Recycle Bin file to me ", true, false, true, false] },
  { "op": "Label",
    "args": ["Do Nothing"] }
]
	[
	{ "op": "Conditional Jump",
	"args": ["^(\\x01\|\\x02)", true, "Error", 10] },
	{ "op": "Find / Replace",
	"args": [{ "option": "Regex", "string": "^(\\x02.{23})(....)" }, "$1", false, false, false, false] },
	{ "op": "Subsection",
	"args": ["^.{24}(.*)", true, true, false] },
	{ "op": "Decode text",
	"args": ["UTF16LE (1200)"] },
	{ "op": "Find / Replace",
	"args": [{ "option": "Regex", "string": "^(.*)." }, "\\nDeleted File Path: $1", false, false, false, false] },
	{ "op": "Merge",
	"args": [] },
	{ "op": "Subsection",
	"args": ["^.{16}(.{8})", false, true, false] },
	{ "op": "Swap endianness",
	"args": ["Raw", 8, true] },
	{ "op": "To Hex",
	"args": ["None"] },
	{ "op": "Windows Filetime to UNIX Timestamp",
	"args": ["Seconds (s)", "Hex"] },
	{ "op": "From UNIX Timestamp",
	"args": ["Seconds (s)"] },
	{ "op": "Find / Replace",
	"args": [{ "option": "Regex", "string": "^(.* UTC)" }, "\\nFile Deletion Time: $1", true, false, true, false] },
	{ "op": "Merge",
	"args": [] },
	{ "op": "Subsection",
	"args": ["^.{8}(.{8})", true, true, false] },
	{ "op": "To Hex",
	"args": ["None"] },
	{ "op": "Swap endianness",
	"args": ["Hex", 8, true] },
	{ "op": "From Base",
	"args": [16] },
	{ "op": "Find / Replace",
	"args": [{ "option": "Regex", "string": "^(.*)" }, "\\nDeleted File Size: $1 bytes", true, false, true, true] },
	{ "op": "Merge",
	"args": [] },
	{ "op": "Find / Replace",
	"args": [{ "option": "Regex", "string": "^.{8}" }, "****** WINDOWS RECYCLE BIN METADATA ******", true, false, false, false] },
	{ "op": "Jump",
	"args": ["Do Nothing", 10] },
	{ "op": "Label",
	"args": ["Error"] },
	{ "op": "Find / Replace",
	"args": [{ "option": "Regex", "string": "^.*$" }, "This doesn't look like a Recycle Bin file to me ", true, false, true, false] },
	{ "op": "Label",
	"args": ["Do Nothing"] }
	]