Computer Forensics World :: View topic - File history - how to determine when and who deleted a file

Shraken (Newbie, joined Mar 03, 2014, 2 posts)
Posted: Tue Mar 04, 2014 12:29 am
Post subject: File history - how to determine when and who deleted a file

I have a system where a sensitive folder was deleted. It appears that one of our automated systems could have done this, but I also have some remote logon activity (legitimate), or it could in fact have been a misclicking user.

This is Windows XP, so NTFS file system. The data has since been recovered, at least what was not already overwritten.

Does anyone know of a way for me to find the file history before or after recovery?


Thanks,

PreferredUser (Newbie, joined Jan 01, 2007, 1130 posts, Location: USA)
Posted: Tue Mar 04, 2014 2:19 am

Probably best to start with creating a timeline from the subject computer. Then look at everything around the time you suspect the incident happened.

Shraken
Posted: Tue Mar 04, 2014 3:10 am

Well, I have a time for when the user logged off; the files were there.
Shortly after, I have a remote connection from a service desk technician browsing to the PC and replacing some desktop shortcuts.

We have a utility (Microsoft delprof), a user profile cleanup tool, that if it was run on that day would have deleted the folder in question. That department says it runs on a day other than when the data went missing, and the logs show 0 files deleted.

And I also have the forensic tech saying that it is impossible to find out what happened to the files because one of the support techs restored the files that went missing.

Either way it doesn't all add up properly. Was there at 5pm, gone at 8am.
I need to be able to see definitively that the system deleted it @ 7pm when this tool ran outside of its scoped hours, or to see domain user XY deleting it.

*edit*
And to determine if it is in fact a true statement that the evidence was contaminated because of the restore, or if it is a limitation of NTFS.

There is lots of finger pointing, and it is a district attorney's computer, which makes it extra delicate.

Second *edit*, hah.
I can see where the delprof2 executable ran @ 7pm, and the folder was in a directory that it would have looked in; it compared the folder name to AD, saw it as invalid and deleted it.

I now only need to be able to see, on the file itself on the HD, a timestamp of when it was deleted.

PreferredUser
Posted: Tue Mar 04, 2014 6:24 am

I meant using a tool like log2timeline or Plaso so you can see all the logs and entries.
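As an added illustration of the timeline approach PreferredUser recommends (example code written for this page, not something posted in the thread and not code from the log2timeline/Plaso projects): the script below normalises records from three sources into one UTC-ordered list and slices it to the "there at 5pm, gone at 8am" window. All sample records are constructed. The Security log rows use the Windows XP Security event IDs 528 (successful logon), 540 (network logon) and 538 (logoff) as they appear when exported from Event Viewer in local time; the host's zone is assumed to be UTC+10 to match the forum's clock; the delprof log format is invented. The $MFT rows make the point a practitioner would check on the real image: NTFS keeps no "deleted at" field in a file or folder record, so the deletion shows up indirectly, in the parent directory's $STANDARD_INFORMATION modified timestamp (updated when an index entry is removed) and, if the change journal was active and has not wrapped, in the $UsnJrnl record for the delete. Plaso parses those artefacts from the image itself; this example only demonstrates the merge-and-window step.

```python
"""Merge records from several sources into one UTC-ordered timeline and slice it
around a suspected deletion window (the merge-and-window step that log2timeline
/ Plaso perform at scale). Example code added to this page; every record below
is constructed sample data, not evidence from any real system."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the host's clock is UTC+10, the same offset the forum uses.
LOCAL = timezone(timedelta(hours=10))


@dataclass(frozen=True, order=True)
class Event:
    when: datetime       # always UTC, so sources stored in different zones line up
    source: str          # artefact the record came from
    description: str


# Constructed: Security log rows as exported from Event Viewer (local time).
# XP Security event IDs: 528 successful logon, 540 network logon, 538 logoff.
SECURITY_LOG = [
    ("2014-02-27 17:02:11", 538, r"DOMAIN\jdoe"),
    ("2014-02-27 18:41:03", 540, r"DOMAIN\svc_desk"),
    ("2014-02-27 19:00:05", 528, r"DOMAIN\svc_delprof"),
    ("2014-02-28 08:03:27", 528, r"DOMAIN\jdoe"),
]

# Constructed: $STANDARD_INFORMATION timestamps pulled from $MFT records (NTFS
# stores them as UTC). There is no "deleted at" field; the trace of a deletion
# is the parent directory's modified time, updated when its index entry goes.
MFT_TIMESTAMPS = [
    ("2014-02-27 06:15:40", r"C:\Documents and Settings\jdoe\My Documents\Case Notes",
     "$SI modified"),
    ("2014-02-27 09:00:12", r"C:\Documents and Settings\jdoe\My Documents",
     "$SI modified (directory index changed)"),
]

# Constructed: an application log in an invented format, local time.
DELPROF_LOG = """\
2014-02-27 19:00:07 delprof2 started, scanning C:\\Documents and Settings
2014-02-27 19:00:14 finished: 0 profiles deleted
"""
DELPROF_RE = re.compile(r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<msg>.*)")


def _parse(ts: str, tz: timezone) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' recorded in zone `tz` and return it in UTC."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc)


def build_timeline() -> list[Event]:
    """Normalise all sources to UTC Event objects and return them in time order."""
    events = [
        Event(_parse(ts, LOCAL), "Security.evt", f"EventID {eid} {user}")
        for ts, eid, user in SECURITY_LOG
    ]
    events += [
        Event(_parse(ts, timezone.utc), "$MFT", f"{what} {path}")
        for ts, path, what in MFT_TIMESTAMPS
    ]
    for line in DELPROF_LOG.splitlines():
        m = DELPROF_RE.match(line)
        if m:  # skip lines the format does not cover rather than fail
            events.append(Event(_parse(m["ts"], LOCAL), "delprof.log", m["msg"]))
    return sorted(events)


def events_between(events: list[Event], start_local: str, end_local: str) -> list[Event]:
    """Slice the timeline to a window given in local time (inclusive bounds)."""
    start, end = _parse(start_local, LOCAL), _parse(end_local, LOCAL)
    return [e for e in events if start <= e.when <= end]


def render(events: list[Event]) -> list[str]:
    """One line per event, in the date,time,source,description shape l2t CSV uses."""
    return [f"{e.when:%Y-%m-%d %H:%M:%S} UTC,{e.source},{e.description}" for e in events]


if __name__ == "__main__":
    timeline = build_timeline()
    # Last seen at 5pm, gone at 8am the next morning (local time).
    for row in render(events_between(timeline, "2014-02-27 17:00:00", "2014-02-28 08:00:00")):
        print(row)
```

Converting every source to UTC before sorting is the step that matters: a directory modified time read straight from $MFT (UTC) and a logon exported from Event Viewer (local) differ by ten hours on this host, and without the conversion the 7pm tool run and the directory change would not line up.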

All times are GMT + 10 Hours

Powered by phpBB 2.0.10 © 2001 phpBB Group