Identity identificacion for deleted files

23 Posts
8 Users
0 Likes
1,125 Views
iruiper
(@iruiper)
Posts: 145
Estimable Member
Topic starter
 

Hello everybody,

I have just joined this forum because I work in Forensic IT matters, and I am currently working on something I had not faced yet. I would like someone to help me with this, because I believe that some of you have surely done something like this in the past.

My doubt is the next one: is it possible to identify the identity of the user who has deleted a file? Is there a way to do this by examining the registry, or by using EnCase or any other software tool?

Moreover there would be two clearly different situations
a) A local user deletes a file. Is it possible to identify which user has done it?
b) A folder is network shared. Is it possible to identify which user, or at least from which IP the file has been deleted/cut?

Thank you in advance for your cooperation :)

 
Posted : 21/03/2006 4:50 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

To answer a), the response is, "yes", with the caveat of "…if the appropriate auditing (or some other monitoring mechanism) were enabled." The same answer _may_ hold true for b).

Harlan

 
Posted : 21/03/2006 5:03 pm
iruiper
(@iruiper)
Posts: 145
Estimable Member
Topic starter
 

Ok… thank you. But, what if no monitoring is implemented? I mean, could I do something if I just had an image of the hard drive involved (a general EnCase/AccessData forensic investigation)?

Thank you so much!

 
Posted : 21/03/2006 5:29 pm
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

1) For a file deleted locally on the system you can use rifiuti, a free Foundstone tool to examine the contents of the Recycle Bin. It is a command line tool. You will also need the sidtoname utility to decode the SID to a user id that you will see in the Recycle Bin.
Second option is if you create a forensic image with free FTK imager and open the image in FTK imager, it will let you examine the recycle bin contents.

2) For file deleted on a network share you need to look for event id 564 in the server's security log. When an object for which successful delete access has been enabled for auditing, Event 564 is logged upon actual deletion. To determine the name of the object deleted look for a prior event 560 with the same handle ID.

Email me offline if you need more help. I have been in this situation plenty of times.

 
Posted : 21/03/2006 6:30 pm
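The Recycle Bin approach above rests on the INFO2 index that Windows 2000/XP keeps in each user's RECYCLER\<SID> folder: every record stores the original path, the drive, the deletion time as a FILETIME and the record index that becomes the renamed file (Dc1.xls and so on), while the SID in the folder path is what identifies the account. The following Python parser is an added example, not code from the original thread or from rifiuti; the INFO2 bytes it reads are constructed inline from the documented 20-byte header and 800-byte record layout, and the paths, SID and timestamps are invented sample values.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 index and attribute each record to
the SID in the RECYCLER folder path. The sample INFO2 below is constructed."""
import re
import struct
from datetime import datetime, timedelta, timezone

# Header: version, two unknown DWORDs, record size (800 on 2000/XP), total size
INFO2_HEADER = struct.Struct("<IIIII")
# Record: 260-byte ASCII path, index, drive number, FILETIME, physical size,
# 520-byte UTF-16LE path (no padding because of the '<' byte-order prefix)
INFO2_RECORD = struct.Struct("<260sIIQI520s")
RECORD_SIZE = INFO2_RECORD.size  # 800
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_info2(data):
    """Return one dict per record; raises on a record size this parser does not know."""
    version, _, _, rec_size, _ = INFO2_HEADER.unpack_from(data, 0)
    if rec_size != RECORD_SIZE:
        raise ValueError(f"unsupported record size {rec_size} (INFO2 version {version})")
    records = []
    for off in range(INFO2_HEADER.size, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        ascii_name, index, drive, ft, size, uni_name = INFO2_RECORD.unpack_from(data, off)
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive),
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            # Prefer the Unicode path; the ASCII copy is kept for older tooling
            "original_path": uni_name.decode("utf-16-le").split("\x00", 1)[0]
                             or ascii_name.split(b"\x00", 1)[0].decode("latin-1"),
        })
    return records


def recycled_name(record):
    """Name the file carries inside the Recycle Bin: D<drive letter><index><ext>."""
    ext = record["original_path"].rsplit(".", 1)
    suffix = "." + ext[1] if len(ext) == 2 else ""
    return f"D{record['drive'].lower()}{record['index']}{suffix}"


def owner_sid_from_path(info2_path):
    """The SID is not inside INFO2; it is the RECYCLER subfolder that holds it."""
    match = SID_RE.search(info2_path)
    return match.group(0) if match else None


def build_sample_info2():
    """Constructed INFO2 content with two records (sample values, not evidence)."""
    def rec(path, index, drive, ft, size):
        return INFO2_RECORD.pack(path.encode("latin-1"), index, drive, ft, size,
                                 path.encode("utf-16-le"))
    # 127874334000000000 ticks == 2006-03-21 16:50:00 UTC; second record one hour later
    body = (rec(r"C:\Documents and Settings\alice\My Documents\budget.xls",
                1, 2, 127874334000000000, 24576)
            + rec(r"C:\Documents and Settings\alice\Desktop\notes.txt",
                  2, 2, 127874334000000000 + 36_000_000_000, 4096))
    header = INFO2_HEADER.pack(5, 0, 0, RECORD_SIZE, INFO2_HEADER.size + len(body))
    return header + body


if __name__ == "__main__":
    sid = owner_sid_from_path(r"E:\RECYCLER\S-1-5-21-1111-2222-3333-1001\INFO2")
    for r in parse_info2(build_sample_info2()):
        print(sid, r["deleted_at"].isoformat(), recycled_name(r), "<-", r["original_path"])
```

Mapping the SID to an account name is a separate step (sidtoname, or the ProfileList key in the SOFTWARE hive of the imaged system); the parser only tells you which profile's bin the record came from, and, as Harlan notes further down, nothing at all about files removed with Shift+Delete or from a command prompt.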
iruiper
(@iruiper)
Posts: 145
Estimable Member
Topic starter
 

Your comments are being very useful! Thank you!

However… how can I analyse that "Security Event Log"? Is there any file I can look into for this kind of info?

Greetings!

 
Posted : 21/03/2006 10:04 pm
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

Logon to the server where the share is located. Go into control panel then administrative tools. Open up event viewer and choose security log. You can apply the built in filter for the event ids I mentioned earlier.

 
Posted : 21/03/2006 10:39 pm
m7esec
(@m7esec)
Posts: 45
Eminent Member
 

I usually dump the Security Event log using various tools, but a good one if the log is on a network is dumpevt by Somarsoft. This will put it in a comma separated file which can be easily imported into Excel or any other spreadsheet. You can filter, sort, multi-sort, etc.

It's a free tool as well.

 
Posted : 21/03/2006 10:45 pm
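Once the Security log is in CSV form, the 564/560 correlation arashiryu describes can be scripted rather than done by hand in a spreadsheet: event 560 (Object Open) carries the account, the object name and a handle ID, event 564 (Object Deleted) carries only the handle ID, and event 562 (Handle Closed) releases that ID for reuse, so a deletion should be joined to the 560 that opened the handle and has not yet been closed. The script below is an added example, not the thread's or Somarsoft's code; the CSV rows and their column names are constructed for illustration and do not reproduce dumpevt's real output layout.

```python
"""Attribute Object Deleted (564) events to the account and object from the
matching Object Open (560) on the same handle ID. Sample CSV is constructed."""
import csv
import io

# Constructed export; the column names are an assumption, not dumpevt's format.
SAMPLE_CSV = r"""time,event_id,user,handle_id,object_name,client
2006-03-21 16:48:10,560,DOMAIN\alice,0x1a4,C:\Shares\Finance\budget.xls,10.0.0.15
2006-03-21 16:48:11,562,,0x1a4,,
2006-03-21 16:49:55,560,DOMAIN\bob,0x1a4,C:\Shares\Finance\report.doc,10.0.0.27
2006-03-21 16:50:02,564,,0x1a4,,
2006-03-21 16:51:30,564,,0x2f0,,
"""

EVENT_OBJECT_OPEN = 560
EVENT_HANDLE_CLOSED = 562
EVENT_OBJECT_DELETED = 564


def attribute_deletions(csv_text):
    """Walk the log in time order, tracking open handles so a reused handle ID
    is never matched to a stale 560. Returns one dict per 564 event."""
    open_handles = {}
    deletions = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["event_id"])
        handle_id = row["handle_id"]
        if event_id == EVENT_OBJECT_OPEN:
            open_handles[handle_id] = row
        elif event_id == EVENT_HANDLE_CLOSED:
            open_handles.pop(handle_id, None)
        elif event_id == EVENT_OBJECT_DELETED:
            opened = open_handles.pop(handle_id, None)
            deletions.append({
                "time": row["time"],
                "handle_id": handle_id,
                # None means the 560 is outside the exported window or was never audited
                "object": opened["object_name"] if opened else None,
                "user": opened["user"] if opened else None,
                "client": opened["client"] if opened else None,
            })
    return deletions


if __name__ == "__main__":
    for d in attribute_deletions(SAMPLE_CSV):
        who = d["user"] or "UNATTRIBUTED"
        print(f'{d["time"]}  {who:<20} {d["object"] or "?"}  from {d["client"] or "?"}')
```

In the sample the first 560 on handle 0x1a4 belongs to alice but is closed before bob reopens the same handle ID, so the deletion at 16:50:02 is correctly attributed to bob; the 564 on 0x2f0 has no open-handle record in the export and stays unattributed, which is exactly the case where the audit policy (or the export window) was insufficient.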
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

iruiper,

arashiryu's comments are good ones, but there are a couple of caveats.

First, rifiuti only works if the file had been deleted in a manner that deposits it in the Recycle Bin. Using the "del" command from the command prompt bypasses the Recycle Bin.

Second, looking for the event IDs is a good idea, but a waste of time if the appropriate auditing hasn't been enabled.

Harlan

 
Posted : 21/03/2006 11:19 pm
iruiper
(@iruiper)
Posts: 145
Estimable Member
Topic starter
 

Yes… I have just realized that sometimes the Event Logger isn't activated… as in the case I'm working on!! :D

Any other suggestions then??

 
Posted : 21/03/2006 11:25 pm
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

I recommend you get auditing turned on right away on the server and the client workstations. At least security related events like logon, logoff etc…

You might wanna get forensic image of the server and the workstations in question and process them with some forensics tools.

 
Posted : 22/03/2006 12:48 am
Page 1 / 3