Identity identification for deleted files

iruiper
Senior Member

Identity identification for deleted files

Posted: Mar 21, 06 17:50

Hello everybody,

I have just joined this forum because I work in forensic IT matters, and I am currently working on something I had not faced before. I would like someone to help me with this, because I believe that some of you have surely done something like this in the past.

My question is the following: is it possible to identify the user who has deleted a file? Is there a way to do this by examining the registry, or by using EnCase or any other software tool?

Moreover, there would be two clearly different situations:
a) A local user deletes a file. Is it possible to identify which user has done it?
b) A folder is network shared. Is it possible to identify which user, or at least from which IP, the file has been deleted/cut?

Thank you in advance for your cooperation.
 
  

keydet89
Senior Member

Re: Identity identification for deleted files

Posted: Mar 21, 06 18:03

To answer a), the response is, "yes", with the caveat of "...if the appropriate auditing (or some other monitoring mechanism) were enabled." The same answer _may_ hold true for b).

Harlan  
 
  

iruiper
Senior Member

Re: Identity identification for deleted files

Posted: Mar 21, 06 18:29

Ok... thank you. But what if no monitoring is implemented? I mean, could I do something if I just had an image of the hard drive involved (a general EnCase/AccessData forensic investigation)?

Thank you so much!  
 
  

arashiryu
Senior Member

Re: Identity identification for deleted files

Posted: Mar 21, 06 19:30

1) For a file deleted locally on the system you can use rifiuti, a free Foundstone tool to examine the contents of the recycle bin. It is a command-line tool. You will also need the sidtoname utility to decode the SID that you will see in the recycle bin to a user ID.
A second option is to create a forensic image with the free FTK Imager and open the image in FTK Imager; it will let you examine the recycle bin contents.

2) For a file deleted on a network share you need to look for event ID 564 in the server's security log. When an object for which successful delete access auditing has been enabled is actually deleted, event 564 is logged. To determine the name of the deleted object, look for a prior event 560 with the same handle ID.

Email me offline if you need more help. I have been in this situation plenty of times.  
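The recycle-bin half of the answer above, as an added example that is not part of the original post and is not rifiuti's or sidtoname's code: a small Python parser for the INFO2 file that rifiuti reads, plus the two lookups that turn a record into "which user, which file, when". It assumes the Windows XP (version 5) INFO2 layout: a 20-byte header whose fourth dword is the record size, then 800-byte records of a 260-byte ANSI path, record index, drive number, FILETIME of deletion, original size and a 520-byte Unicode path. The SID is not inside INFO2; it is the name of the per-user folder under RECYCLER that holds INFO2, so it is taken from the path. The RECYCLER path, the SID, the ProfileList mapping and the INFO2 bytes themselves are constructed sample data.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 20     # INFO2 header, Windows XP (version 5); assumed layout, see lead-in
RECORD_SIZE = 800    # 260-byte ANSI path + 20 bytes of metadata + 520-byte Unicode path
SID_RE = re.compile(r'S-1-\d+(?:-\d+)+')


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data):
    """Return one dict per INFO2 record, in file order."""
    version, _, _, record_size, _ = struct.unpack('<5I', data[:HEADER_SIZE])
    if record_size != RECORD_SIZE:
        raise ValueError(f'unexpected record size {record_size} (INFO2 version {version})')
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        ansi_path = rec[:260].split(b'\0', 1)[0].decode('latin-1')
        index, drive, ft, size = struct.unpack('<IIQI', rec[260:280])
        unicode_path = rec[280:].decode('utf-16-le').split('\0', 1)[0]
        path = unicode_path or ansi_path
        filename = path.rsplit('\\', 1)[-1]
        ext = filename.rsplit('.', 1)[1] if '.' in filename else ''
        records.append({
            'index': index,
            'drive': chr(ord('A') + drive),
            'path': path,
            'deleted_at': filetime_to_datetime(ft),
            'size': size,
            # The deleted file sits next to INFO2, renamed D<drive letter><index>.<ext>.
            'bin_name': f"D{chr(ord('a') + drive)}{index}" + (f'.{ext}' if ext else ''),
            # Emptying the bin zeroes the first byte of the ANSI path; the record remains.
            'purged': rec[0] == 0,
        })
    return records


def sid_from_path(info2_path):
    """The per-user bin is a folder under RECYCLER named after the owner's SID."""
    match = SID_RE.search(info2_path)
    if not match:
        raise ValueError(f'no SID in path {info2_path!r}')
    return match.group(0)


# Constructed stand-in for the SOFTWARE hive's
# Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>\ProfileImagePath values,
# which let a SID be resolved to a profile, and so a user name, from the image alone.
PROFILE_LIST = {
    'S-1-5-21-1004336348-1177238915-682003330-1004': r'%SystemDrive%\Documents and Settings\alice',
}


def resolve_sid(sid, profile_list=PROFILE_LIST):
    profile = profile_list.get(sid)
    return profile.rsplit('\\', 1)[-1] if profile else None


# Constructed sample: a RECYCLER path and an INFO2 file holding two records.
SAMPLE_INFO2_PATH = r'C:\RECYCLER\S-1-5-21-1004336348-1177238915-682003330-1004\INFO2'


def build_record(path, index, drive, deleted_at, size, purged=False):
    ansi = path.encode('latin-1').ljust(260, b'\0')
    if purged:
        ansi = b'\0' + ansi[1:]
    meta = struct.pack('<IIQI', index, drive, datetime_to_filetime(deleted_at), size)
    return ansi + meta + path.encode('utf-16-le').ljust(520, b'\0')


def build_sample_info2():
    recs = [
        build_record(r'C:\Documents and Settings\alice\My Documents\budget.xls', 1, 2,
                     datetime(2006, 3, 21, 17, 50, tzinfo=timezone.utc), 24576),
        build_record(r'C:\Documents and Settings\alice\Desktop\notes', 2, 2,
                     datetime(2006, 3, 21, 18, 3, tzinfo=timezone.utc), 512, purged=True),
    ]
    header = struct.pack('<5I', 5, 0, 0, RECORD_SIZE, HEADER_SIZE + RECORD_SIZE * len(recs))
    return header + b''.join(recs)
```

Against a real image you would read INFO2 out of each RECYCLER\<SID> folder, feed its bytes to parse_info2, and replace PROFILE_LIST with the ProfileList keys from the SOFTWARE hive. The purged flag matters in practice: the records survive an "Empty Recycle Bin", so the list of what a user deleted can be longer than what the bin currently shows.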
 
  

iruiper
Senior Member

Re: Identity identification for deleted files

Posted: Mar 21, 06 23:04

Your comments are very useful! Thank you!

However... how can I analyse that "Security Event Log"? Is there any file I can look into for this kind of info?

Greetings!  
 
  

arashiryu
Senior Member

Re: Identity identification for deleted files

Posted: Mar 21, 06 23:39

Log on to the server where the share is located. Go into Control Panel, then Administrative Tools. Open up Event Viewer and choose the security log. You can apply the built-in filter for the event IDs I mentioned earlier.
 
  

m7esec
Senior Member

Re: Identity identification for deleted files

Posted: Mar 21, 06 23:45

I usually dump the security event log using various tools, but a good one if the log is on a network is dumpevt by Somarsoft. This will put it in a comma-separated file which can be easily imported into Excel or any other spreadsheet. You can filter, sort, multi-sort, etc.

It's a free tool as well.
_________________
GSEC, GCFA, GCIH, EnCE
Certified Forensic Examiner
St. Louis, MO 
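Once the security log is in a comma-separated file, the 560/564 pairing arashiryu described earlier in the thread can be scripted instead of filtered by eye in a spreadsheet. The following is an added example, not code from either post and not dumpevt's output format: the three-column layout and every event row are constructed for illustration, while the "Key: value" lines inside the description follow the wording of the Windows 2000/2003 security events 540, 560 and 564. It pairs each 564 (Object Deleted) with the most recent earlier 560 (Object Open) that carries the same Handle ID and Process ID, reads the user from the 560 (the impersonated client user for share access, the primary user for a console user), and, as one step beyond the posts for the IP question in the original question, follows the 560's Client Logon ID back to a 540 network logon for the Source Network Address, a field assumed to be present as it is on Windows Server 2003.

```python
import csv
import io

# Constructed sample export (time, event id, event text). The column layout is an
# assumption for this example, not dumpevt's exact output; the "Key: value" lines
# follow the Windows 2000/2003 security event text for 540, 560 and 564.
SAMPLE_CSV = r'''time,event_id,description
"2006-03-21 17:40:02",540,"Successful Network Logon:
 User Name: bob
 Domain: CORP
 Logon ID: (0x0,0x3A2F1)
 Source Network Address: 10.1.2.33"
"2006-03-21 17:49:55",560,"Object Open:
 Object Name: D:\Shares\Projects\roadmap.doc
 Handle ID: 1520
 Process ID: 4
 Primary User Name: FILESRV$
 Client User Name: bob
 Client Domain: CORP
 Client Logon ID: (0x0,0x3A2F1)
 Accesses: DELETE"
"2006-03-21 17:49:56",564,"Object Deleted:
 Handle ID: 1520
 Process ID: 4"
"2006-03-21 17:52:10",560,"Object Open:
 Object Name: D:\Shares\Projects\status.txt
 Handle ID: 1520
 Process ID: 4
 Client User Name: carol
 Client Domain: CORP
 Client Logon ID: (0x0,0x3B110)
 Accesses: ReadData (or ListDirectory)"
"2006-03-21 18:03:41",560,"Object Open:
 Object Name: D:\Shares\Projects\old-plan.doc
 Handle ID: 1520
 Process ID: 1844
 Primary User Name: alice
 Primary Domain: FILESRV
 Primary Logon ID: (0x0,0x1A2B3)
 Client User Name: -
 Accesses: DELETE"
"2006-03-21 18:03:42",564,"Object Deleted:
 Handle ID: 1520
 Process ID: 1844"
'''

def parse_description(text):
    """Turn the 'Key: value' lines of an event's text into a dict."""
    fields = {}
    for line in text.splitlines():
        if ':' in line:
            key, value = line.split(':', 1)
            fields[key.strip()] = value.strip()
    return fields

def load_events(csv_text):
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{'time': r['time'], 'id': int(r['event_id']),
             'fields': parse_description(r['description'])} for r in reader]

def actor(fields):
    """User behind a 560: the impersonated client for share access, else the primary user."""
    client = fields.get('Client User Name', '-')
    if client and client != '-':
        return f"{fields.get('Client Domain', '')}\\{client}", fields.get('Client Logon ID')
    return (f"{fields.get('Primary Domain', '')}\\{fields.get('Primary User Name', '')}",
            fields.get('Primary Logon ID'))

def find_deletions(events):
    """Pair each 564 with the latest earlier 560 that has the same Handle ID and Process ID.

    Handle IDs are reused after a close, so only the most recent open counts and it is
    consumed once matched. The export is assumed to be in chronological order.
    """
    open_handles = {}    # (Handle ID, Process ID) -> most recent 560
    logon_source = {}    # Logon ID -> Source Network Address from a 540
    deletions = []
    for ev in events:
        f = ev['fields']
        if ev['id'] == 540:
            logon_source[f.get('Logon ID')] = f.get('Source Network Address')
        elif ev['id'] == 560:
            open_handles[(f.get('Handle ID'), f.get('Process ID'))] = ev
        elif ev['id'] == 564:
            opened = open_handles.pop((f.get('Handle ID'), f.get('Process ID')), None)
            if opened is None:      # log rolled over, or auditing was enabled mid-session
                deletions.append({'time': ev['time'], 'object': None, 'user': None, 'source': None})
                continue
            user, logon_id = actor(opened['fields'])
            deletions.append({
                'time': ev['time'],
                'object': opened['fields'].get('Object Name'),
                'user': user,
                'source': logon_source.get(logon_id),   # None for a console (local) user
                'delete_access': 'DELETE' in opened['fields'].get('Accesses', ''),
            })
    return deletions
```

The sample deliberately reuses handle 1520: bob's delete over the share, then carol's read-only open of another file with the same handle number, then alice's console delete in a different process. Matching only on Handle ID would mis-attribute; matching on the most recent open with the same Handle ID and Process ID, and consuming it at the 564, gives roadmap.doc to CORP\bob from 10.1.2.33 and old-plan.doc to the local user alice with no source address. A 564 with no surviving 560 is still reported, with empty fields, so a rolled-over log does not silently drop deletions.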
 
