Identity identification for deleted files


iruiper
Senior Member
 

Re: Identity identification for deleted files

Post Posted: Mar 22, 06 14:47

Yes, arashiryu, I had already thought about something like that: maybe the metadata of Office documents may help, just to know who was the last person to modify any of the documents. Thank you for the advice.

However, what seems to me a very interesting idea is the one ifindstuffucantfind and koko are commenting on: I have been browsing my own registry (I still don't have access to the server I want to analyse) and I can't find that "autosync" registry key. Does anyone know where I could find information about user logins and the date/time of those connections? Thank you all!
 
  

keydet89
Senior Member
 

Re: Identity identification for deleted files

Post Posted: Mar 22, 06 17:44

iruiper,

ifindstuffucantfind and koko have the right idea, though their approach might not be the best.

In order to log into a system, a user must have an account on the system. This information is maintained in the SAM portion of the Registry, which isn't normally accessible while the system is live.

On an imaged system, you can derive user information from the SAM file by parsing the V and F structures for each user. For more information on these structures, check out these two blog entries:

windowsir.blogspot.com...osted.html
windowsir.blogspot.com...-from.html

I believe that there is an EnScript that does this sort of thing, but from the output I've seen posted to the Windows Forensic Analysis group on Yahoo, it doesn't include some information displayed by the ProScript I posted.

Hope this helps somewhat...

Harlan  
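To make the "parse the V and F structures" step concrete, here is an added example (written for this thread, not Harlan's ProScript or any EnScript) that decodes the two values found under SAM\Domains\Account\Users\<RID> in an exported SAM hive. The byte offsets are the ones documented by community SAM parsers (RegRipper's samparse plugin among them); the F and V blobs used below are constructed in the script itself, not taken from a real system, and the account name and dates in them are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

# Byte offsets inside the F value of SAM\Domains\Account\Users\<RID>,
# as documented by community SAM parsers (e.g. RegRipper's samparse).
F_LAST_LOGON, F_PWD_SET, F_ACCT_EXPIRES, F_LAST_FAIL = 8, 24, 32, 40
F_RID, F_ACB_FLAGS, F_LOGON_COUNT = 48, 56, 66
V_BASE = 0xCC  # string offsets stored in the V header are relative to this base

ACB_FLAG_NAMES = {
    0x0001: "Account disabled",
    0x0004: "Password not required",
    0x0010: "Normal user account",
    0x0200: "Password does not expire",
    0x0400: "Account auto locked",
}

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # FILETIME value Windows uses for "never expires"


def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; None for 0/'never'."""
    if ft in (0, NEVER):
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, done in integer arithmetic so large values stay exact."""
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_f(f):
    """Timestamps, RID, account-control flags and logon count from an F value."""
    if len(f) < F_LOGON_COUNT + 2:
        raise ValueError("F value too short")
    flags = struct.unpack_from("<H", f, F_ACB_FLAGS)[0]
    return {
        "last_logon": filetime_to_dt(struct.unpack_from("<Q", f, F_LAST_LOGON)[0]),
        "password_set": filetime_to_dt(struct.unpack_from("<Q", f, F_PWD_SET)[0]),
        "account_expires": filetime_to_dt(struct.unpack_from("<Q", f, F_ACCT_EXPIRES)[0]),
        "last_failed_logon": filetime_to_dt(struct.unpack_from("<Q", f, F_LAST_FAIL)[0]),
        "rid": struct.unpack_from("<I", f, F_RID)[0],
        "acb_flags": [name for bit, name in ACB_FLAG_NAMES.items() if flags & bit],
        "logon_count": struct.unpack_from("<H", f, F_LOGON_COUNT)[0],
    }


def _v_string(v, ofs_pos):
    """Read one UTF-16LE string whose (offset, length) pair sits at ofs_pos in the V header."""
    ofs, ln = struct.unpack_from("<II", v, ofs_pos)
    start = V_BASE + ofs
    if start + ln > len(v):
        raise ValueError("V string runs past end of value")
    return v[start:start + ln].decode("utf-16-le")


def parse_v(v):
    """Username, full name and comment from a V value."""
    return {
        "username": _v_string(v, 0x0C),
        "full_name": _v_string(v, 0x18),
        "comment": _v_string(v, 0x24),
    }


def logged_on_between(f, start, end):
    """True if the account's last logon (from F) falls inside [start, end]."""
    t = parse_f(f)["last_logon"]
    return t is not None and start <= t <= end


# --- Constructed sample data (not taken from any real SAM hive) ---
def build_sample_f(rid, last_logon, pwd_set, flags, logon_count):
    f = bytearray(80)
    struct.pack_into("<Q", f, F_LAST_LOGON, dt_to_filetime(last_logon))
    struct.pack_into("<Q", f, F_PWD_SET, dt_to_filetime(pwd_set))
    struct.pack_into("<Q", f, F_ACCT_EXPIRES, NEVER)
    struct.pack_into("<I", f, F_RID, rid)
    struct.pack_into("<H", f, F_ACB_FLAGS, flags)
    struct.pack_into("<H", f, F_LOGON_COUNT, logon_count)
    return bytes(f)


def build_sample_v(username, full_name, comment):
    header, body = bytearray(V_BASE), bytearray()
    for ofs_pos, text in ((0x0C, username), (0x18, full_name), (0x24, comment)):
        enc = text.encode("utf-16-le")
        struct.pack_into("<II", header, ofs_pos, len(body), len(enc))
        body += enc
    return bytes(header + body)


UTC = timezone.utc
SAMPLE_F = build_sample_f(1001, datetime(2006, 3, 22, 14, 47, tzinfo=UTC),
                          datetime(2006, 1, 10, 9, 0, tzinfo=UTC), 0x0010 | 0x0200, 37)
SAMPLE_V = build_sample_v("jdoe", "Jane Doe", "constructed test account")

if __name__ == "__main__":
    print(parse_v(SAMPLE_V))
    print(parse_f(SAMPLE_F))
```

On a real image you would export the SAM hive, walk each RID subkey under Domains\Account\Users with a registry library, and feed its F and V data to parse_f and parse_v; logged_on_between then answers the thread's actual question of which local accounts last logged on inside a given window. Note that F only records the most recent logon, so an account that logged on several times in the window shows a single timestamp.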
 
  

keydet89
Senior Member
 

Re: Identity identification for deleted files

Post Posted: Mar 22, 06 19:29

ifindstuffucantfind, et al,

Just an FYI about the autosync thing you mentioned... I got interested in it and started doing some research. Unfortunately, I can't do a lot of experimentation, as it seems that this has to do with Active Directory and Group Policies, and the syncing of offline files.

This KB article discusses an issue with regards to warnings and XP:
support.microsoft.com/...-us;320139

So, I'm not saying that anyone's wrong or incorrect, just pointing out something to be aware of when looking at this key...

H  
 
  

Thomas
Member
 

Re: Identity identification for deleted files

Post Posted: Mar 22, 06 21:14

Hi, if you know from which workstation the files were deleted, you can search the "recently used" folders in the profiles of that workstation. If you are lucky, you will find "traces" to the last opened files or folders in one of the user profiles. If there are any "startup cleaning tools", then those traces are also deleted. You then have to use an undelete program, like "recover my files". Good luck! Let us know if you succeed!
_________________
ICT Security Manager, CHFI, CEH, ECSA, Netherlands 
 
  

iruiper
Senior Member
 

Re: Identity identification for deleted files

Post Posted: Mar 23, 06 01:29

Wow! I'm learning a lot from you, guys! Thank you. Now I'm involved in an urgent issue and the server with the deleted files will have to wait... but I promise to tell you my experience as soon as I do it.
 
  

koko
Member
 

Re: Identity identification for deleted files

Post Posted: Mar 24, 06 22:12

Don't know if it helps or is interesting, but if the delete happened the last time that someone logged in, you could look at modified dates of files in their profile's directory (Documents and Settings), especially (for certainty) the ones that are system or app related, like index.dat. In fact, if you knew the time period, you could do a search on modified date across the whole hard drive and see whose files were created/edited in your time period. Undoubtedly there would be cookies, logfiles, etc. created while you're logged in. If they did any web browsing while logged in, this should be easy. Of course all this assumes that the user wasn't malicious and covered their tracks by changing dates. Also, did the person log in to their email from that machine? If they use caching mode in Outlook, you could check dates inside the local .ost or .pst. Also, if the person printed something there could be a log in the printer with date and username. There are potentially so many indirect ways.
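The modified-date sweep koko describes, as an added example that is not part of koko's post: it walks a mounted image (or any directory tree), keeps the files whose modification time falls inside the window of interest, and attributes each hit to the profile it lives under, using the Documents and Settings\<user> layout the post names (Users\<user> is accepted too). The mini "drive" it runs on is constructed inside a temporary directory with os.utime, so the account names, paths and timestamps are made up. As koko notes, this trusts the on-disk timestamps; a user who altered them defeats it.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Top-level directories under which per-user profiles live (XP and later layouts).
PROFILE_ROOT_NAMES = ("Documents and Settings", "Users")


def profile_owner(path, root):
    """Return <user> for <root>/Documents and Settings/<user>/...; None if outside any profile."""
    try:
        parts = Path(path).relative_to(root).parts
    except ValueError:
        return None
    if len(parts) >= 2 and parts[0] in PROFILE_ROOT_NAMES:
        return parts[1]
    return None


def files_modified_between(root, start, end):
    """Walk root; return (relative path, mtime, owner) for files with mtime in [start, end], oldest first."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:  # unreadable or vanished entry: skip rather than abort the sweep
                continue
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            if start <= mtime <= end:
                hits.append((str(p.relative_to(root)), mtime, profile_owner(p, root)))
    hits.sort(key=lambda h: h[1])
    return hits


def activity_by_user(hits):
    """Count hits per profile owner; the None bucket is activity outside any profile (e.g. WINDOWS)."""
    counts = {}
    for _path, _mtime, owner in hits:
        counts[owner] = counts.get(owner, 0) + 1
    return counts


def build_sample_image(base):
    """Constructed mini drive: two profiles plus a system dir, mtimes set explicitly (UTC)."""
    files = {
        "Documents and Settings/alice/Cookies/index.dat": "2006-03-22T14:40:00",
        "Documents and Settings/alice/Local Settings/History/index.dat": "2006-03-22T14:52:00",
        "Documents and Settings/bob/My Documents/notes.txt": "2006-03-20T09:00:00",
        "WINDOWS/system32/config/software.LOG": "2006-03-22T14:45:00",
    }
    for rel, iso in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content")
        ts = datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()
        os.utime(p, (ts, ts))
    return base


def run_demo():
    """Sweep the constructed image for a half-hour window on 22 Mar 2006; returns (hits, per-user counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        start = datetime(2006, 3, 22, 14, 30, tzinfo=timezone.utc)
        end = datetime(2006, 3, 22, 15, 0, tzinfo=timezone.utc)
        hits = files_modified_between(tmp, start, end)
        return hits, activity_by_user(hits)


if __name__ == "__main__":
    hits, counts = run_demo()
    for rel, mtime, owner in hits:
        print(f"{mtime.isoformat()}  {owner or '-':8}  {rel}")
    print(counts)
```

Run against a mounted read-only image with the root set to the volume's mount point; only the alice profile and the system directory show activity in the window here, which is the kind of attribution the thread is after. The time zone matters: the window is compared in UTC, so convert the local times from the incident report before calling files_modified_between.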
 
  

iruiper
Senior Member
 

Re: Identity identification for deleted files

Post Posted: Apr 25, 06 13:36

Hi again!

I told you I would comment on my progress in this case when I had the time. Well... here I am... and without results!!
The system under analysis uses a RAID5 configuration with NTFS. I haven't been able to find ANY of the deleted files or folders with EnCase (they aren't present, not even as overwritten!!). Does anyone know why these files and folders don't appear? I mean... shouldn't they be present at least marked as "overwritten"?

Thank you, folks  
 

Page 3 of 4