Identity identification for deleted files

Page 2 of 4

keydet89
Senior Member
 

Re: Identity identification for deleted files

Posted: Mar 22, 06 00:19

iruiper,

arashiryu's comments are good ones, but there are a couple of caveats.

First, rifiuti only works if the file had been deleted in a manner that deposits it in the Recycle Bin. Using the "del" command from the command prompt bypasses the Recycle Bin.

Second, looking for the event IDs is a good idea, but a waste of time if the appropriate auditing hasn't been enabled.

Harlan  
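To make the first caveat concrete: rifiuti works by reading the INFO2 index that Windows 2000/XP keeps in each user's Recycler folder, and a file removed with `del` never gets an entry there. The parser below is an added example written for this thread, not rifiuti's own code or anything posted by the participants. It assumes the INFO2 version 5 layout with 800-byte records (16-byte header whose last uint32 is the record size; per record a 260-byte ANSI path, uint32 index, uint32 drive number with 0 meaning A:, a 64-bit FILETIME of deletion, uint32 physical size, then a 520-byte UTF-16LE path) and treats a record whose first ANSI byte is zero as an entry already emptied or restored. The two-record image it parses is constructed inline; no real system data is involved.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 index, the file rifiuti reads.

Added example for this thread, not code from rifiuti or any poster.
Assumed layout (INFO2 version 5, 800-byte records): 16-byte header whose
last uint32 is the record size, then per record a 260-byte ANSI path,
uint32 record index, uint32 drive number (0 = A:), 64-bit FILETIME of the
deletion, uint32 physical size, 520-byte UTF-16LE path. A zero first ANSI
byte marks an entry already emptied or restored. Files removed with `del`
never get a record here, which is the caveat in the post above.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 16
RECORD_LEN = 800
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic keeps it exact."""
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10


def parse_info2(data):
    """Return one dict per INFO2 record; raise ValueError on a bad header."""
    if len(data) < HEADER_LEN:
        raise ValueError("INFO2 too short for a header")
    version, record_len = struct.unpack_from("<I8xI", data, 0)
    if record_len != RECORD_LEN:
        raise ValueError(f"unsupported record size {record_len} (version {version})")
    records = []
    offset = HEADER_LEN
    while offset + record_len <= len(data):
        rec = data[offset:offset + record_len]
        emptied = rec[0] == 0  # Windows zeroes the first ANSI byte on empty/restore
        ansi_path = rec[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        uni_path = rec[280:].decode("utf-16-le", "replace").split("\x00", 1)[0]
        path = uni_path or ansi_path  # the Unicode copy survives an emptied entry
        leaf = path.rsplit("\\", 1)[-1]
        ext = path[path.rfind("."):] if "." in leaf else ""
        records.append({
            "index": index,
            "drive": drive,
            "path": path,
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
            "emptied": emptied,
            # Name the file carries inside the Recycler folder: D<drive><index><ext>
            "recycled_name": f"D{chr(ord('a') + drive)}{index}{ext}",
        })
        offset += record_len
    return records


def _record(path, index, drive, deleted_at, size, emptied=False):
    """Build one raw INFO2 record (constructed test data)."""
    ansi = path.encode("cp1252").ljust(260, b"\x00")
    if emptied:
        ansi = b"\x00" + ansi[1:]
    rec = ansi + struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted_at), size)
    return rec + path.encode("utf-16-le").ljust(520, b"\x00")


def build_sample_info2():
    """Two-record INFO2 image assembled here for demonstration (constructed)."""
    header = struct.pack("<I8xI", 5, RECORD_LEN)
    when = datetime(2006, 3, 21, 22, 0, tzinfo=timezone.utc)
    return (header
            + _record("C:\\Docs\\report.doc", 1, 2, when, 8192)
            + _record("C:\\Docs\\notes.txt", 2, 2, when + timedelta(minutes=5), 4096, emptied=True))


if __name__ == "__main__":
    for r in parse_info2(build_sample_info2()):
        flag = "emptied" if r["emptied"] else ""
        print(r["recycled_name"], r["path"], r["deleted_at"].isoformat(), flag)
```

Feed `parse_info2` the bytes of a real INFO2 and every record gives you the original path, the deletion timestamp in UTC, and the `Dc1.doc`-style name under which the content still sits in the Recycler folder, which is what you then look for in the EnCase image. An empty result, or no INFO2 at all, is consistent with the `del` case and is not evidence that nothing was deleted.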
 
  

iruiper
Senior Member
 

Re: Identity identification for deleted files

Posted: Mar 22, 06 00:25

Yes... I have just realized that sometimes the Event Logger isn't activated... as in the case I'm working on!!

Any other suggestions then??  
 
  

arashiryu
Senior Member
 

Re: Identity identification for deleted files

Posted: Mar 22, 06 01:48

I recommend you get auditing turned on right away on the server and the client workstations. At least security-related events like logon, logoff, etc.

You might want to get a forensic image of the server and the workstations in question and process them with some forensics tools.
 
  

iruiper
Senior Member
 

Re: Identity identification for deleted files

Posted: Mar 22, 06 02:32

Yeah! I know that's what should have been done... but it's not my server (it's the client's), I just have to do the forensic investigation. That's why I wanted to know if any of you have a methodology for this situation, where there aren't any logs and only the EnCase image is available. Once more (sorry for being such a pain :D), does anyone have any suggestions (about tools or methodology for this kind of investigation)?

Anyway... thank you all, folks, for being so collaborative!!
 
  

arashiryu
Senior Member
 

Re: Identity identification for deleted files

Posted: Mar 22, 06 03:18

With no event logs and the correlation you are looking for, this is going to take some effort.

I would at least start working in EnCase meanwhile.

Let EnCase recover/carve out the deleted files and see if you can get any metadata from the recovered files.  
 
  

ifindstuffucantfind
Newbie
 

Re: Identity identification for deleted files

Posted: Mar 22, 06 04:03

This may not help, but in Windows 2000 the registry uses 'autosync' to keep track of when a user last logged into the system. So say that the user logged in, deleted a bunch of stuff and never logs in again. Autosync can show the last time that user was logged in, and hopefully he deleted the files during that time.
 
  

koko
Member
 

Re: Identity identification for deleted files

Posted: Mar 22, 06 04:12

Another way to go about this is to check who was logged in to the system when the files were deleted, relying of course on whether you can get the date/time they were deleted. I suppose you would need auditing turned on for all this, but maybe there are other ways. Does anyone know if the domain controller stores info about user log-in events, etc.?
Anyway, just an idea I thought I'd float...
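The correlation koko describes, and the logon/logoff and object auditing arashiryu recommends turning on, fit together like this. The script below is an added example written for this thread, not code from any poster or tool. It assumes the classic NT/2000/XP Security log event IDs (528 logon, 540 network logon, 538 logoff, 560 object open carrying user, logon ID, handle and requested accesses, 562 handle closed, 564 object deleted carrying only the handle), assumes the events are in chronological order, and works over a constructed handful of events rather than a real log. Without those audit categories enabled none of these events exist, which is the thread's main point.

```python
"""Attribute a file deletion to a user from pre-Vista Security log events.

Added example for this thread, not code from any poster. Assumed event IDs:
528/540 logon, 538 logoff, 560 object open (user, logon ID, handle, object,
accesses), 562 handle closed, 564 object deleted (handle only). Events must
be in chronological order. SAMPLE_EVENTS is constructed data.
"""
from datetime import datetime

LOGON_IDS = {528, 540}
LOGOFF_IDS = {538}

# Constructed sample log: one session, one real deletion, one handle reuse.
SAMPLE_EVENTS = [
    {"time": "2006-03-21 21:55:12", "id": 528, "user": "jsmith", "logon_id": "0x1A2B"},
    {"time": "2006-03-21 22:00:03", "id": 560, "user": "jsmith", "logon_id": "0x1A2B",
     "handle": "0x4C0", "object": "C:\\Docs\\report.doc", "accesses": ["DELETE"]},
    {"time": "2006-03-21 22:00:03", "id": 564, "handle": "0x4C0"},
    {"time": "2006-03-21 22:00:10", "id": 560, "user": "jsmith", "logon_id": "0x1A2B",
     "handle": "0x4C0", "object": "C:\\Docs\\notes.txt", "accesses": ["READ_CONTROL"]},
    {"time": "2006-03-21 22:00:11", "id": 562, "handle": "0x4C0"},
    {"time": "2006-03-21 22:30:00", "id": 538, "user": "jsmith", "logon_id": "0x1A2B"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_sessions(events):
    """Map logon ID -> {user, start, end} from logon/logoff events."""
    sessions = {}
    for ev in events:
        if ev["id"] in LOGON_IDS:
            sessions[ev["logon_id"]] = {"user": ev["user"],
                                        "start": parse_time(ev["time"]), "end": None}
        elif ev["id"] in LOGOFF_IDS and ev["logon_id"] in sessions:
            sessions[ev["logon_id"]]["end"] = parse_time(ev["time"])
    return sessions


def attribute_deletions(events):
    """Chain 560 -> 564 by handle ID, then tie the opener to a logon session."""
    sessions = build_sessions(events)
    open_handles = {}  # handle ID -> its 560 event; IDs are reused after a 562
    deletions = []
    for ev in events:
        if ev["id"] == 560:
            open_handles[ev["handle"]] = ev
        elif ev["id"] == 562:
            open_handles.pop(ev["handle"], None)
        elif ev["id"] == 564:
            opened = open_handles.pop(ev["handle"], None)
            if opened is None:  # 564 with no open handle: log gap or wrap-around
                deletions.append({"object": None, "user": None, "time": ev["time"],
                                  "within_logon_session": False,
                                  "delete_access_requested": False})
                continue
            t = parse_time(ev["time"])
            sess = sessions.get(opened["logon_id"])
            in_session = bool(sess and sess["start"] <= t
                              and (sess["end"] is None or t <= sess["end"]))
            deletions.append({
                "object": opened["object"],
                "user": opened["user"],
                "time": ev["time"],
                "delete_access_requested": "DELETE" in opened["accesses"],
                "within_logon_session": in_session,
            })
    return deletions


if __name__ == "__main__":
    for d in attribute_deletions(SAMPLE_EVENTS):
        print(d)
```

The handle-reuse case is the one that bites in practice: the same handle ID shows up again after a 562, so a 564 must be matched to the most recent still-open 560, not to any earlier one with that ID. A deletion whose timestamp falls outside every logon session, or a 564 with no matching 560, is a sign of log rollover or of auditing that was switched on too late, and should be reported as unattributed rather than guessed.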
 

Page 2 of 4