Deleted file - Time stamp

(@michelle007)
Posts: 14
Active Member
Topic starter
 

Hi,

Just want to know whether we can see when the file was deleted (deleted file time stamp) on FAT and NTFS file systems forensically?

We have Encase 7.1 and FTK 5.6 forensic suite with us.

 
Posted : 19/05/2015 9:43 am
(@mscotgrove)
Posts: 938
Prominent Member
 

Have you tried deleting a file from a NTFS and a FAT32 disk?

What conclusion did you reach?

Did you examine the MFT entry and the FAT32 directory entry with a Hex editor before and after deleting?

 
Posted : 19/05/2015 1:44 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Just want to know whether we can see when the file was deleted (deleted file time stamp) on FAT and NTFS file systems forensically?

Possibly, yes.

We have Encase 7.1 and FTK 5.6 forensic suite with us.

Neither of which you need to do this.

 
Posted : 21/05/2015 4:42 pm
(@michelle007)
Posts: 14
Active Member
Topic starter
 

@keydet89 .. please tell me how?

 
Posted : 22/05/2015 2:31 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

You need to look at two possible areas.

1) The directory entry for FAT32 and the MFT entry for NTFS, before and after the file has been deleted. Do the embedded dates change? (NB: the MFT has several dates in the record.) A good hex viewer is required, along with the structure of the FAT32 entry and the MFT entry.

2) Event logs and shadow copies. Do these have the required information?

It is possible there may be further areas to investigate.

 
Posted : 22/05/2015 6:32 pm
(@michelle007)
Posts: 14
Active Member
Topic starter
 

@mscotgrove. Thanks, surely will check it out.

 
Posted : 24/05/2015 9:31 am
zoltandfw
(@zoltandfw)
Posts: 27
Eminent Member
 

You cannot find out when a file was deleted in FAT relying only on the file system metadata. If you look at the directory entries in FAT, you can see the file that was deleted by locating the partial file name that should start with E5. Look for the starting cluster of that deleted file and see if there is another, still allocated, file with the same starting cluster. If there is, then the file in question was deleted before the allocated file with the same starting cluster was created. That is the closest you will get relying only on the file system.

With NTFS, you can examine the MFT Journal in order to identify the deletion time. You can give triforce tool a try to see if that is what you'll need unless you have other artifacts like the recycle bin.

 
Posted : 24/05/2015 11:47 pm
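Worked example of the FAT32 reasoning zoltandfw describes (added here, not code from the thread or from any forensic suite): parse raw 32-byte directory entries, flag the ones whose first name byte is 0xE5, and bound each deletion by the creation time of any allocated entry that reuses the same first cluster. The entry layout is the standard FAT32 short-name record; the directory bytes below are constructed for the demo, not real evidence.

```python
import struct
from datetime import datetime

# FAT32 short-name entry (32 bytes): name, attr, NTRes, CrtTimeTenth, CrtTime, CrtDate, LstAccDate, FstClusHI, WrtTime, WrtDate, FstClusLO, FileSize
ENTRY = struct.Struct("<11sBBBHHHHHHHI")

def fat_datetime(date, time):
    # Packed FAT date/time words; seconds are stored at 2-second resolution
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def make_entry(name, cluster, created, deleted=False):
    d = ((created.year - 1980) << 9) | (created.month << 5) | created.day
    t = (created.hour << 11) | (created.minute << 5) | (created.second // 2)
    raw = bytearray(ENTRY.pack(name.encode("ascii"), 0x20, 0, 0, t, d, d,
                               cluster >> 16, t, d, cluster & 0xFFFF, 1024))
    if deleted:
        raw[0] = 0xE5  # deletion overwrites only the first name byte; dates survive
    return bytes(raw)

def parse_entries(blob):
    entries = []
    for off in range(0, len(blob) - 31, 32):
        f = ENTRY.unpack_from(blob, off)
        if f[0][0] == 0x00:
            break  # 0x00 marks the end of the directory
        if f[1] == 0x0F:
            continue  # VFAT long-name fragment, not a file entry
        deleted = f[0][0] == 0xE5
        name = ("?" if deleted else chr(f[0][0])) + f[0][1:].decode("ascii", "replace")
        entries.append({"name": name, "deleted": deleted, "created": fat_datetime(f[5], f[4]),
                        "cluster": (f[7] << 16) | f[10]})
    return entries

def deletion_upper_bounds(entries):
    # Deleted entry -> earliest creation time of an allocated entry reusing its first cluster (deletion precedes it); None if the cluster was never reused
    bounds = {}
    for e in entries:
        if e["deleted"]:
            reusers = [a["created"] for a in entries if not a["deleted"] and a["cluster"] == e["cluster"]]
            bounds[e["name"]] = min(reusers) if reusers else None
    return bounds

# Constructed directory: OLDDOC's first cluster (7) was reused by NEWDOC; GONE's (40) was not
SAMPLE_DIR = b"".join([
    make_entry("OLDDOC  TXT", 7, datetime(2015, 5, 1, 9, 0, 0), deleted=True),
    make_entry("NEWDOC  TXT", 7, datetime(2015, 5, 18, 8, 15, 0)),
    make_entry("GONE    LOG", 40, datetime(2015, 4, 2, 10, 0, 0), deleted=True),
    b"\x00" * 32,
])
```

The result is only an upper bound on the deletion time, as the post says; an entry whose cluster has not been reused yields None, and the deleted entry's own timestamps still reflect the file's life before deletion, not the deletion itself.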