Who/what deleted the files?

(@phranquey)
Posts: 10
Active Member
Topic starter
 

Hi All

I have been working on a case where the user claims to have no idea how a large set of files have been deleted from his desktop.
The UsnJrnl shows the files being deleted in sequence and from different folders (the folders were not deleted). There is evidence to show user activity just seconds before the deletion, and the user put their laptop to sleep seconds after the deletion. There is no indication of any application (malware or otherwise) being executed around the time of deletion. No sign of any rogue user either.
Everything points to the user other than the way the files were deleted. The timestamps in the UsnJrnl tell me it was a mass deletion, probably triggered once, that took care of many files in different folders in a very short time, and not the selective and manual way in which a user would normally delete files by opening each folder, then highlighting the files and then deleting them.
Also note that the deletion bypassed the recycle bin.
What am I missing? How do files get deleted sequentially from different folders (without deleting the folders) without the use of a program?

Any thoughts and suggestions are most welcomed.

 
Posted : 21/10/2016 8:48 am
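The pattern the poster describes (many FILE_DELETE records, consecutive USNs, several parent folders, sub-second spacing, no folder deletions) is something you can test for mechanically rather than by eyeballing a timeline. The following is an added example, not code from the thread or from any of the posters: it parses raw `USN_RECORD_V2` entries as they appear in an NTFS `$UsnJrnl:$J` stream and groups closing delete records into bursts by the gap between neighbouring deletes. The journal bytes are constructed inline with made-up file names, reference numbers and timestamps; the 2-second gap and 5-file threshold are assumptions you would tune per case.

```python
"""Parse raw USN_RECORD_V2 entries from an NTFS $UsnJrnl:$J stream and flag
bursts of file deletions that span several parent folders in a short time."""
import struct
from datetime import datetime, timedelta, timezone

# Reason flags from the Windows SDK (subset used here)
USN_REASON_DATA_EXTEND = 0x00000002
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_CLOSE = 0x80000000

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# RecordLength, Major, Minor, FRN, ParentFRN, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset
_V2_HEADER = "<IHHQQQQIIIIHH"  # 60 bytes, little-endian, no padding
_V2_HEADER_LEN = struct.calcsize(_V2_HEADER)


def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    return int((dt - _EPOCH_1601) / timedelta(microseconds=1)) * 10


def make_usn_v2(frn, parent_frn, usn, filetime, reason, name):
    """Serialise one V2 record; records are padded to an 8-byte boundary."""
    name_bytes = name.encode("utf-16-le")
    raw_len = _V2_HEADER_LEN + len(name_bytes)
    rec_len = (raw_len + 7) & ~7
    header = struct.pack(_V2_HEADER, rec_len, 2, 0, frn, parent_frn, usn, filetime,
                         reason, 0, 0, 0x20, len(name_bytes), _V2_HEADER_LEN)
    return header + name_bytes + b"\x00" * (rec_len - raw_len)


def parse_usn_v2(buf):
    """Walk a $J buffer and return one dict per V2 record, in journal order."""
    records, off = [], 0
    while off + _V2_HEADER_LEN <= len(buf):
        (rec_len, major, _minor, frn, parent_frn, usn, ts, reason, _src, _sid,
         _attrs, name_len, name_off) = struct.unpack_from(_V2_HEADER, buf, off)
        if rec_len == 0:          # zero-filled (sparse) region between records
            off += 8
            continue
        if rec_len < _V2_HEADER_LEN or off + rec_len > len(buf):
            break                 # truncated or corrupt: stop rather than misparse
        if major == 2 and name_off + name_len <= rec_len:
            name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le", "replace")
            records.append({"usn": usn, "frn": frn, "parent_frn": parent_frn,
                            "timestamp": filetime_to_datetime(ts), "reason": reason,
                            "name": name})
        off += rec_len
    return records


def find_delete_bursts(records, max_gap_seconds=2.0, min_files=5):
    """Group FILE_DELETE|CLOSE records whose neighbour is within max_gap_seconds.
    Only the CLOSE record is counted: NTFS logs FILE_DELETE and then
    FILE_DELETE|CLOSE for the same file, and counting both doubles every burst."""
    deletes = sorted((r for r in records
                      if r["reason"] & USN_REASON_FILE_DELETE and r["reason"] & USN_REASON_CLOSE),
                     key=lambda r: r["usn"])
    gap, bursts, group = timedelta(seconds=max_gap_seconds), [], []

    def flush():
        if len(group) >= min_files:
            bursts.append({"start": group[0]["timestamp"], "end": group[-1]["timestamp"],
                           "files": len(group),
                           "folders": len({r["parent_frn"] for r in group}),
                           "names": [r["name"] for r in group]})

    for rec in deletes:
        if group and rec["timestamp"] - group[-1]["timestamp"] > gap:
            flush()
            group = []
        group.append(rec)
    flush()
    return bursts


def build_sample_journal():
    """Constructed $J content for demonstration (not data from the case)."""
    t0 = datetime(2016, 10, 20, 17, 30, 0, tzinfo=timezone.utc)
    desktop, folder1, folder2, folder3 = 0x1000, 0x1001, 0x1002, 0x1003  # made-up FRNs
    recs, usn = [], 0x1000

    def add(frn, parent, when, reason, name):
        nonlocal usn
        recs.append(make_usn_v2(frn, parent, usn, datetime_to_filetime(when), reason, name))
        usn += 0x60  # arbitrary increment; real USNs advance by record length

    add(0x2001, desktop, t0, USN_REASON_DATA_EXTEND | USN_REASON_CLOSE, "notes.docx")
    # one file deleted by hand: FILE_DELETE, then FILE_DELETE|CLOSE
    add(0x2002, desktop, t0 + timedelta(seconds=90), USN_REASON_FILE_DELETE, "scratch.txt")
    add(0x2002, desktop, t0 + timedelta(seconds=90), USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "scratch.txt")
    # mass deletion: 12 files across 3 folders, 50 ms apart, folders untouched
    for i in range(12):
        parent = (folder1, folder2, folder3)[i % 3]
        when = t0 + timedelta(minutes=10, milliseconds=50 * i)
        add(0x3000 + i, parent, when, USN_REASON_FILE_DELETE, f"report_{i:02d}.xlsx")
        add(0x3000 + i, parent, when, USN_REASON_FILE_DELETE | USN_REASON_CLOSE, f"report_{i:02d}.xlsx")
    add(0x4000, desktop, t0 + timedelta(hours=2), USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "new.txt")
    return b"".join(recs) + b"\x00" * 64  # zero tail, as in a sparse $J region


if __name__ == "__main__":
    for b in find_delete_bursts(parse_usn_v2(build_sample_journal())):
        print(f"{b['start'].isoformat()} .. {b['end'].isoformat()}: "
              f"{b['files']} files in {b['folders']} folders: {b['names'][:3]} ...")
```

On a real image you would feed `parse_usn_v2` the `$J` data extracted with your forensic tool of choice, then join each burst's `parent_frn` values against the MFT to recover folder paths. A burst that spans several folders with only tens of milliseconds between files is what a single command or a single multi-selection delete produces; a hand-by-hand delete per folder shows up as separate small groups minutes apart, which is exactly the distinction the original post is trying to draw.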
(@chris55728)
Posts: 49
Eminent Member
 

Hi Phranquey,

You don't explain the actual folder layout on the desktop so I'm making assumptions below.

Assuming all the folders in question are sitting underneath a single folder under the 'Desktop' folder the easiest way I can see to do it is as follows. Assuming 'My Stuff' is the folder in question.

Desktop
Desktop\My Stuff
Desktop\My Stuff\Folder 1
Desktop\My Stuff\Folder 2
Desktop\My Stuff\Folder 3
Desktop\My Stuff\Folder 4
Desktop\My Stuff\Folder 5
Desktop\My Stuff\Folder 6

Go into the 'My Stuff' folder using Windows Explorer. In the search box (top right in Windows Explorer) put an *, this will then show all files and folders in and under the 'My Stuff' folder. Order by 'Type' and SHIFT+DELETE all the files to bypass the Recycle Bin.

Desktop
Desktop\Folder 1
Desktop\Folder 2
Desktop\Folder 3
Desktop\Folder 4
Desktop\Folder 5
Desktop\Folder 6

If the folders are individual folders on the 'Desktop' (as above), go into the 'Desktop' folder using Windows Explorer, CTRL + left mouse click 'Folder 1', 'Folder 2', etc. Put an * in the search box, this will then show all files and nested folders in the selected folders. Order by 'Type' and SHIFT+DELETE all the files to bypass the Recycle Bin.

Hope that makes sense. So much easier to actually do than explain in words!!

 
Posted : 21/10/2016 11:11 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

It could have been manually deleted files as described in the above reply, but it could also have been a batch deletion.

If it was on purpose, most probably the batch file was deleted as well; I would carve for it.

The batch file could be on any media, like pendrive, external usb disk, etc. so don't focus only on the main device!

 
Posted : 21/10/2016 2:21 pm
joakims
(@joakims)
Posts: 224
Estimable Member
 

You mentioned "sleep" and "usnjrnl", so I assume this is a Windows system running on an NTFS volume. A few things that could be worth analyzing:
$LogFile
hiberfil.sys

What version of Windows is this?

 
Posted : 21/10/2016 2:39 pm
BraindeadVirtually
(@braindeadvirtually)
Posts: 115
Estimable Member
 

Since you mention UsnJrnl I'm assuming NTFS and therefore more specifically Windows 8 or 10 is the OS in question. To batch delete (and properly delete) files in later versions of Windows you can use something like this from the command prompt:

robocopy C:\SomeEmptyFolder C:\FolderOfStuffToDelete /e /tee /MIR

Which will copy over the 'contents' of SomeEmptyFolder to FolderOfStuffToDelete, overwriting all and anything in FolderOfStuffToDelete and, in this instance, copying nothing into its place. What it will do is leave the folder and subfolders intact, but with no contents. It will blast over almost anything in its path, including locked files (useful sometimes).

Robocopy is, of course, built into all versions of Windows since 7 (and was available via Sysinternals for XP before that), so you'd expect to find it in system32. Question is, how technical is the former user of this computer?

 
Posted : 21/10/2016 2:55 pm
(@phranquey)
Posts: 10
Active Member
Topic starter
 

Thanks to all of you who have responded so quickly! I will try to respond to all of your questions and queries.

1. Chris55728 Yes the folder structure looked like the following

Desktop
Desktop\Folder 1
Desktop\Folder 2
Desktop\Folder 3
Desktop\Folder 4
Desktop\Folder 5
Desktop\Folder 6

Data was deleted from the folders and subfolders... even some desktop shortcut items were deleted. I tried Chris55728's method and indeed he could have deleted them that way. As far as I remember there is a log that stores Explorer search items? Are those in the windows.edb file? I have had mixed results trying to parse that in the past.

2. passcodeunlock Thanks, I will carve for the batch file and see what I find.

3. joakims It is a Windows 7 machine. I already checked $LogFile but I am interested in your hiberfil.sys suggestion. What nuggets can I find in there to help me in this case?

4. redcat Yes, I am aware of robocopy and I checked for the execution of command prompt or any other application with the potential to initiate a delete command, but have not seen anything.
According to I.T. the user does not strike them as being very technical at all, but it does not take that much to find out how to do things on a computer nowadays once you have the right motive.

Thanks again for your help!

 
Posted : 21/10/2016 8:25 pm
joakims
(@joakims)
Posts: 224
Estimable Member
 

It really depends if the system was put into sleep or hibernation mode. You mentioned sleep, but it is sometimes mixed up with hibernation, which is the reason I mentioned it. If it is in fact sleep, then nothing of that file delete operation can be expected to be found in hiberfil.sys. If not, then it is certainly worth looking into hiberfil.sys. What you would do is convert the hibernation file into a raw memory dump file, and then use something like Volatility to analyze the dump file. It is amazing how much can be found there, for instance command line parameters. If you had a memory dump, you could do the same thing.

And regarding $LogFile: there were no filesystem transactions around the deletion time that gave more clues?

 
Posted : 22/10/2016 1:09 am
(@phranquey)
Posts: 10
Active Member
Topic starter
 

Hi Joakims

Yes, it sleeps on lid close, which is the event that is recorded. Unless Windows itself is loosely using the word sleep as well in their description of the event. The logfile does not have much data for that period of time at all, therefore the data is not of much use as far as I can see. In a perfect world Windows 7 would have explicit delete logs which tell us that a user interacted with the computer and selected DELETE... or not.

 
Posted : 22/10/2016 3:36 am
(@phranquey)
Posts: 10
Active Member
Topic starter
 

Hi All

Any further ideas on this one?

 
Posted : 25/10/2016 7:01 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Check logs. Even if they don't say who deleted what, they can tell you which accounts weren't used.

 
Posted : 25/10/2016 4:41 pm