Windows File Deleted Dates

(@osgeek)
Posts: 4
New Member
Topic starter
 

Hi Folks!

Aim: Provide the date of deletion for files on the suspect's machine.

Steps Performed

1. Create an E01 encase image of the physical hard drive of suspects machine.
2. Run "Recover Folders" in EnCase to recover deleted data.
3. Extract out deleted files based on the "Is Deleted" column in EnCase.

Suspect's machine OS: Windows 7
EnCase version used: 7.09 & 6.19

Query: Need to provide the dates on which files have been deleted - those which have been recovered using the "Recover Folders" option in EnCase.

Also, is it right to say that "Entry Modified Date" is the nearest possible date of deletion?

Need your thoughts on this.

If you have any other method, using any other tool or artifacts, by which we can ascertain the dates of deleted files, it will be very helpful.

 
Posted : 16/06/2016 12:01 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Personally, assuming that it is NTFS, I would verify by parsing the $MFT and also have a look at the $logfile
http://www.forensicfocus.com/Forums/viewtopic/t=7970/
https://code.google.com/archive/p/mft2csv
https://github.com/jschicht

jaclaz

 
Posted : 16/06/2016 1:42 pm
(@yunus)
Posts: 178
Estimable Member
 

There is no "deletion date" unless referring to those in the recycle bin.

As for the files not sent to recycle bin, deletion can be interpreted but does not bear any certainty.

As long as one cannot guarantee that the date-time of the computer was correct at the time of deletion in the past, it cannot be ascertained even if you look at the "entry modified".

Also, dates and times are so vulnerable to many other actions, like:
- moving,
- uploading,
- downloading,
- copying,
- writing into CD and then copying back from CD to pc,
- copying of content into a new template,
- cut and paste content into another file,
- editing,
- alteration of metadata,
- exchange between various platforms,
…

Amongst so many possibilities, and without any knowledge that none of these has happened to the file in the past, no date-time can serve as a piece of evidence in itself.

 
Posted : 16/06/2016 11:14 pm
(@osgeek)
Posts: 4
New Member
Topic starter
 

Hi Yunus,

On analysing the $MFT entry we can determine whether the file was deleted or not. I want to know which dates to rely upon when considering the date of file deletion.

Thanks

 
Posted : 17/06/2016 9:31 pm
(@athulin)
Posts: 1156
Noble Member
 

2. Run "Recover Folders" in EnCase to recover deleted data.

Last time I looked, that operation did not recover deleted data. It recovered deleted metadata (folders), some of which were not 'deleted' in the sense that 'the user deleted it', but rather that 'some action of the user caused file system parameters to change, and as a consequence other things happened that caused this particular folder's clusters to be discarded and new ones used instead'.

It's one of those operations that are easy to implement, but which can be very difficult to interpret to any degree of detail.

Also, is it right to say that "Entry Modified Date" is the nearest possible date of deletion. ?

Entry Modified is, I think, a poorly documented and researched attribute field. It changes (sometimes, sometimes not) when file metadata is changed (rename, for example), but as far as I understand its relation to deletion is non-proven.

Also, things may depend on what version of NTFS is being used.

If you have any other method, using any other tool or artifacts, by which we can ascertain the dates of deleted files, it will be very helpful.

If you can get down to the transactional/file system journalling level, you may be able to. Otherwise I think – though I would like to be proved wrong – that you can only get indirect indications that may, but need not, be related to file deletion.

The rest is technical; ignore it if you like.

From a programmer's point of view, it's likely to be mainly the DeleteFile() and DeleteFileTransacted() system calls that actually delete a file in any particular situation. It seems that it would not be a particularly complex task to do a number of tests of this function and identify the exact side effects of that call.

However, possibly related calls are the MoveFile() family (is this the equivalent of a Copy() followed by a Delete(), or does it do things in some other way?) and ReplaceFile() (is this a Delete followed by a Copy, or something else?). And I think there may be some form of temporary file creation that deletes the file when it is finally closed (which also is a form of deletion behaviour – can it be distinguished from a user-initiated deletion?). And RemoveDirectory(), unless files are the only objects of interest. These are just calls from the Windows File Management group; there is also the kernel API and other APIs, such as the Shell functions (for DeleteProfile() or SHFileOperation or …).

Some functions in the File Management group also have implicit deletes, such as Encrypt()/Decrypt() – I'm fairly certain I remember that one of these left a deleted file entry with a distinctive name after invocation. But it's likely to be special cases.

And with Microsoft, undocumented APIs are always a possibility. Does the DaRT toolkit do any magic, for example, or is it 'normal' recovery?

That is, a full investigation of file deletion and its effect on file attributes is likely to be a big job. Testing just DeleteFile(), or possibly the underlying NtDeleteFile()/ZwDeleteFile(), is likely to cover many common scenarios.

Unless the file system has explicit support for undelete, there is very little reason to explicitly record the file deletion date and time in the MFT – it will never be seen again. It makes sense to record it in a transaction log, for file system recovery in case a power failure happens, and possibly as an audit trail for incident analysis, but that's as far as it goes, I think.

 
Posted : 18/06/2016 10:39 am
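As an added example (not code from this thread, from EnCase, or from any poster), the block below follows jaclaz's suggestion to parse the $MFT and shows concretely what an MFT FILE record holds: the in-use flag that marks an entry as deleted, and the four $STANDARD_INFORMATION timestamps (created, modified, MFT-entry modified, accessed). There is no deletion timestamp field to read, which is the point both athulin and yunus make. The record builder, the constructed timestamps, the 1024-byte record size and the NTFS 3.x header layout are my assumptions; the fixup check is included because a record whose update sequence numbers do not match is torn or stale and its timestamps should not be trusted.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not code from the thread: build one NTFS $MFT FILE record
# (with its update-sequence fixups applied), then parse it back to show what
# an MFT entry does and does not record. Layout assumed: NTFS 3.x (48-byte
# header, first attribute at 0x38, $STANDARD_INFORMATION = type 0x10).

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
STANDARD_INFORMATION = 0x10
END_MARKER = 0xFFFFFFFF
FLAG_IN_USE = 0x0001
FLAG_DIRECTORY = 0x0002


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def apply_fixups(record, sector_size=512):
    """Undo the update sequence array: NTFS overwrites the last two bytes of
    every sector with a sequence number and keeps the real bytes in the USA.
    A mismatch means a torn write or a stale/corrupt record."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    seq = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * sector_size
        if bytes(rec[end - 2:end]) != seq:
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_mft_record(record):
    """Return the record flags and the four $STANDARD_INFORMATION timestamps.
    There is no 'deleted at' field: the only deletion signal in the MFT is
    the cleared in-use bit."""
    rec = apply_fixups(record)
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & FLAG_IN_USE),
            "is_directory": bool(flags & FLAG_DIRECTORY)}
    off = attr_off
    while True:
        atype, = struct.unpack_from("<I", rec, off)
        if atype == END_MARKER:
            break
        alen, = struct.unpack_from("<I", rec, off + 4)
        non_resident = rec[off + 8]
        if atype == STANDARD_INFORMATION and not non_resident:
            content_off, = struct.unpack_from("<H", rec, off + 0x14)
            created, modified, mft_modified, accessed = struct.unpack_from(
                "<4Q", rec, off + content_off)
            info.update(created=filetime_to_datetime(created),
                        modified=filetime_to_datetime(modified),
                        mft_modified=filetime_to_datetime(mft_modified),
                        accessed=filetime_to_datetime(accessed))
        off += alen
    return info


def build_record(in_use, times, sector_size=512, record_size=1024):
    """Construct a minimal FILE record with a resident $STANDARD_INFORMATION
    attribute; 'times' is (created, modified, mft_modified, accessed)."""
    content = struct.pack("<4Q", *(datetime_to_filetime(t) for t in times)) + bytes(40)
    attr = struct.pack("<IIBBHHHIHBB", STANDARD_INFORMATION, 0x18 + len(content),
                       0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0) + content
    body = attr + struct.pack("<I", END_MARKER)
    usa_off, usa_count, first_attr = 0x30, 1 + record_size // sector_size, 0x38
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 2, 1,
                         first_attr, FLAG_IN_USE if in_use else 0,
                         first_attr + len(body), record_size, 0, 0, 0, 7)
    rec = bytearray(header + bytes(first_attr - len(header)) + body)
    rec += bytes(record_size - len(rec))
    seq = b"\x01\x00"
    usa = bytearray(seq)
    for i in range(1, usa_count):  # stash real sector-end bytes, write the seq
        end = i * sector_size
        usa += rec[end - 2:end]
        rec[end - 2:end] = seq
    rec[usa_off:usa_off + len(usa)] = usa
    return bytes(rec)


if __name__ == "__main__":
    t = datetime(2016, 6, 10, 9, 30, tzinfo=timezone.utc)  # constructed
    record = build_record(False, (t, t, t + timedelta(days=1), t))
    print(parse_mft_record(record))
```

Running it prints a record with `in_use: False` and four timestamps; the later MFT-modified value is whatever the last metadata change left there, and nothing in the structure ties it to the delete.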
citizen
(@citizen)
Posts: 38
Eminent Member
 

Are you by chance interested in proving if the data was ever on the media? Or proving what accounts might have had knowledge of said data?

Per the other posters, certainly check the USN Journal…
https://msdn.microsoft.com/en-us/library/windows/desktop/aa363801(v=vs.85).aspx

Since you use EnCase it's pretty easy to set up a view to see the records and, as a bonus, they have an EnScript on their app store for USN parsing.

 
Posted : 22/06/2016 10:51 pm
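As an added example (not code from this thread or from EnCase), the block below parses USN_RECORD_V2 structures, the layout documented on the MSDN page citizen links to, and picks out the records that close a file deletion. This is the journal-level evidence jaclaz and athulin point at: the USN journal, unlike the MFT, carries a reason mask and a timestamp for each change. The journal bytes are constructed for the demo (file names, reference numbers and times are invented), and the record builder exists only to produce them.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example, not code from the thread or from EnCase: walk a buffer of
# USN_RECORD_V2 entries (as read out of $UsnJrnl:$J) and report the records
# whose reason mask contains FILE_DELETE | CLOSE. The journal is constructed.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Reason flags from winioctl.h (subset relevant here).
USN_REASON_DATA_OVERWRITE = 0x00000001
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_RENAME_NEW_NAME = 0x00002000
USN_REASON_CLOSE = 0x80000000
REASON_NAMES = {
    USN_REASON_DATA_OVERWRITE: "USN_REASON_DATA_OVERWRITE",
    USN_REASON_FILE_CREATE: "USN_REASON_FILE_CREATE",
    USN_REASON_FILE_DELETE: "USN_REASON_FILE_DELETE",
    USN_REASON_RENAME_OLD_NAME: "USN_REASON_RENAME_OLD_NAME",
    USN_REASON_RENAME_NEW_NAME: "USN_REASON_RENAME_NEW_NAME",
    USN_REASON_CLOSE: "USN_REASON_CLOSE",
}


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def reason_names(reason):
    return [name for bit, name in REASON_NAMES.items() if reason & bit]


def parse_usn_v2(buf):
    """Walk USN_RECORD_V2 structures. $J is a sparse file, so runs of zero
    bytes between pages are skipped 8 bytes at a time (records are 8-aligned)."""
    records, off = [], 0
    while off + 60 <= len(buf):
        rec_len, major, minor = struct.unpack_from("<IHH", buf, off)
        if rec_len == 0:
            off += 8
            continue
        if major != 2 or rec_len < 60 or rec_len % 8:
            raise ValueError("unexpected record at offset %d" % off)
        (frn, parent_frn, usn, ts, reason, source, sec_id, attrs,
         name_len, name_off) = struct.unpack_from("<QQqqIIIIHH", buf, off + 8)
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({"usn": usn, "time": filetime_to_datetime(ts),
                        "reason": reason, "frn": frn,
                        "parent_frn": parent_frn, "name": name})
        off += rec_len
    return records


def deletion_events(records):
    """A deletion is the record carrying FILE_DELETE together with CLOSE; the
    timestamp on that record is when the journal saw the file go."""
    mask = USN_REASON_FILE_DELETE | USN_REASON_CLOSE
    return [(r["name"], r["frn"], r["time"])
            for r in records if r["reason"] & mask == mask]


def build_usn_v2(usn, frn, parent_frn, when, reason, name):
    """Constructed record for the demo, not data from a real system."""
    name_b = name.encode("utf-16-le")
    length = (60 + len(name_b) + 7) & ~7
    fixed = struct.pack("<IHHQQqqIIIIHH", length, 2, 0, frn, parent_frn, usn,
                        datetime_to_filetime(when), reason, 0, 0, 0x20,
                        len(name_b), 60)
    return fixed + name_b + bytes(length - 60 - len(name_b))


def _t(h, m, s):
    return datetime(2016, 6, 15, h, m, s, tzinfo=timezone.utc)


SAMPLE_JOURNAL = b"".join([  # constructed: create, edit, rename of another file, delete
    build_usn_v2(0x1000, 0x0002000000001A2B, 0x0005000000000005, _t(9, 12, 4),
                 USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "notes.docx"),
    build_usn_v2(0x1060, 0x0002000000001A2B, 0x0005000000000005, _t(11, 40, 51),
                 USN_REASON_DATA_OVERWRITE | USN_REASON_CLOSE, "notes.docx"),
    bytes(16),  # sparse zero padding as seen at page boundaries of $J
    build_usn_v2(0x10C0, 0x0001000000001A30, 0x0005000000000005, _t(13, 2, 9),
                 USN_REASON_RENAME_NEW_NAME | USN_REASON_CLOSE, "draft_v2.txt"),
    build_usn_v2(0x1120, 0x0002000000001A2B, 0x0005000000000005, _t(14, 3, 27),
                 USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "notes.docx"),
])


if __name__ == "__main__":
    for name, frn, when in deletion_events(parse_usn_v2(SAMPLE_JOURNAL)):
        print("%s (FRN 0x%016x) deleted at %s" % (name, frn, when.isoformat()))
```

The same caveat yunus raises still applies: the timestamp is the system clock at the time of the write, so clock correctness has to be established separately, and $J wraps, so older deletions may no longer be in the journal at all.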
(@yunus)
Posts: 178
Estimable Member
 

Hi Osgeek,

There is no "deleted date" either in the $MFT or in the file properties. So you will not see any "deleted date"; you will only be able to see the "deleted date" column for the files which were sent to the Recycle Bin, in which case the "deleted date" there is the date when the file was sent to the Recycle Bin.

So, other than that, do not expect to see any "deleted date" for other occasions of deletion, because there is not any.

 
Posted : 25/06/2016 1:04 am