Deleted files & user SID

12 Posts
6 Users
0 Likes
4,242 Views
(@jparsont03)
Posts: 7
Active Member
Topic starter
 

I am working on a project where I've been requested to prove that a certain user deleted files from a Windows PC. The PC is running Vista. I took a forensic image of the machine and I am examining in FTK 6.4.

I have recovered ~4,000 files deleted from the machine, but only 637 of these were located in the $RECYCLE.BIN folder. The rest are marked as deleted but do not have an instance in the $RECYCLE.BIN. That being said, I can only confirm the user's SID for the 637 files located in the correlating SID folder within the $RECYCLE.BIN.

I have checked the metadata for a number of these ~3,000 files and they seem to have multiple NTFS Access Control Entries, at least 3 users per file all including the user I am looking for. 2 of these are the known DEFAULT Administrators and SYSTEM SIDs (S-1-5-32-544 and S-1-5-18) and the third is the main user.

Is this enough evidence to prove that the main user deleted the files, as he was the only 'real' user with access? Or can this only offer plausible evidence? I have found conflicting information online and am having trouble finding direct laws addressing this.

Thank you for any advice.

 
Posted : 03/12/2018 4:19 pm
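The 637 files the poster can attribute are the ones that still have a record under a per-user SID folder in $RECYCLE.BIN. The following parser, added here as an example and not code from the thread, shows what that record actually contains on Vista: each $I file stores the original size, the deletion time as a FILETIME and the original path, and the SID folder it sits in names the account whose bin received it. The SID, path and timestamp in the sample are constructed, not taken from any image.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME: 100-ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    td = dt - FILETIME_EPOCH
    micros = (td.days * 86400 + td.seconds) * 10**6 + td.microseconds
    return micros * 10


def parse_i_file(data: bytes) -> dict:
    """Parse a $I record from $RECYCLE.BIN\\<SID>\\.

    Version 1 (Vista/7/8): 8-byte version, 8-byte original size,
    8-byte FILETIME of deletion, 520-byte UTF-16LE original path.
    Version 2 (Windows 10+): a 4-byte name length replaces the fixed field.
    """
    if len(data) < 24:
        raise ValueError("$I record too short")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        (name_chars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + name_chars * 2]
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def sid_from_recycle_path(i_file_path: str) -> Optional[str]:
    """The SID folder under $RECYCLE.BIN names the account whose bin holds the record."""
    parts = i_file_path.replace("/", "\\").split("\\")
    for i, p in enumerate(parts):
        if p.upper() == "$RECYCLE.BIN" and i + 1 < len(parts):
            return parts[i + 1]
    return None


def build_i_file_v1(size: int, deleted_at: datetime, original_path: str) -> bytes:
    """Constructed sample record for testing; not data from any real image."""
    name = original_path.encode("utf-16-le")
    if len(name) > 520:
        raise ValueError("path too long for a version-1 record")
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at)) + name.ljust(520, b"\x00")


# Constructed sample: hypothetical SID, path and time, not taken from the thread
SAMPLE_I_PATH = r"C:\$RECYCLE.BIN\S-1-5-21-1111-2222-3333-1000\$IABC123.docx"
SAMPLE_I_DATA = build_i_file_v1(
    48_213,
    datetime(2018, 11, 30, 14, 5, 17, tzinfo=timezone.utc),
    r"C:\Users\example\Documents\report.docx",
)

if __name__ == "__main__":
    rec = parse_i_file(SAMPLE_I_DATA)
    print(sid_from_recycle_path(SAMPLE_I_PATH),
          rec["deleted_at"].isoformat(), rec["original_path"])
```

The deletion timestamp inside $I is the one piece of "when" evidence the file system keeps for these 637 files; the ~3,000 files that never passed through the bin (Shift+Delete, deletion from a command prompt, or deletion by another OS) have no such record, which is why the rest of the thread turns to permissions and journals.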
(@athulin)
Posts: 1156
Noble Member
 

Is this enough evidence to prove that the main user deleted the files, as he was the only 'real' user with access?

How did you establish that? That is, that there was no second user at the time of deletion, who has since been removed?

It doesn't sound like it does prove anything.

Why are you looking at the files? They will only tell you if the Delete permission had been enabled for them. There's also the 'Delete Subfolders and Files' permission to be taken into account. And, I think, also Modify for the directory that contains the relevant file. And perhaps also directory traversal permissions …

Without diving deeply into my Windows sysadmin reference books, it seems that you really want to know, at the time of deletion: What users existed on the system? What groups did they belong to? And what permissions did those users or groups have on the relevant directories at that time? And … if there was no explicit permission, was there any inherited permission (allow or deny)?

If the list of users has changed since, or the list of groups or group members has changed, or access rights for the relevant directories (remember those inherited permissions) have changed since, you need other evidence than what the file system can tell you, as you don't have the state at the time of deletion. (Though there may be some way around that that I can't think of right now.)

Administrators are a minor nuisance, but they also need to be covered. An Admin (i.e. someone with Full Rights or Take Ownership Right and perhaps one or two more rights) can always take ownership of a file system object. And there are some scenarios involving users with the rights to give others ownership to their files that might need to be covered as well, especially if such users are no longer active on the system.

I don't touch on plausibility at all – that's a matter of observation and statistics as far as I understand the term. Only on technical possibility.

I'm sure I've got something wrong – this area of NTFS always made my head ache.

 
Posted : 03/12/2018 6:53 pm
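The rights athulin lists can be put into a small model. The code below is an added example, not from the thread, that evaluates recorded ACEs the way NTFS does for a deletion: a caller can remove a file if they hold DELETE on the file itself or FILE_DELETE_CHILD ('Delete Subfolders and Files') on the parent directory, and the DACL is walked in canonical order (explicit denies, explicit allows, inherited denies, inherited allows). The user SIDs and the ACL contents are constructed to mirror the situation in the question; only the well-known SIDs and access-mask constants are real.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Access-mask bits relevant to deletion (winnt.h values)
DELETE = 0x00010000             # "Delete" on the object itself
FILE_DELETE_CHILD = 0x00000040  # "Delete Subfolders and Files" on the parent directory
FILE_GENERIC_READ = 0x00120089  # read-only access, for comparison
FULL_CONTROL = 0x001F01FF       # every specific and standard right

WELL_KNOWN = {"S-1-5-18": "SYSTEM", "S-1-5-32-544": "Administrators", "S-1-5-32-545": "Users"}


@dataclass(frozen=True)
class Ace:
    sid: str
    allow: bool
    mask: int
    inherited: bool = False


def canonical_order(aces: Iterable[Ace]) -> List[Ace]:
    """Explicit denies, explicit allows, inherited denies, inherited allows."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))


def access_check(aces: Iterable[Ace], token_sids: Set[str], desired: int) -> bool:
    """Simplified AccessCheck: accumulate allows in canonical order and stop on
    the first applicable deny that covers a right not yet granted."""
    granted = 0
    for ace in canonical_order(aces):
        if ace.sid not in token_sids:
            continue
        if not ace.allow:
            if ace.mask & desired & ~granted:
                return False
        else:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


def can_delete(file_aces: Iterable[Ace], parent_aces: Iterable[Ace], token_sids: Set[str]) -> bool:
    """Either right is sufficient on its own; NTFS checks the parent when the file check fails."""
    return (access_check(file_aces, token_sids, DELETE)
            or access_check(parent_aces, token_sids, FILE_DELETE_CHILD))


def who_could_delete(file_aces, parent_aces, principals: Dict[str, Set[str]]) -> List[str]:
    """principals maps a label to the SIDs that would be in that account's token."""
    return sorted(name for name, sids in principals.items()
                  if can_delete(file_aces, parent_aces, sids))


# Constructed sample mirroring the thread: SYSTEM, Administrators and one
# interactive user hold full control. The user SIDs are hypothetical.
MAIN_USER = "S-1-5-21-1111-2222-3333-1000"
OTHER_USER = "S-1-5-21-1111-2222-3333-1001"

FOLDER_ACES = [
    Ace("S-1-5-18", True, FULL_CONTROL, inherited=True),
    Ace("S-1-5-32-544", True, FULL_CONTROL, inherited=True),
    Ace(MAIN_USER, True, FULL_CONTROL),
]
FILE_ACES = [Ace(a.sid, a.allow, a.mask, inherited=True) for a in FOLDER_ACES]

PRINCIPALS = {
    "SYSTEM": {"S-1-5-18"},
    "Administrators member": {OTHER_USER, "S-1-5-32-544", "S-1-5-32-545"},
    "main user": {MAIN_USER, "S-1-5-32-545"},
    "other standard user": {OTHER_USER, "S-1-5-32-545"},
}

# Edge case: an explicit deny of DELETE on the file does not stop an account
# that holds FILE_DELETE_CHILD on the parent directory.
DENIED_FILE_ACES = FILE_ACES + [Ace(OTHER_USER, False, DELETE)]
PERMISSIVE_FOLDER_ACES = FOLDER_ACES + [Ace(OTHER_USER, True, FILE_DELETE_CHILD)]

if __name__ == "__main__":
    print(who_could_delete(FILE_ACES, FOLDER_ACES, PRINCIPALS))
```

The model answers only the technical-possibility question athulin is asking, and only for the ACL state you can see now. It also says nothing about SeTakeOwnershipPrivilege: an Administrators member can take ownership and then grant themselves DELETE even where the DACL denies it, so membership in that group has to be treated as sufficient regardless of the result here.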
(@jparsont03)
Posts: 7
Active Member
Topic starter
 

Why are you looking at the files? They will only tell you what rights users/groups had to perform read/write/etc. on the files themselves. Right to delete seems to have been added as such a special permission (?).

A file deletion is also a modification of the parent directory. You probably also need to check who had the right to modify the *directory* that referenced the relevant MFT entry.

Without diving deeply into my Windows sysadmin reference books, it seems that you really want to know, at the time of deletion: What users existed on the system? What groups did they belong to? And what access rights did those users or groups have on the relevant directories at that time? And … if there was no explicit permission, was there any inherited permission (allow or deny)?

If the list of users has changed since, or the list of groups or group members has changed, or access rights for the relevant directories (remember those inherited permissions) have changed since, you need other evidence than what the file system can tell you, as you don't have the state at the time of deletion. (Though there may be some way around that that I can't think of right now.)

Administrators are a minor nuisance, but they also need to be covered. An Admin (i.e. someone with Full Rights or Take Ownership Right and perhaps one or two more rights) can always take ownership of a file system object. And there are some scenarios involving users with the rights to give others ownership to their files that might need to be covered as well, especially if such users are no longer active on the system.

Thank you for your response, athulin. I see that there is deeper analysis necessary here. Regarding time of deletion - checking the users/groups/rights on the system at a certain point in time, or over a date range. Can records such as these for certain time periods be found in the Registry, or is this more of a question for the machine's IT administrator?

I believe once I am able to determine the existing users in the decided time frame, and their access rights/permissions, I can narrow this down to the possibility that any of the users with access rights/permissions could have deleted the files. But to narrow this down further and prove that one certain user deleted the files is difficult (or impossible?) without having been there at the time of deletion. Am I on the right track?

Note - I have identified two main folders that all 'non-$RECYCLE.BIN' deleted files resided in. These two folders all contain NTFS Access Control Entries for the three users outlined above - SYSTEM, Administrators, and the main user. These users all have read/write/delete/change permissions/change ownership rights to these folders.

 
Posted : 03/12/2018 7:15 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Administrators are a minor nuisance, but they also need to be covered.

A very interesting sentence (if taken out of context) (wink)

@jparsont03
Besides what athulin suggested, there is also another possibility (not to put you down in any way): the machine could (unless some particular preventing measures were taken) have been booted from another OS (think of a bootable CD/DVD or USB stick) like a PE or a Linux distro to perform the deletion (and BTW this would be as well compatible with a number of deleted files "outside" the Recycle Bin).

For these deleted files outside the Recycle Bin, I doubt you can prove exactly when they were deleted [1], so it would be difficult to know (let alone prove) which user was logged in at the time of the deletion.

jaclaz

[1] maybe you could establish some "not before than" and some "no later than" thresholds, but they would be probably very "loose"

 
Posted : 03/12/2018 7:34 pm
(@athulin)
Posts: 1156
Noble Member
 

Regarding time of deletion - checking the users/groups/rights on the system at a certain point in time, or over a date range. Can records such as these for certain time periods be found in the Registry, or is this more of a question for the machine's IT administrator?

Registry – only if you have access to registry at the relevant time, for example by backup or shadow copy or such. Audit logs would be the normal place to look for traces, but I believe the relevant logging needs to be enabled first. (Obvious 'forensic readiness' issue.)

But to narrow this down further and prove that one certain user deleted the files is difficult (or impossible?) without having been there at the time of deletion.

'Prove' in the technical sense based on NTFS info alone. In the legal sense … I leave that to experts on just what rules of evidence you operate under.

But you may have well-configured audit logs that show that only this user was logged in at the time. That would probably strengthen the case against that user. You may have something else of equal value. (For some jobs I used to find logs from the antivirus system saying exactly the time and the logged in user for various AV activities … very useful info.)

Other weird ideas
Batch jobs? Set up to go off at a particular time, and impersonating the suspected user? Technically possible … but …

Added: And with Vista you may still have last access time stamps enabled, which might be useful in some circumstances.

 
Posted : 03/12/2018 7:45 pm
(@jparsont03)
Posts: 7
Active Member
Topic starter
 

Administrators are a minor nuisance, but they also need to be covered.

A very interesting sentence (if taken out of context) (wink)

@jparsont03
Besides what athulin suggested, there is also another possibility (not to put you down in any way): the machine could (unless some particular preventing measures were taken) have been booted from another OS (think of a bootable CD/DVD or USB stick) like a PE or a Linux distro to perform the deletion (and BTW this would be as well compatible with a number of deleted files "outside" the Recycle Bin).

For these deleted files outside the Recycle Bin, I doubt you can prove exactly when they were deleted [1], so it would be difficult to know (let alone prove) which user was logged in at the time of the deletion.

jaclaz

[1] maybe you could establish some "not before than" and some "no later than" thresholds, but they would be probably very "loose"

I absolutely did not take any offense jaclaz! I really appreciate the information. As my username states, I am a relative 'newbie'. I did not even consider the notion that the user booted into the system with another OS to perform deletions.

If this were the case, this would be difficult to prove as well. I have a record of what removable devices were attached to the machine, but whether or not it was booted to another OS wouldn't be recorded anywhere that I'm able to access if I understand correctly. So, unless I'm able to make a breakthrough with athulin's suggestions, the only evidence that can be technically proven deleted by the user is that in his respective Recycle Bin. For the remaining files, I'll outline some of these possible scenarios making proof difficult in my report.

Thanks a ton!

 
Posted : 03/12/2018 7:49 pm
(@jparsont03)
Posts: 7
Active Member
Topic starter
 

Regarding time of deletion - checking the users/groups/rights on the system at a certain point in time, or over a date range. Can records such as these for certain time periods be found in the Registry, or is this more of a question for the machine's IT administrator?

Registry – only if you have access to registry at the relevant time, for example by backup or shadow copy or such. Audit logs would be the normal place to look for traces, but I believe the relevant logging needs to be enabled first. (Obvious 'forensic readiness' issue.)

But to narrow this down further and prove that one certain user deleted the files is difficult (or impossible?) without having been there at the time of deletion.

'Prove' in the technical sense based on NTFS info alone. In the legal sense … I leave that to experts on just what rules of evidence you operate under.

But you may have well-configured audit logs that show that only this user was logged in at the time. That would probably strengthen the case against that user. You may have something else of equal value. (For some jobs I used to find logs from the antivirus system saying exactly the time and the logged in user for various AV activities … very useful info.)

Other weird ideas
Batch jobs? Set up to go off at a particular time, and impersonating the suspected user? Technically possible … but …

Added: And with Vista you may still have last access time stamps enabled, which might be useful in some circumstances.

Thanks again, athulin. This gives me a lot to contemplate and work with. Cheers.

 
Posted : 03/12/2018 8:01 pm
JimC
(@jimc)
Posts: 86
Estimable Member
 

If you are lucky, there may be evidence of the deletion in the $UsnJrnl. This will tell you who did the deleting and also what else was happening around the same time.

Check out

Re-introducing $UsnJrnl

Jim

www.binarymarkup.com

 
Posted : 03/12/2018 10:39 pm
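For readers following up on the $UsnJrnl suggestion, here is an added example (not from the thread or the linked article) of what a deletion looks like in the journal: a parser for USN_RECORD_V2 entries as carved from $Extend\$UsnJrnl:$J, which picks out records carrying both FILE_DELETE and CLOSE and recovers the MFT entry number, parent entry and timestamp. The sample records are constructed. One caveat the layout makes visible: the record's SecurityId is an index into $Secure, not an account SID, so the journal dates the deletion and names the file but does not by itself say which account performed it; the "who" has to come from correlating that time with logon or audit evidence.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import List

# USN_RECORD_V2 layout (winioctl.h): little-endian 60-byte header, then FileName
USN_V2_HEADER = "<IHHQQqqIIIIHH"
USN_V2_HEADER_LEN = struct.calcsize(USN_V2_HEADER)  # 60

# Reason flags that matter for a deletion timeline
USN_REASON_DATA_OVERWRITE = 0x00000001
USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_CLOSE = 0x80000000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 10**6 + td.microseconds) * 10


def parse_usn_journal(blob: bytes) -> List[dict]:
    """Walk consecutive USN_RECORD_V2 entries until the zero padding of a page."""
    records, off = [], 0
    while off + USN_V2_HEADER_LEN <= len(blob):
        (rec_len, major, minor, frn, parent_frn, usn, ts, reason,
         source, sec_id, attrs, name_len, name_off) = struct.unpack_from(USN_V2_HEADER, blob, off)
        if rec_len == 0:
            break
        if major != 2:
            raise ValueError(f"unsupported USN record version {major}.{minor} at offset {off}")
        name = blob[off + name_off: off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn,
            "timestamp": filetime_to_datetime(ts),
            "name": name,
            "mft_entry": frn & 0xFFFFFFFFFFFF,          # low 48 bits: MFT record number
            "mft_sequence": frn >> 48,                  # high 16 bits: reuse counter
            "parent_entry": parent_frn & 0xFFFFFFFFFFFF,
            "reason": reason,
            # Index into $Secure, not an account SID: no field names the acting user
            "security_id": sec_id,
        })
        off += rec_len
    return records


def final_deletions(records: List[dict]) -> List[dict]:
    """The file is gone once FILE_DELETE and CLOSE are both set in one record."""
    want = USN_REASON_FILE_DELETE | USN_REASON_CLOSE
    return [r for r in records if r["reason"] & want == want]


def build_usn_v2(frn: int, parent_frn: int, usn: int, when: datetime, reason: int, name: str) -> bytes:
    """Constructed sample record for testing; not journal data from any real volume."""
    name_b = name.encode("utf-16-le")
    rec_len = (USN_V2_HEADER_LEN + len(name_b) + 7) & ~7   # records are 8-byte aligned
    hdr = struct.pack(USN_V2_HEADER, rec_len, 2, 0, frn, parent_frn, usn,
                      datetime_to_filetime(when), reason, 0, 0, 0x20, len(name_b), USN_V2_HEADER_LEN)
    return hdr + name_b + b"\x00" * (rec_len - USN_V2_HEADER_LEN - len(name_b))


def _frn(entry: int, seq: int) -> int:
    return (seq << 48) | entry


# Constructed journal fragment: an edit, a delete, then an unrelated file creation
T0 = datetime(2018, 11, 30, 14, 5, 0, tzinfo=timezone.utc)
SAMPLE_JOURNAL = b"".join([
    build_usn_v2(_frn(1234, 3), _frn(57, 1), 1000, T0,
                 USN_REASON_DATA_OVERWRITE | USN_REASON_CLOSE, "report.docx"),
    build_usn_v2(_frn(1234, 3), _frn(57, 1), 1080, T0 + timedelta(seconds=17),
                 USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "report.docx"),
    build_usn_v2(_frn(1235, 1), _frn(57, 1), 1160, T0 + timedelta(seconds=40),
                 USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "notes.txt"),
    b"\x00" * 16,  # zero padding at the end of a journal page
])

if __name__ == "__main__":
    for d in final_deletions(parse_usn_journal(SAMPLE_JOURNAL)):
        print(d["timestamp"].isoformat(), d["name"], "MFT entry", d["mft_entry"])
```

Matching the MFT entry and sequence number against the deleted entries FTK lists is what links a journal line to one of the ~3,000 files; the sequence number matters because an entry is reused after deletion and a later file can occupy the same record number.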
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

If you are lucky, there may be evidence of the deletion in the $UsnJrnl. This will tell you who did the deleting and also what else was happening around the same time.

Excellent! Summing up everything suggested, besides the specifics, leads us to the *need* for a complete timeline of the system, possibly "augmented" with external data (as an example only, entry card swipes or anyway presence in the office) related to the possible suspects.

In other words, if you can detail the "when", then it might be possible to - if not prove at least - reasonably state with a good level of confidence the "who".

jaclaz

 
Posted : 04/12/2018 11:20 am
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

You might want to consider looking at the Windows Event Logs. If you have the ability to sort by the SID, you can look to see if there is a non admin SID that you have not accounted for. You can then look at the log itself to see the user name.

 
Posted : 05/12/2018 1:49 pm
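To make the event-log idea concrete, here is an added example (not code from the thread) that works through exported Security-log records in Windows Event XML form. It relies on Audit Object Access having been enabled, the forensic-readiness point athulin raised: with it on, a deletion produces a 4663 record naming the object and the requesting account, followed by a 4660 "object was deleted" record that carries the same HandleId and SubjectUserSid. The code correlates the two, groups deletions by SID, and lists any SID in the log that is not among the accounts already accounted for. The three records are constructed; the field names and event IDs are the real ones.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE = 0x10000  # access-mask bit for the Delete right

# Constructed sample: a 4663 handle open with DELETE, the matching 4660, and an
# unrelated read by a second (hypothetical) account.
SAMPLE_EVENTS_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event>
    <System><EventID>4663</EventID><TimeCreated SystemTime="2018-11-30T14:05:16.901Z"/></System>
    <EventData>
      <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1000</Data>
      <Data Name="SubjectUserName">example</Data>
      <Data Name="ObjectName">C:\Users\example\Documents\report.docx</Data>
      <Data Name="HandleId">0x3a4</Data>
      <Data Name="AccessMask">0x10000</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>4660</EventID><TimeCreated SystemTime="2018-11-30T14:05:17.002Z"/></System>
    <EventData>
      <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1000</Data>
      <Data Name="SubjectUserName">example</Data>
      <Data Name="HandleId">0x3a4</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>4663</EventID><TimeCreated SystemTime="2018-11-30T14:06:02.310Z"/></System>
    <EventData>
      <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1001</Data>
      <Data Name="SubjectUserName">visitor</Data>
      <Data Name="ObjectName">C:\Users\Public\readme.txt</Data>
      <Data Name="HandleId">0x3b0</Data>
      <Data Name="AccessMask">0x1</Data>
    </EventData>
  </Event>
</Events>"""


def parse_events(xml_text: str) -> List[dict]:
    """Flatten each <Event> into a dict of EventID, time and its EventData fields."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({"id": eid, "time": when, **data})
    return events


def deletions_by_sid(events: Iterable[dict]) -> Dict[str, List[Tuple[str, str]]]:
    """Pair each 4660 with the 4663 that opened the same handle for DELETE."""
    opened: Dict[str, dict] = {}
    result: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for e in events:
        if e["id"] == 4663 and int(e.get("AccessMask", "0"), 16) & DELETE:
            opened[e["HandleId"]] = e
        elif e["id"] == 4660:
            opener = opened.get(e["HandleId"])
            name = opener["ObjectName"] if opener else "<handle not seen>"
            result[e["SubjectUserSid"]].append((e["time"], name))
    return dict(result)


def unexpected_sids(events: Iterable[dict], known: Iterable[str]) -> List[str]:
    """SIDs appearing as subjects that are not in the list you have already accounted for."""
    seen = {e["SubjectUserSid"] for e in events if "SubjectUserSid" in e}
    return sorted(seen - set(known))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS_XML)
    print(deletions_by_sid(evs))
    print(unexpected_sids(evs, ["S-1-5-18", "S-1-5-32-544", "S-1-5-21-1111-2222-3333-1000"]))
```

The 4660 record carries no object name of its own, which is why the HandleId join is needed; if the log has rolled over between the two records, the deletion is still attributable to a SID but not to a file, so keep that gap explicit in the report.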
Page 1 / 2