Deleted files & user SID


Re: Deleted files & user SID

Post Posted: Mon Dec 03, 2018 4:39 pm

If you are lucky, there may be evidence of the deletion in the $UsnJrnl. This will tell you who did the deleting and also what else was happening around the same time.

Check out:

Re-introducing $UsnJrnl

Jim

www.binarymarkup.com

JimC
Member
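An added example to go with the $UsnJrnl suggestion above (my own code, not from this thread or from binarymarkup.com): a minimal parser for the USN_RECORD_V2 entries in $UsnJrnl:$J that steps over the sparse zero regions at the start of the stream and pulls out records whose close carried FILE_DELETE, giving the timestamp, file name and parent MFT entry to drop into a timeline. The field layout and reason flags follow the Win32 USN_RECORD_V2 definition; the $J fragment is constructed for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone
# USN_RECORD_V2 reason flags (subset) as defined in winioctl.h
USN_REASON_FILE_CREATE, USN_REASON_FILE_DELETE = 0x00000100, 0x00000200
USN_REASON_CLOSE = 0x80000000

HEADER = struct.Struct("<IHHQQQqIIIIHH")   # 60-byte fixed part of USN_RECORD_V2
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100 ns ticks

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def parse_usn_records(data):
    """Yield one dict per USN_RECORD_V2 in a $UsnJrnl:$J buffer. The stream is
    sparse, so runs of zero bytes (never-written journal space) are stepped over."""
    off = 0
    while off + HEADER.size <= len(data):
        f = HEADER.unpack_from(data, off)
        length, major, name_len, name_off = f[0], f[1], f[11], f[12]
        if length == 0:                      # zeroed region: advance 8 bytes and retry
            off += 8
            continue
        if major != 2 or length < HEADER.size or off + length > len(data):
            raise ValueError(f"malformed record at offset {off}")
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"usn": f[5], "timestamp": filetime_to_dt(f[6]), "reason": f[7],
               "file_ref": f[3] & 0xFFFFFFFFFFFF,      # low 48 bits = MFT entry number
               "parent_ref": f[4] & 0xFFFFFFFFFFFF, "name": name}
        off += length                        # RecordLength is already 8-byte aligned

def deletions(data):
    """(timestamp, name, parent MFT entry) for each record closed with FILE_DELETE set."""
    want = USN_REASON_FILE_DELETE | USN_REASON_CLOSE
    return [(r["timestamp"], r["name"], r["parent_ref"])
            for r in parse_usn_records(data) if r["reason"] & want == want]

def build_record(usn, ft, reason, frn, parent, name):
    """Constructed sample record for this demo (not captured from a real volume)."""
    enc = name.encode("utf-16-le")
    length = (HEADER.size + len(enc) + 7) & ~7   # pad to 8-byte boundary
    rec = HEADER.pack(length, 2, 0, frn, parent, usn, ft, reason, 0, 0, 0x20, len(enc), HEADER.size)
    return (rec + enc).ljust(length, b"\x00")

# Constructed $J fragment: 16 bytes of sparse padding, a create, then a delete+close.
T = dt_to_filetime(datetime(2018, 12, 3, 16, 39, tzinfo=timezone.utc))
SAMPLE = (b"\x00" * 16
          + build_record(16, T - 600 * 10_000_000, USN_REASON_FILE_CREATE | USN_REASON_CLOSE, 0x1000000000042, 5, "report.docx")
          + build_record(104, T, USN_REASON_FILE_DELETE | USN_REASON_CLOSE, 0x1000000000042, 5, "report.docx"))
```

For a $J measured in tens of gigabytes, pass the parser an mmap of the extracted stream rather than reading it whole into memory. The record itself does not identify the account that made the change, so the "who" still comes from correlating these timestamps with logon sessions and the event logs.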
 
 
  

Re: Deleted files & user SID

Post Posted: Tue Dec 04, 2018 5:20 am

- JimC
If you are lucky, there may be evidence of the deletion in the $UsnJrnl. This will tell you who did the deleting and also what else was happening around the same time.


Excellent, and summing up everything suggested, besides the specifics, leads us to the *need* for a complete timeline of the system, possibly "augmented" with external data (as an example only, entry card swipes or anyway presence in the office) related to the possible suspects.

In other words, if you can detail the "when", then it might be possible to - if not prove at least - reasonably state with a good level of confidence the "who".

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Deleted files & user SID

Post Posted: Wed Dec 05, 2018 7:49 am

You might want to consider looking at the Windows Event Logs. If you have the ability to sort by the SID, you can look to see if there is a non-admin SID that you have not accounted for. You can then look at the log itself to see the user name.

kastajamah
Member
 
 
  

Re: Deleted files & user SID

Post Posted: Wed Dec 05, 2018 2:43 pm

- JimC
If you are lucky, there may be evidence of the deletion in the $UsnJrnl. This will tell you who did the deleting and also what else was happening around the same time.

Check out:

Re-introducing $UsnJrnl

Jim

www.binarymarkup.com


Thanks a ton, Jim. I found the $J ADS and it is 76 GB... I have some fun digging ahead.

jparsont03
Newbie
 
 
  

Re: Deleted files & user SID

Post Posted: Thu Dec 06, 2018 3:30 am

- jparsont03
Thanks a ton, Jim. I found the $J ADS and it is 76 GB... I have some fun digging ahead.


Don't know what tool you're using, but there is a pretty good EnScript for parsing out USN journal artefacts if you have EnCase. It has saved me a lot of time in the past!

hectic_forensics
Member
 
 
