Deleted files & user SID


JimC
Senior Member
 

Re: Deleted files & user SID

Posted: Dec 03, 18 23:39

If you are lucky, there may be evidence of the deletion in the $UsnJrnl. This will tell you who did the deleting and also what else was happening around the same time.

Check out:

Re-introducing $UsnJrnl

Jim

www.binarymarkup.com  
 
  

jaclaz
Senior Member
 

Re: Deleted files & user SID

Posted: Dec 04, 18 12:20

JimC wrote:
> If you are lucky, there may be evidence of the deletion in the $UsnJrnl. This will tell you who did the deleting and also what else was happening around the same time.


Excellent, and summing up everything suggested, besides the specifics, leads us to the *need* for a complete timeline of the system, possibly "augmented" with external data (as an example only, entry card swipes or anyway presence in the office) related to the possible suspects.

In other words, if you can detail the "when", then it might be possible to - if not prove at least - reasonably state with a good level of confidence the "who".

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

kastajamah
Senior Member
 

Re: Deleted files & user SID

Posted: Dec 05, 18 14:49

You might want to consider looking at the Windows Event Logs. If you have the ability to sort by the SID, you can look to see if there is a non-admin SID that you have not accounted for. You can then look at the log itself to see the user name.
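As an added example of the approach kastajamah describes (not code from the thread): parse Security events exported in Windows Event XML form, group the object-access events by SubjectUserSid, and list any SID the analyst has not yet accounted for, together with the user name the log carries for it. The event IDs 4660 ("An object was deleted") and 4663 ("An attempt was made to access an object") are the standard Security log IDs for file auditing, but they only exist if object-access auditing and a SACL on the folder were enabled before the deletion; the XML, SIDs, names and paths below are constructed for the example.

```python
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Security log events that carry the acting account's SID for a file operation:
# 4660 "An object was deleted" (no ObjectName; correlate via HandleId to 4663),
# 4663 "An attempt was made to access an object" (has ObjectName/AccessMask).
OBJECT_EVENTS = {4660, 4663}

# Constructed sample in Windows Event XML form (the shape `wevtutil qe` or
# Get-WinEvent ... ToXml() export). SIDs, names, times and paths are invented.
SAMPLE_EVENTS_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4624</EventID><TimeCreated SystemTime="2018-12-03T23:30:00.000Z"/></System>
 <EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
 <Data Name="TargetUserSid">S-1-5-21-1111-2222-3333-1105</Data>
 <Data Name="TargetUserName">jdoe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4663</EventID><TimeCreated SystemTime="2018-12-03T23:38:40.000Z"/></System>
 <EventData><Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1105</Data>
 <Data Name="SubjectUserName">jdoe</Data>
 <Data Name="ObjectName">C:\Shared\payroll.xlsx</Data>
 <Data Name="AccessMask">0x10000</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4660</EventID><TimeCreated SystemTime="2018-12-03T23:39:00.000Z"/></System>
 <EventData><Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-1105</Data>
 <Data Name="SubjectUserName">jdoe</Data>
 <Data Name="HandleId">0x1a4</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4663</EventID><TimeCreated SystemTime="2018-12-04T08:02:11.000Z"/></System>
 <EventData><Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-500</Data>
 <Data Name="SubjectUserName">Administrator</Data>
 <Data Name="ObjectName">C:\Shared\budget.xlsx</Data>
 <Data Name="AccessMask">0x80</Data></EventData>
</Event>
</Events>"""


def iter_events(xml_text):
    """Yield (event_id, time_created, {Data Name: value}) for each <Event>."""
    root = ET.fromstring(xml_text)
    for ev in root.iter("{%s}Event" % EVT_NS["e"]):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=EVT_NS))
        when = ev.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime")
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", EVT_NS)}
        yield eid, when, data


def summarize_by_sid(xml_text, event_ids=OBJECT_EVENTS):
    """Group object-access/delete events by the acting account's SID."""
    summary = {}
    for eid, when, data in iter_events(xml_text):
        if eid not in event_ids or "SubjectUserSid" not in data:
            continue  # logons etc. are left to the timeline, not this summary
        sid = data["SubjectUserSid"]
        entry = summary.setdefault(sid, {
            "user": data.get("SubjectUserName", "?"),
            "count": 0, "first": when, "last": when,
            "event_ids": set(), "objects": set(),
        })
        entry["count"] += 1
        entry["first"] = min(entry["first"], when)  # ISO-8601 sorts as text
        entry["last"] = max(entry["last"], when)
        entry["event_ids"].add(eid)
        if data.get("ObjectName"):
            entry["objects"].add(data["ObjectName"])
    return summary


def unaccounted_sids(summary, accounted_for):
    """SIDs present in the log that the analyst has not yet attributed."""
    return sorted(sid for sid in summary if sid not in accounted_for)


if __name__ == "__main__":
    by_sid = summarize_by_sid(SAMPLE_EVENTS_XML)
    known = {"S-1-5-18", "S-1-5-21-1111-2222-3333-500"}  # SYSTEM, built-in Administrator
    for sid in unaccounted_sids(by_sid, known):
        e = by_sid[sid]
        print(sid, e["user"], e["count"], e["first"], e["last"], sorted(e["objects"]))
```

The 4660 record itself does not name the file; it shares a HandleId with the 4663 that opened the object, so the object name is taken from whichever event in the group carries one. Pass the analyst's list of accounted-for SIDs (built-in Administrator RID 500, SYSTEM, the known admins) to `unaccounted_sids` and what remains is the short list worth reading in full.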
 
  

jparsont03
Newbie
 

Re: Deleted files & user SID

Posted: Dec 05, 18 21:43

JimC wrote:
> If you are lucky, there may be evidence of the deletion in the $UsnJrnl. This will tell you who did the deleting and also what else was happening around the same time.
>
> Check out:
>
> Re-introducing $UsnJrnl
>
> Jim
>
> www.binarymarkup.com


Thanks a ton, Jim. I found the $J ADS and it is 76 GB... I have some fun digging ahead.
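An added example, not code from the thread or from the article JimC links, showing what "digging" through $UsnJrnl:$J looks like at the record level: a parser for USN_RECORD_V2 (the 60-byte fixed header followed by a UTF-16LE file name, as documented in winioctl.h) that walks the stream, skips the zero-filled gaps a sparse $J contains, and returns every record whose Reason carries USN_REASON_FILE_DELETE with its timestamp and name. The journal fragment below is constructed with a small builder so the example runs offline; the USN values, file names, reference numbers and times are invented. Note that a USN record does not carry the acting user's account SID (SecurityId is an index into $Secure for the file's descriptor), which is why the deletion time it gives has to be put on the system timeline, as jaclaz says, to get to the "who".

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_REASON_* flags from the Windows SDK (winioctl.h); the subset used here.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}
USN_REASON_FILE_DELETE = 0x00000200

# Fixed part of USN_RECORD_V2 (little-endian, 60 bytes): RecordLength,
# MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes,
# FileNameLength, FileNameOffset. FileName (UTF-16LE) sits at FileNameOffset.
HEADER = struct.Struct("<IHHQQqqIIIIHH")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def decode_reason(reason):
    names = [name for bit, name in REASON_FLAGS.items() if reason & bit]
    return "|".join(names) if names else hex(reason)


def parse_usn_records(data):
    """Yield one dict per USN_RECORD_V2 in `data` (the raw $J stream).

    $J is sparse, so long runs of zero bytes lie between live records; a zero
    RecordLength is treated as padding and skipped in 8-byte steps, since
    records are always 8-byte aligned. Works on bytes or an mmap.
    """
    off = 0
    while off + HEADER.size <= len(data):
        rec_len = struct.unpack_from("<I", data, off)[0]
        if rec_len == 0:
            off += 8
            continue
        if rec_len < HEADER.size or rec_len % 8 or off + rec_len > len(data):
            break  # truncated or corrupt record: stop rather than guess
        (_, major, _minor, frn, parent_frn, usn, ts, reason, _src,
         _sec_id, _attrs, name_len, name_off) = HEADER.unpack_from(data, off)
        if major == 2:  # V3/V4 records use 128-bit file references; not handled here
            start = off + name_off
            name = data[start:start + name_len].decode("utf-16-le", "replace")
            yield {
                "usn": usn,
                "timestamp": filetime_to_datetime(ts),
                "name": name,
                "frn": frn,
                "parent_frn": parent_frn,
                "reason": reason,
                "reason_text": decode_reason(reason),
            }
        off += rec_len


def find_deletions(data):
    """Records whose Reason carries USN_REASON_FILE_DELETE, in journal order."""
    return [r for r in parse_usn_records(data) if r["reason"] & USN_REASON_FILE_DELETE]


def build_record(usn, when, reason, name, frn=0x100000000002A, parent_frn=0x5000000000005):
    """Constructed USN_RECORD_V2 for the sample below (not captured data)."""
    name_bytes = name.encode("utf-16-le")
    length = (HEADER.size + len(name_bytes) + 7) & ~7   # pad to 8-byte boundary
    rec = bytearray(length)
    HEADER.pack_into(rec, 0, length, 2, 0, frn, parent_frn, usn,
                     datetime_to_filetime(when), reason, 0, 0, 0x20,
                     len(name_bytes), HEADER.size)
    rec[HEADER.size:HEADER.size + len(name_bytes)] = name_bytes
    return bytes(rec)


T0 = datetime(2018, 12, 3, 23, 38, 0, tzinfo=timezone.utc)
# Constructed $J fragment: create, write+close, a zero-filled gap, delete, rename.
SAMPLE_JOURNAL = b"".join([
    build_record(0x1000, T0, 0x00000100, "payroll.xlsx"),                          # FILE_CREATE
    build_record(0x1058, T0 + timedelta(seconds=5), 0x80000102, "payroll.xlsx"),   # CREATE|EXTEND|CLOSE
    bytes(64),                                                                     # sparse zero fill
    build_record(0x10F0, T0 + timedelta(seconds=60), 0x80000200, "payroll.xlsx"),  # FILE_DELETE|CLOSE
    build_record(0x1148, T0 + timedelta(seconds=90), 0x80002000, "notes.txt"),     # RENAME_NEW_NAME|CLOSE
])

if __name__ == "__main__":
    for r in find_deletions(SAMPLE_JOURNAL):
        print(r["timestamp"].isoformat(), hex(r["usn"]), r["name"], r["reason_text"])
```

For a 76 GB $J, do not read the stream into memory: open the extracted file and pass an `mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)` object to `find_deletions`, which only ever touches the header and the name of each record. Only the final file name is in the record; the full path has to be rebuilt by resolving `parent_frn` against the $MFT.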
 
  

hectic_forensics
Member
 

Re: Deleted files & user SID

Posted: Dec 06, 18 10:30

jparsont03 wrote:
> Thanks a ton, Jim. I found the $J ADS and it is 76 GB... I have some fun digging ahead.


Don't know what tool you're using, but there is a pretty good EnScript for parsing out USN journal artefacts if you have EnCase. It has saved me a lot of time in the past!
 

Page 2 of 2