Okay, this seems simple enough. We want an exportable list all the deleted files (whether recoverable or not) in a sort'able/chronological order. The idea is to show intent to delete evidence on or about a certain date.
We've tried numerous software titles (except EnCase and FTK), and none can export a list of deleted files with dates (last modified). We've tired recovering the files and creating a listing of them, however, the recovery results in only 50% of the total deleted files.
Is anyone aware of a method to pipe/export deleted files to a sort'able list?
First, show intent? If that is your goal hire a professional, because intent, eeek. Otherwise your case will be over before you start. If you are just looking for info read on.
Obviously this is very easy in EnCase, FTK, X-Ways Forensics, ProDiscover, etc., but I am guessing, and only guessing, that you do not want to spend money on this theoretical project and are looking for an open source tool? Have you looked into The Sleuth Kit? Many evidence search techniques available, but not a tool that you are going to sit down with and master in a few hours.
You probably already know this, but oftentimes file properties are not recovered with their associated deleted file. I use FTK, EnCase, and WinHex and I found that to be the case in each of them. As far as intent goes, that's difficult but I've had luck looking at log files, registry files, and any back-up files to find data suggestive of what may have been going on with the files before it was deleted. Though this is usually very time consuming.
-Dawson
DirectorySnoop "export to *.csv"
First, show intent? If that is your goal hire a professional, because intent, eeek. Otherwise your case will be over before you start. If you are just looking for info read on.
Obviously this is very easy in EnCase, FTK, X-Ways Forensics, ProDiscover, etc., but I am guessing, and only guessing, that you do not want to spend money on this theoretical project and are looking for an open source tool? Have you looked into The Sleuth Kit? Many evidence search techniques available, but not a tool that you are going to sit down with and master in a few hours.
X-Ways and ProDiscover don't do it - we've got both. FLS (in Sleuth Kit) was recommended by another colleague but we've been unable to get the results we need from it. Because you've mentioned it, I think we'll go back and spend some more time on it - maybe we've missed something.
Thanks
DirectorySnoop "export to *.csv"
Hmmm this looks like its got potential. I'm downloading the demo now. I will update on my progress.
Thanks!
X-Ways and ProDiscover don't do it
I do not have PD with me, but in X-Ways, when you highlight or check the files, right-click and select "Export List" and you select the name and then select the fields in the Export list dialog box, that is not what you want?
Just an update. DirectorySnoop provided exactly what was needed. All that is needed is a validation of the product to ensure it's results are comparable to other tools we're using. Thanks again for the tip.