Deleted files & user SID

(@jparsont03)
Active Member
Joined: 8 years ago
Posts: 7
Topic starter  

If you are lucky, there may be evidence of the deletion in the $UsnJrnl. This will tell you who did the deleting and also what else was happening around the same time.

Check out

Re-introducing $UsnJrnl

Jim

www.binarymarkup.com

Thanks a ton, Jim. I found the $J ADS and it is 76 GB… I have some fun digging ahead. 8)


   
hectic_forensics
(@hectic_forensics)
Eminent Member
Joined: 7 years ago
Posts: 40
 

Thanks a ton, Jim. I found the $J ADS and it is 76 GB… I have some fun digging ahead. 8)

Don't know what tool you're using, but there is a pretty good EnScript for parsing out USN journal artefacts if you have EnCase. It has saved me a lot of time in the past! :D
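For readers without EnCase, here is an added example (not code from this thread or from the EnScript mentioned above) that does the same job for the two posts above: a minimal parser for the USN_RECORD_V2 entries that make up the $J stream, run over constructed sample records, listing the FILE_DELETE events together with the parent MFT entry you need to rebuild the path from $MFT. Field offsets and reason flag values follow the USN_RECORD_V2 layout from the Windows SDK; the journal bytes, names and timestamps are constructed test data.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed header (60 bytes, little-endian), per the Windows SDK layout.
HDR = struct.Struct("<IHHQQqqIIIIHH")
FILE_DELETE = 0x00000200
REASONS = {  # subset of the USN_REASON_* flags
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME", 0x80000000: "CLOSE",
}

def reason_names(reason):
    return "|".join(n for bit, n in sorted(REASONS.items()) if reason & bit)

def filetime_to_dt(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn_v2(buf):
    """Return the records in a $J byte buffer, skipping its sparse zero fill."""
    off, records = 0, []
    while off + HDR.size <= len(buf):
        if buf[off:off + 8] == bytes(8):  # zero run: the unallocated part of $J
            off += 8
            continue
        (rec_len, major, _minor, frn, parent, usn, ts, reason,
         _src, _sec_id, attrs, name_len, name_off) = HDR.unpack_from(buf, off)
        if major != 2 or rec_len < HDR.size or off + rec_len > len(buf):
            break  # unknown version or truncated record: stop rather than misparse
        # Note: SecurityId is an index into $Secure, not the acting user's SID.
        start = off + name_off
        records.append({
            "usn": usn, "time": filetime_to_dt(ts), "flags": reason, "attrs": attrs,
            "reason": reason_names(reason), "frn": frn,
            "name": buf[start:start + name_len].decode("utf-16-le"),
            "parent_entry": parent & 0xFFFFFFFFFFFF,  # MFT entry number of the parent directory
        })
        off += rec_len
    return records

def deletions(records):
    """Only the records carrying FILE_DELETE."""
    return [r for r in records if r["flags"] & FILE_DELETE]

def build_record(usn, name, reason, frn, parent, ts):
    """Construct a USN_RECORD_V2 for the sample below (test data, not a real journal)."""
    nm = name.encode("utf-16-le")
    length = (HDR.size + len(nm) + 7) & ~7  # records are 8-byte aligned
    hdr = HDR.pack(length, 2, 0, frn, parent, usn, ts, reason, 0, 0, 0x20, len(nm), HDR.size)
    return (hdr + nm).ljust(length, b"\0")

T0 = 132_000_000_000_000_000  # a FILETIME in 2019 (constructed)
SAMPLE_J = (bytes(16) + build_record(1024, "notes.txt", 0x80000100, 0x2000000000007A, 0x5, T0)
            + build_record(1120, "other.log", 0x00000002, 0x10000000000081, 0x5, T0 + 10**7)
            + build_record(1216, "notes.txt", 0x80000200, 0x2000000000007A, 0x5, T0 + 3 * 10**7))

if __name__ == "__main__":
    for r in deletions(parse_usn_v2(SAMPLE_J)):
        print(r["time"].isoformat(), r["name"], "parent MFT entry", r["parent_entry"], r["reason"])
```

On a 76 GB $J most of the stream is sparse zero fill, so the skip at the top of the loop is what keeps the parse tractable; point `parse_usn_v2` at the extracted stream in chunks rather than reading it all into memory.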


   