Topic starter
05/12/2018 9:43 pm
If you are lucky, there may be evidence of the deletion in the $UsnJrnl. This will tell you who did the deleting and also what else was happening around the same time.
Check out
Re-introducing $UsnJrnl Jim
www.binarymarkup.com
Thanks a ton, Jim. I found the $J ADS and it is 76 GB… I have some fun digging ahead. 8)
06/12/2018 10:30 am
Thanks a ton, Jim. I found the $J ADS and it is 76 GB… I have some fun digging ahead. 8)
Don't know what tool you're using, but there is a pretty good EnScript for parsing out USN journal artefacts if you have EnCase. It has saved me a lot of time in the past! D
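A minimal way to pull deletion records out of an exported $J stream, added here as an illustration; it is not part of any post in this thread, nor taken from the linked article or the EnScript mentioned. It assumes USN_RECORD_V2 records; the function names and the sample records are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

USN_V2_HEADER = struct.Struct("<IHHQQqQIIIIHH")  # fixed 60-byte USN_RECORD_V2 header
USN_REASON_FILE_DELETE = 0x00000200
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def iter_usn_v2(buf):
    """Yield (usn, time, reason, mft_entry, parent_entry, name) for each V2 record."""
    pos, end = 0, len(buf)
    while pos + USN_V2_HEADER.size <= end:
        (length, major, _minor, fref, parent, usn, ts, reason,
         _src, _sid, _attrs, name_len, name_off) = USN_V2_HEADER.unpack_from(buf, pos)
        bad = (major != 2 or length < 60 or length % 8 or pos + length > end
               or name_off + name_len > length)
        if bad:
            # Zero fill (the sparse front of $J, page padding) or garbage:
            # records are 8-byte aligned, so resynchronise on the next boundary.
            pos += 8
            continue
        name = buf[pos + name_off:pos + name_off + name_len].decode("utf-16-le", "replace")
        # The low 48 bits of a file reference are the MFT entry number.
        yield (usn, filetime_to_utc(ts), reason,
               fref & 0xFFFFFFFFFFFF, parent & 0xFFFFFFFFFFFF, name)
        pos += length

def deletions(buf):
    """Return only the records whose reason mask includes FILE_DELETE."""
    return [r for r in iter_usn_v2(buf) if r[2] & USN_REASON_FILE_DELETE]

def build_record(usn, ft, reason, name, entry, parent=5):
    """Constructed test data: build one V2 record for the sample below."""
    raw = name.encode("utf-16-le")
    length = (60 + len(raw) + 7) & ~7
    hdr = USN_V2_HEADER.pack(length, 2, 0, entry, parent, usn, ft, reason,
                             0, 0, 0x20, len(raw), 60)
    return (hdr + raw).ljust(length, b"\0")

# Constructed sample: a sparse zero run, a rename record, then delete + close.
FT = 131884982000000000
SAMPLE = (b"\0" * 4096
          + build_record(4096, FT, 0x00002000, "report.docx", 1234)
          + build_record(4184, FT + 50_000_000, 0x80000200, "report.docx", 1234))

if __name__ == "__main__":
    for usn, ts, reason, entry, parent, name in deletions(SAMPLE):
        print(f"{ts.isoformat()} USN={usn} MFT={entry} parent={parent} {name} {reason:#010x}")
```

`iter_usn_v2` also accepts an `mmap` of the exported stream, which avoids loading a very large, mostly sparse $J into memory.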