Finding evidence th...
 
Notifications
Clear all

Finding evidence that some files existed

3 Posts
3 Users
0 Reactions
181 Views
(@giuseppem)
Eminent Member
Joined: 8 years ago
Posts: 25
Topic starter  

Hello everyone.

I have a case where it's relevant to demonstrate that some files (for the most part .pdf and .doc) were deleted from a PC. The PC has been used for some years after the event. It's not important to recover the deleted files, but it's crucial to demonstrate that the files were there and has been cancelled. How do you proceed?

Thank you 

Regards


   
Quote
(@jefferson-macedo)
New Member
Joined: 3 weeks ago
Posts: 2
 

@giuseppem,

Since you haven't shared the operating system of the PC under investigation, I’ll assume you’re working on a Windows system. I’m also assuming that you have a forensic image, such as an E01, DD, or raw file, which allows you to navigate through the file system and retrieve relevant artifacts, correct?

Here are some artifacts worth examining:

  1. Recent Files / Jump Lists: Jump Lists store information about recently opened documents in applications like Adobe Reader (PDF) or Microsoft Word (DOC/DOCX). You can find specific file paths and, sometimes, timestamps showing when these files were accessed.

  2. LNK Files (Shortcuts): Windows automatically creates LNK (link) files when a user opens a document. These shortcut files record the file’s path and often contain metadata, such as creation, modification, and last access timestamps, indicating when the file was last opened.

  3. Prefetch Files: Prefetch files track applications executed on a Windows system, including Adobe Reader, Microsoft Word, or other applications used to open PDFs or DOCs. While Prefetch files won’t track specific PDFs or DOCs, they can provide insight into application usage and a timeline when correlated with other artifacts.

  4. UserAssist Registry: This registry key logs user activity, including documents opened via Windows Explorer, which could include PDF and DOC files.

Additionally, I suggest checking out Microsoft’s Security Guidance for Incident Responders: Microsoft Security Incident Response Guide. Combining an understanding of these forensic artifacts with tools such as those developed by Eric Zimmerman will likely help you in your investigation.

I hope this sheds some light on your problem!


   
ReplyQuote
(@mscotgrove)
Prominent Member
Joined: 16 years ago
Posts: 939
 

You are trying to find deleted files on a disk that has since been used for a few years.  Not impossible by extremely unlikely.  When deleted the drive space becomes free for new files who will overwrite the old space.

To try and find file I would suggest data carving as .pdf and .doc both have defined signatures.

 

To see if they ever existed, I would possibly scan the raw disk for the file names, as both UTF8 and unicode.  You may then need to work out any false positives.  Many logs tend to overrwite them selves over a period of time, and years is a long time


   
ReplyQuote
Share: