Identity identification for deleted files
I have just joined this forum because I work in Forensic IT matters, and I am currently working on something I had not faced yet. I would like someone to help me with this, because I believe that some of you have surely done something like this in the past.
My doubt is the following: is it possible to identify the identity of the user who has deleted a file? Is there a way to do this by examining the registry, or by using EnCase or any other software tool?
Moreover, there would be two clearly different situations:
a) A local user deletes a file. Is it possible to identify which user has done it?
b) A folder is network shared. Is it possible to identify which user, or at least from which IP the file has been deleted/cut?
Thank you in advance for your cooperation :)
To answer a), the response is, "yes", with the caveat of "…if the appropriate auditing (or some other monitoring mechanism) were enabled." The same answer _may_ hold true for b).
Ok… thank you. But, what if no monitoring is implemented? I mean, could I do something if I just had an image of the hard drive involved (a general EnCase/AccessData forensic investigation)?
Thank you so much!
1) For a file deleted locally on the system you can use rifiuti, a free Foundstone tool to examine the contents of the Recycle Bin. It is a command line tool. You will also need the sidtoname utility to decode the SID to a user ID, that you will see in the Recycle Bin.
A second option: if you create a forensic image with the free FTK Imager and open the image in FTK Imager, it will let you examine the Recycle Bin contents.
2) For a file deleted on a network share you need to look for event ID 564 in the server's security log. For an object for which successful delete access has been enabled for auditing, Event 564 is logged upon actual deletion. To determine the name of the object deleted, look for a prior event 560 with the same handle ID.
Email me offline if you need more help. I have been in this situation plenty of times.
Your comments are being very useful! Thank you!
However… how can I analyse that "Security Event Log"? Is there any file I can look into for this kind of info?
Log on to the server where the share is located. Go into Control Panel, then Administrative Tools. Open up Event Viewer and choose the Security log. You can apply the built-in filter for the event IDs I mentioned earlier.
I usually dump the Security Event log using various tools, but a good one if the log is on a network is dumpevt by Somarsoft. This will put it in a comma-separated file which can be easily imported into Excel or any other spreadsheet. You can filter, sort, multi-sort, etc.
It's a free tool as well.
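The correlation described in this thread (each event 564 matched to the prior event 560 with the same handle ID, run over a Security log exported to a comma-separated file), as an added example that is not part of any post. The column names and sample rows are constructed for illustration and do not reflect dumpevt's actual output format.

```python
import csv
import io

OPEN_EVENT, DELETE_EVENT = "560", "564"

# Constructed sample export; column names are assumptions of this example.
# Handle 1432 is reused, and the last 564 has no 560 left in the log.
SAMPLE_CSV = """time,event_id,user,handle_id,object_name
2005-03-14 09:12:01,560,CORP\\alice,1432,D:\\Share\\plan.doc
2005-03-14 09:12:02,564,,1432,
2005-03-14 09:40:10,560,CORP\\bob,1432,D:\\Share\\budget.xls
2005-03-14 09:40:11,564,,1432,
2005-03-14 10:05:30,564,,2210,
"""

def load_rows(text):
    """Read the exported log into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(text)))

def correlate_deletions(rows):
    """Pair each 564 with the latest earlier 560 that has the same handle ID."""
    open_by_handle = {}
    findings = []
    for row in sorted(rows, key=lambda r: r["time"]):
        if row["event_id"] == OPEN_EVENT:
            # Handle IDs are reused, so the newest open replaces older ones.
            open_by_handle[row["handle_id"]] = row
        elif row["event_id"] == DELETE_EVENT:
            opened = open_by_handle.pop(row["handle_id"], None)
            findings.append({
                "deleted_at": row["time"],
                "handle_id": row["handle_id"],
                # None means the matching 560 is not in this export.
                "object_name": opened["object_name"] if opened else None,
                "user": opened["user"] if opened else None,
            })
    return findings

if __name__ == "__main__":
    for f in correlate_deletions(load_rows(SAMPLE_CSV)):
        print(f["deleted_at"], f["user"] or "<no 560 found>",
              f["object_name"] or "<unknown object>")
```

A 564 with no matching 560 still gives a deletion time, which can be compared against other evidence of who was logged on.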
arashiryu's comments are good ones, but there are a couple of caveats.
First, rifiuti only works if the file had been deleted in a manner that deposits it in the Recycle Bin. Using the "del" command from the command prompt bypasses the Recycle Bin.
Second, looking for the event IDs is a good idea, but a waste of time if the appropriate auditing hasn't been enabled.
Yes… I have just realized that sometimes the Event Logger isn't activated… as in the case I'm working on!! :D
Any other suggestions then??
I recommend you get auditing turned on right away on the server and the client workstations. At least security related events like logon, logoff etc…
You might wanna get a forensic image of the server and the workstations in question and process them with some forensics tools.
Yeah! I know that's what should have been done… but it's not my server (it's the client's), I just have to do the forensic investigation. That's why I wanted to know if any of you have any methodology for this situation where there isn't any log; just the EnCase image is available. Once more (sorry for being such a pain :D): does anyone have any suggestion (about tools, methodology for this kind of investigation)?
Anyway… thank you all folks for being so collaborative!! 😉
With no event logs and the correlation you are looking for, this is going to take some effort.
I would at least start working in EnCase meanwhile.
Let EnCase recover/carve out the deleted files and see if you can get any metadata from the recovered files.
This may not help, but in Windows 2000 the registry uses 'autosync' to keep track of when a user last logged into the system. So say that the user logged in and deleted a bunch of stuff and never logs in again. Autosync can show the last time that user was logged in and hopefully he deleted the files during that time.
Another way to go about this is if you can check who was logged in to the system when the files were deleted, relying of course on whether you can get the datetime they were deleted. I suppose you would need auditing turned on for all this. But maybe there are other ways. Does anyone know if the domain controller stores info about user log-in events, etc.?
Anyway, just an idea, I thought I'd float…
Yes, arashiryu, I had already thought about something like that: maybe metadata of Office documents may help, just to know who was the last person who modified any of the documents. Thank you for the advice.
However, what seems to me a very interesting idea is the one ifindstuffucantfind and koko are commenting on. I have been surfing my own registry (I still don't have access to the server I want to analyse) and I can't find that "autosync" registry key. Does anyone know where I could find information about users logging on and the date/time of those connections? Thank you all!