Identity identification for deleted files

iruiper
(@iruiper)
Active Member

Hello everybody,

I have just joined this forum because I work in Forensic IT matters, and I am currently working on something I had not faced yet. I would like someone to help me with this, because I believe that some of you have surely done something like this in the past.

My question is the following: is it possible to identify the user who has deleted a file? Is there a way to do this by examining the registry, or by using EnCase or any other software tool?

Moreover, there would be two clearly different situations:
a) A local user deletes a file. Is it possible to identify which user has done it?
b) A folder is network shared. Is it possible to identify which user, or at least from which IP, the file has been deleted/cut?

Thank you in advance for your cooperation :)

Posted : 21/03/2006 4:50 pm
keydet89
(@keydet89)
Community Legend

To answer a), the response is, "yes", with the caveat of "…if the appropriate auditing (or some other monitoring mechanism) were enabled." The same answer _may_ hold true for b).

Harlan

Posted : 21/03/2006 5:03 pm
iruiper
(@iruiper)
Active Member

Ok… thank you. But, what if no monitoring is implemented? I mean, could I do something if I just had an image of the hard drive involved (a general EnCase/AccessData forensic investigation)?

Thank you so much!

Posted : 21/03/2006 5:29 pm
arashiryu
(@arashiryu)
Active Member

1) For a file deleted locally on the system you can use rifiuti, a free Foundstone tool, to examine the contents of the Recycle Bin. It is a command-line tool. You will also need the sidtoname utility to decode the SID that you will see in the Recycle Bin to a user ID.
A second option is to create a forensic image with the free FTK Imager and open the image in FTK Imager; it will let you examine the Recycle Bin contents.

2) For a file deleted on a network share you need to look for event ID 564 in the server's security log. When an object for which successful delete access has been enabled for auditing is actually deleted, event 564 is logged. To determine the name of the object deleted, look for a prior event 560 with the same handle ID.

Email me offline if you need more help. I have been in this situation plenty of times.

Posted : 21/03/2006 6:30 pm
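As an added illustration of the first point above (this is example code written for this page, not rifiuti or anything from the poster), the following Python parses the Windows 2000/XP `INFO2` index that sits in each per-user `RECYCLER\<SID>\` folder and attributes every record to the SID that owns the bin. The record layout assumed here (20-byte header, 800-byte records: 260-byte ANSI path, index, drive number, FILETIME, size, 520-byte Unicode path) is the one rifiuti documents; the `INFO2` blob, the SID and the SID-to-account table are all constructed stand-ins for a real image and for what sidtoname or the `ProfileList` registry key would return.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 index and attribute each
deletion to the account that owns the per-user bin (added example)."""
import ntpath
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 20     # INFO2 header on Windows 2000/XP
RECORD_SIZE = 800    # 280-byte ANSI part + 520-byte Unicode path

# Constructed stand-in for the SID -> account mapping that sidtoname or the
# HKLM\SOFTWARE\...\ProfileList key would give on the real system.
SAMPLE_PROFILES = {"S-1-5-21-1000-2000-3000-1004": "CORP\\jsmith"}


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_info2(data):
    """Return one dict per 800-byte record in an INFO2 blob."""
    version, _, _, rec_size, _total = struct.unpack_from("<5I", data, 0)
    if rec_size != RECORD_SIZE:
        raise ValueError(f"unexpected INFO2 record size {rec_size} (version {version})")
    records = []
    for off in range(HEADER_SIZE, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        index, drive = struct.unpack_from("<II", rec, 260)
        ft, size = struct.unpack_from("<QI", rec, 268)
        unicode_path = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
        records.append({
            "index": index,
            "drive": chr(ord("a") + drive),
            "original_path": unicode_path,
            # The first ANSI byte is zeroed when the file is restored or the bin
            # emptied; the record lingers, and the Unicode copy still names it.
            "still_in_bin": rec[0] != 0,
            "deleted_at": filetime_to_datetime(ft),
            "size": size,
        })
    return records


def bin_name(rec):
    """Name the file carries inside RECYCLER\\<SID>\\, e.g. Dc1.doc."""
    return f"D{rec['drive']}{rec['index']}{ntpath.splitext(rec['original_path'])[1]}"


def sid_from_info2_path(path):
    """C:\\RECYCLER\\S-1-5-21-...-1004\\INFO2 -> the SID of the bin's owner."""
    for part in path.replace("/", "\\").split("\\"):
        if part.upper().startswith("S-1-5-"):
            return part
    raise ValueError(f"no SID component in {path!r}")


def attribute_deletions(info2_path, data, sid_to_account):
    sid = sid_from_info2_path(info2_path)
    account = sid_to_account.get(sid, f"<unresolved {sid}>")
    return [dict(r, sid=sid, account=account, bin_name=bin_name(r)) for r in parse_info2(data)]


def build_record(path, index, drive, deleted_at, size, emptied=False):
    """Constructed INFO2 record, laid out as described above."""
    rec = bytearray(RECORD_SIZE)
    ansi = path.encode("cp1252")[:259]
    rec[:len(ansi)] = ansi
    if emptied:
        rec[0] = 0
    struct.pack_into("<II", rec, 260, index, drive)
    struct.pack_into("<QI", rec, 268, datetime_to_filetime(deleted_at), size)
    uni = path.encode("utf-16-le")[:518]
    rec[280:280 + len(uni)] = uni
    return bytes(rec)


def build_sample_info2():
    """Constructed blob: one file still in the bin, one already purged."""
    header = struct.pack("<5I", 5, 0, 0, RECORD_SIZE, 0)
    r1 = build_record(r"C:\Documents and Settings\jsmith\My Documents\contract.doc",
                      1, 2, datetime(2006, 3, 21, 16, 50, tzinfo=timezone.utc), 49152)
    r2 = build_record(r"D:\Projects\old-notes.txt",
                      2, 3, datetime(2006, 3, 21, 17, 3, tzinfo=timezone.utc), 2048, emptied=True)
    return header + r1 + r2


if __name__ == "__main__":
    blob = build_sample_info2()
    for d in attribute_deletions(r"C:\RECYCLER\S-1-5-21-1000-2000-3000-1004\INFO2", blob, SAMPLE_PROFILES):
        print(d["deleted_at"], d["account"], d["bin_name"], d["original_path"], "in bin" if d["still_in_bin"] else "purged")
```

The attribution comes from the folder the `INFO2` lives in, not from the record itself, so the SID of the parent directory is the evidence; the record only supplies the original path, the deletion time and the `Dc1.doc`-style name the file carries while in the bin.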
iruiper
(@iruiper)
Active Member

Your comments are very useful! Thank you!

However… how can I analyse that "Security Event Log"? Is there any file I can look into for this kind of info?

Greetings!

Posted : 21/03/2006 10:04 pm
arashiryu
(@arashiryu)
Active Member

Logon to the server where the share is located. Go into control panel then administrative tools. Open up event viewer and choose security log. You can apply the built in filter for the event ids I mentioned earlier.

Posted : 21/03/2006 10:39 pm
m7esec
(@m7esec)
Junior Member

I usually dump the Security Event Log using various tools, but a good one if the log is on a network is dumpevt by Somarsoft. This will put it in a comma-separated file which can be easily imported into Excel or any other spreadsheet. You can filter, sort, multi-sort, etc.

It's a free tool as well.

Posted : 21/03/2006 10:45 pm
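Once the Security log is in a CSV export as described above, the 560/564 pairing that arashiryu outlined earlier in the thread can be done in a few lines. The Python below is an added example for this page, not code from dumpevt or from any poster; the CSV it reads is constructed, with three columns (`Time`, `EventID`, `Description`) that are an assumption of this example rather than dumpevt's actual layout, and the `Key: value` description lines are the ones Windows 2000/2003 write for events 560, 562 and 564. It keys on Handle ID, which is the join field, and handles the two things that trip up a naive join: handle IDs are recycled, so a 564 must be matched to the most recent still-open 560, and a 564 with no preceding 560 means the open was never audited (or the log wrapped), which is exactly the gap keydet89 warns about.

```python
"""Tie each 'Object Deleted' (564) audit event to the 'Object Open' (560)
that named the file and the account holding the handle (added example)."""
import csv
import io
import re

FIELD_RE = re.compile(r"^\s*([^:]+):\s*(.*?)\s*$")

# Constructed export. Columns are this example's assumption, not dumpevt's.
SAMPLE_CSV = r'''Time,EventID,Description
2006-03-21 16:40:12,560,"Object Open:
 Object Name: D:\Shares\Projects\budget.xls
 Handle ID: 1120
 Process ID: 4
 Primary User Name: SYSTEM
 Primary Domain: NT AUTHORITY
 Primary Logon ID: (0x0,0x3E7)
 Client User Name: jsmith
 Client Domain: CORP
 Client Logon ID: (0x0,0x5A2F1)
 Accesses: DELETE"
2006-03-21 16:40:13,564,"Object Deleted:
 Handle ID: 1120"
2006-03-21 16:45:00,560,"Object Open:
 Object Name: D:\Shares\Projects\notes.txt
 Handle ID: 1120
 Process ID: 1784
 Primary User Name: mgarcia
 Primary Domain: FILESERVER
 Primary Logon ID: (0x0,0x1C3B9)
 Client User Name: -
 Client Domain: -
 Client Logon ID: -
 Accesses: DELETE"
2006-03-21 16:45:01,564,"Object Deleted:
 Handle ID: 1120"
2006-03-21 16:50:30,564,"Object Deleted:
 Handle ID: 2048"
'''


def parse_description(text):
    """Turn the event's 'Key: value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def load_rows(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return sorted(rows, key=lambda r: r["Time"])  # ISO-style times sort as text


def acting_account(fields):
    """Network clients appear in the Client* fields (the Server service opens
    the handle as SYSTEM while impersonating them); local users in Primary*."""
    client = fields.get("Client User Name", "-")
    if client and client != "-":
        return f"{fields.get('Client Domain', '')}\\{client}", True
    return f"{fields.get('Primary Domain', '')}\\{fields.get('Primary User Name', '')}", False


def correlate_deletes(rows):
    """Pair each 564 with the latest unmatched 560 carrying the same Handle ID."""
    open_handles = {}  # Handle ID -> (open time, parsed 560 fields)
    deletions = []
    for row in rows:
        event_id = int(row["EventID"])
        fields = parse_description(row["Description"])
        handle = fields.get("Handle ID")
        if event_id == 560:
            open_handles[handle] = (row["Time"], fields)  # IDs are reused: keep newest
        elif event_id == 562:
            open_handles.pop(handle, None)  # handle closed, stop matching on it
        elif event_id == 564:
            opened = open_handles.pop(handle, None)
            if opened is None:
                deletions.append({"time": row["Time"], "handle": handle, "object": None,
                                  "user": None, "via_network": None,
                                  "note": "no preceding 560 for this handle (audit gap, log wrap or truncated export)"})
                continue
            open_time, of = opened
            user, remote = acting_account(of)
            deletions.append({"time": row["Time"], "handle": handle, "opened_at": open_time,
                              "object": of.get("Object Name"), "user": user, "via_network": remote,
                              "logon_id": of.get("Client Logon ID") if remote else of.get("Primary Logon ID"),
                              "note": "" if "DELETE" in of.get("Accesses", "") else "open did not request DELETE"})
    return deletions


if __name__ == "__main__":
    for d in correlate_deletes(load_rows(SAMPLE_CSV)):
        print(d["time"], d["handle"], d["object"] or "?", d["user"] or "?", d["note"])
```

The 560 event identifies the remote user by name and logon ID, not by address; answering the "from which IP" half of the question needs the logon event that created that logon ID, which is a separate correlation.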
keydet89
(@keydet89)
Community Legend

iruiper,

arashiryu's comments are good ones, but there are a couple of caveats.

First, rifiuti only works if the file had been deleted in a manner that deposits it in the Recycle Bin. Using the "del" command from the command prompt bypasses the Recycle Bin.

Second, looking for the event IDs is a good idea, but a waste of time if the appropriate auditing hasn't been enabled.

Harlan

Posted : 21/03/2006 11:19 pm
iruiper
(@iruiper)
Active Member

Yes… I have just realized that sometimes the Event Logger isn't activated… as in the case I'm working on!! :D

Any other suggestions then??

Posted : 21/03/2006 11:25 pm
arashiryu
(@arashiryu)
Active Member

I recommend you get auditing turned on right away on the server and the client workstations. At least security related events like logon, logoff etc…

You might wanna get forensic image of the server and the workstations in question and process them with some forensics tools.

Posted : 22/03/2006 12:48 am
iruiper
(@iruiper)
Active Member

Yeah! I know that's what should have been done… but it's not my server (it's the client's), I just have to do the forensic investigation. That's why I wanted to know if any of you have any methodology for this situation where there isn't any log; just the EnCase image is available. Once more (sorry for being such a pain :D), does anyone have any suggestion (about tools, methodology for this kind of investigation)?

Anyway… thank you all folks for being so collaborative!! 😉

Posted : 22/03/2006 1:32 am
arashiryu
(@arashiryu)
Active Member

With no event logs and the correlation you are looking for, this is going to take some effort.

I would at least start working in EnCase meanwhile.

Let EnCase recover/carve out the deleted files and see if you can get any metadata from the recovered files.

Posted : 22/03/2006 2:18 am
ifindstuffucantfind
(@ifindstuffucantfind)
New Member

This may not help, but in Windows 2000 the registry uses 'autosync' to keep track of when a user last logged into the system. So say that the user logged in and deleted a bunch of stuff and never logs in again. Autosync can show the last time that user was logged in and hopefully he deleted the files during that time.

Posted : 22/03/2006 3:03 am
koko
(@koko)
New Member

Another way to go about this is to check who was logged in to the system when the files were deleted, relying of course on whether you can get the date/time they were deleted. I suppose you would need auditing turned on for all this, but maybe there are other ways. Does anyone know if the domain controller stores info about user log-in events, etc.?
Anyway, just an idea I thought I'd float…

Posted : 22/03/2006 3:12 am
iruiper
(@iruiper)
Active Member

Yes, arashiryu, I had already thought about something like that: maybe the metadata of Office documents may help, just to know who was the last person who modified any of the documents. Thank you for the advice.

However, what seems to me a very interesting idea is the one ifindstuffucantfind and koko are commenting on. I have been surfing my own registry (I still don't have access to the server I want to analyse) and I can't find that "autosync" registry key. Does anyone know where I could find information about users logging in and the date/time of those connections? Thank you all!

Posted : 22/03/2006 1:47 pm