Identity identification for deleted files

23 Posts
8 Users
0 Reactions
2,257 Views
iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145
Topic starter  

Yeah! I know that's what should have been done… but it's not my server (it's the client's), I just have to do the forensic investigation. That's why I wanted to know if any of you have any methodology for this situation where there isn't any log; just the EnCase image is available. Once more (sorry for being such a pain :D) does anyone have any suggestion (about tools, methodology for this kind of investigation)?

Anyway… thank you all folks for being so collaborative!! 😉

arashiryu
(@arashiryu)
Estimable Member
Joined: 20 years ago
Posts: 122
 

With no event logs and the correlation you are looking for, this is going to take some effort.

I would at least start working in EnCase meanwhile.

Let EnCase recover/carve out the deleted files and see if you can get any metadata from the recovered files.

(@ifindstuffucantfind)
New Member
Joined: 19 years ago
Posts: 3
 

this may not help, but in Windows 2000 the registry uses 'autosync' to keep track of when a user last logged into the system. so say that the user logged in and deleted a bunch of stuff and never logs in again. autosync can show the last time that user was logged in and hopefully he deleted the files during that time.

 koko
(@koko)
Eminent Member
Joined: 20 years ago
Posts: 21
 

another way to go about this is if you can check who was logged-in to the system when the files were deleted. relying of course on whether you can get the datetime they were deleted. i suppose you would need auditing turned on for all this. but maybe there are other ways. does anyone know if the domain controller stores info about user log-in events, etc.?
anyway, just an idea, i thought i'd float…

iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145
Topic starter  

Yes, arashiryu, I had already thought about something like that; maybe metadata of Office documents may help, just to know who was the last person who modified any of the documents. Thank you for the advice.

However, what seems to me a very interesting idea is the one ifindstuffucantfind and koko are commenting on. I have been surfing my own registry (I still don't have access to the server I want to analyse) and I can't find that "autosync" registry key. Does anyone know where I could find information about user logins and the date/time of those connections? Thank you all!

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

iruiper,

ifindstuffucantfind and koko have the right idea, although their approach might not be the best.

In order to log into a system, a user must have an account on the system. This information is maintained in the SAM portion of the Registry, which isn't normally accessible while the system is live.

On an imaged system, you can derive user information from the SAM file by parsing the V and F structures for each user. For more information on these structures, check out these two blog entries:

http://windowsir.blogspot.com/2006/03/proscript-posted.html
http://windowsir.blogspot.com/2006/02/determining-group-membership-from.html

I believe that there is an EnScript that does this sort of thing, but from the output I've seen posted to the Windows Forensic Analysis group on Yahoo, it doesn't include some information displayed by the ProScript I posted.

Hope this helps somewhat…

Harlan

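An added example of what Harlan describes, parsing the per-user F and V values from an offline SAM hive; this is not the ProScript or EnScript mentioned above, and the value offsets are the layout documented by public parsers (RegRipper's samparse), assumed here rather than stated in the thread:

```python
# Added example (not code from the thread): parse the F and V values found under
# SAM\Domains\Account\Users\<RID>; offsets assumed from public parsers (RegRipper samparse).
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME (100ns ticks since 1601) -> aware UTC datetime, None if unset."""
    return None if ft == 0 else WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - WIN_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_f(f):
    """Account metadata from the F value: logon times, RID, ACB flags, counters."""
    info = {
        "last_logon": filetime_to_datetime(struct.unpack_from("<Q", f, 0x08)[0]),
        "pwd_last_set": filetime_to_datetime(struct.unpack_from("<Q", f, 0x18)[0]),
        "acct_expires": filetime_to_datetime(struct.unpack_from("<Q", f, 0x20)[0]),
        "last_bad_pwd": filetime_to_datetime(struct.unpack_from("<Q", f, 0x28)[0]),
        "rid": struct.unpack_from("<I", f, 0x30)[0],
        "acb_flags": struct.unpack_from("<H", f, 0x38)[0],
    }
    info["failed_logons"], info["logon_count"] = struct.unpack_from("<HH", f, 0x40)
    return info


def parse_v(v):
    """Username, full name and comment from the V value (offsets are relative to 0xCC)."""
    out = {}
    for key, pos in (("username", 0x0C), ("fullname", 0x18), ("comment", 0x24)):
        ofs, length = struct.unpack_from("<II", v, pos)
        out[key] = v[0xCC + ofs:0xCC + ofs + length].decode("utf-16-le")
    return out


def build_sample_user():
    """Constructed F/V pair for a fictitious account 'jdoe' (RID 1005), for testing only."""
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x08, datetime_to_filetime(datetime(2006, 3, 14, 9, 30, tzinfo=timezone.utc)))
    struct.pack_into("<I", f, 0x30, 1005)
    struct.pack_into("<H", f, 0x38, 0x0010)  # ACB_NORMAL: ordinary user account
    struct.pack_into("<HH", f, 0x40, 2, 17)  # 2 failed logons, 17 successful
    v, blob = bytearray(0xCC), b""
    for pos, text in ((0x0C, "jdoe"), (0x18, "Jane Doe"), (0x24, "Finance share admin")):
        data = text.encode("utf-16-le")
        struct.pack_into("<II", v, pos, len(blob), len(data))
        blob += data
    return bytes(f), bytes(v) + blob
```

On a real image, feed `parse_f`/`parse_v` the raw F and V value data exported from the SAM hive with any offline registry library; the last-logon timestamp is what lets you line an account up against the deletion window.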
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

ifindstuffucantfind, et al,

Just an FYI about the autosync thing you mentioned…I got interested in it and started doing some research. Unfortunately, I can't do a lot of experimentation, as it seems that this has to do with Active Directory and Group Policies, and the sync'ing of offline files.

This KB article discusses an issue with regard to warnings and XP:
http://support.microsoft.com/default.aspx?scid=kb;en-us;320139

So, I'm not saying that anyone's wrong or incorrect, just pointing out something to be aware of when looking at this key…

H

Thomas
(@thomas)
Trusted Member
Joined: 19 years ago
Posts: 59
 

Hi, if you know from which workstation the files were deleted you can search the "recently used" folders in the profiles of that workstation. If you are lucky, you will find "traces" to the last opened files or folders in one of the user profiles. If there are any "startup cleaning tools" then those traces are also deleted. You then have to use an undelete program, like "recover my files". Good luck! Let us know if you succeed!

iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145
Topic starter  

Wow! I'm learning a lot from you, guys! Thank you. Now I'm involved in an urgent issue and the server with the deleted files will have to wait… but I promise to tell you my experience as soon as I do it 😉

 koko
(@koko)
Eminent Member
Joined: 20 years ago
Posts: 21
 

don't know if it helps or is interesting, but if the delete happened the last time that someone logged-in, you could look at modified dates of files in their profile's directory (documents and settings), especially (for certainty) the ones that are system or app related, like index.dat. in fact, if you knew the time period, you could do a search on modified date across the whole hard drive and see whose files were created/edited in your time period. undoubtedly there would be cookies, logfiles, etc. created while you're logged in. if they did any web browsing while logged-in, this should be easy. of course all this assumes that the user wasn't malicious and covered their tracks by changing dates. also, did the person log-in to their email from that machine? if they use caching mode in outlook, you could check dates inside the local .ost or .pst. also, if the person printed something there could be a log in the printer with date and username. there are potentially so many indirect ways.

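The modified-date sweep koko describes, as an added example that is not part of the thread: it walks a mounted image (or a constructed record list), keeps files whose mtime falls in the suspected deletion window, and groups the hits by the owning "Documents and Settings" profile. The drive letter, user names and window below are constructed; as koko notes, mtimes can be altered, so the result is a lead, not proof.

```python
# Added example (not from the thread): modified-date sweep over a mounted image,
# attributed to the Windows 2000/XP "Documents and Settings\<user>" profile layout.
import os
import re
from collections import defaultdict
from datetime import datetime, timezone

PROFILE_RE = re.compile(r"[\\/]Documents and Settings[\\/]([^\\/]+)[\\/]", re.IGNORECASE)


def profile_owner(path):
    """User whose profile the path lies in, or None for paths outside any profile."""
    m = PROFILE_RE.search(path)
    return m.group(1) if m else None


def files_in_window(records, start, end):
    """records: iterable of (path, mtime as aware UTC datetime). Group hits by profile owner."""
    hits = defaultdict(list)
    for path, mtime in records:
        if start <= mtime <= end:
            hits[profile_owner(path) or "<outside profiles>"].append(path)
    return dict(hits)


def walk_image(root):
    """Yield (path, mtime) for every file under a mounted image root; skips unreadable entries."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                ts = os.stat(path).st_mtime
            except OSError:
                continue
            yield path, datetime.fromtimestamp(ts, tz=timezone.utc)


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed records standing in for walk_image() output on a real image.
SAMPLE_RECORDS = [
    (r"E:\Documents and Settings\jdoe\Cookies\index.dat", _utc(2006, 3, 14, 9, 41)),
    (r"E:\Documents and Settings\jdoe\Local Settings\Temp\~WRL0001.tmp", _utc(2006, 3, 14, 9, 52)),
    (r"E:\Documents and Settings\asmith\My Documents\budget.xls", _utc(2006, 3, 10, 17, 5)),
    (r"E:\WINNT\system32\config\software.LOG", _utc(2006, 3, 14, 9, 45)),
    (r"E:\Documents and Settings\jdoe\ntuser.dat", _utc(2006, 3, 16, 8, 0)),
]
SAMPLE_WINDOW = (_utc(2006, 3, 14, 9, 30), _utc(2006, 3, 14, 10, 0))


def triage_sample():
    """Run the sweep on the constructed records and the constructed 30-minute window."""
    return files_in_window(SAMPLE_RECORDS, *SAMPLE_WINDOW)
```

Against a real mounted image, call `files_in_window(walk_image(r"E:\"), start, end)` with the window taken from the deleted files' MFT or carved metadata.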
Page 2 / 3