Identifying who deleted files
ifindstuffucantfind and koko have the right idea, although their approach might not be the best.
In order to log into a system, a user must have an account on the system. This information is maintained in the SAM portion of the Registry, which isn't normally accessible while the system is live.
On an imaged system, you can derive user information from the SAM file by parsing the V and F structures for each user. For more information on these structures, check out these two blog entries
I believe that there is an EnScript that does this sort of thing, but from the output I've seen posted to the Windows Forensic Analysis group on Yahoo, it doesn't include some information displayed by the ProScript I posted.
Hope this helps somewhat…
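The V/F parsing described above, as an added example: this is not the ProScript or EnScript mentioned in the post, and the offsets it uses are the commonly documented layout for these two values (string offset/length pairs in the V header, with offsets relative to the 0xCC-byte header; FILETIMEs, RID, ACB flags and logon counters at fixed positions in F). The sample blobs are constructed inline so it runs without a hive; check the offsets against your own image before relying on the output.

```python
"""Parse the V and F values of a SAM user key on an imaged system.

Added example, not the ProScript or EnScript mentioned in the post. The
offsets are the commonly documented layout (as used by samparse-style
parsers); verify against your own hive before relying on them.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Account control bits (ACB_*) stored as a 16-bit field at F+0x38.
ACB_FLAGS = {
    0x0001: "Disabled",
    0x0002: "Home directory required",
    0x0004: "Password not required",
    0x0008: "Temporary duplicate",
    0x0010: "Normal user account",
    0x0020: "MNS logon account",
    0x0040: "Interdomain trust",
    0x0080: "Workstation trust",
    0x0100: "Server trust",
    0x0200: "Password does not expire",
    0x0400: "Auto-locked",
}


def filetime_to_datetime(ft):
    """100-ns ticks since 1601-01-01 UTC -> aware datetime; 0 means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def _utf16_field(v, off_at, len_at):
    """Read a UTF-16LE string whose (offset, length) pair sits in the V header."""
    off = struct.unpack_from("<I", v, off_at)[0] + 0xCC
    length = struct.unpack_from("<I", v, len_at)[0]
    return v[off:off + length].decode("utf-16-le", errors="replace")


def parse_v(v):
    """Username, full name and comment from a V value."""
    return {
        "username": _utf16_field(v, 0x0C, 0x10),
        "full_name": _utf16_field(v, 0x18, 0x1C),
        "comment": _utf16_field(v, 0x24, 0x28),
    }


def parse_f(f):
    """Timestamps, RID, flags and counters from an F value."""
    acb = struct.unpack_from("<H", f, 0x38)[0]
    return {
        "last_login": filetime_to_datetime(struct.unpack_from("<Q", f, 0x08)[0]),
        "password_last_set": filetime_to_datetime(struct.unpack_from("<Q", f, 0x18)[0]),
        "account_expires": filetime_to_datetime(struct.unpack_from("<Q", f, 0x20)[0]),
        "last_failed_login": filetime_to_datetime(struct.unpack_from("<Q", f, 0x28)[0]),
        "rid": struct.unpack_from("<I", f, 0x30)[0],
        "acb_flags": [name for bit, name in ACB_FLAGS.items() if acb & bit],
        "failed_login_count": struct.unpack_from("<H", f, 0x40)[0],
        "login_count": struct.unpack_from("<H", f, 0x42)[0],
    }


def build_sample_v(username, full_name, comment):
    """Constructed V blob for testing (not taken from a real hive)."""
    header = bytearray(0xCC)
    payload = bytearray()
    for off_at, len_at, text in ((0x0C, 0x10, username),
                                 (0x18, 0x1C, full_name),
                                 (0x24, 0x28, comment)):
        encoded = text.encode("utf-16-le")
        struct.pack_into("<I", header, off_at, len(payload))   # offset relative to 0xCC
        struct.pack_into("<I", header, len_at, len(encoded))
        payload += encoded
    return bytes(header + payload)


def build_sample_f(rid, last_login, acb, login_count, failed_count):
    """Constructed F blob for testing; last_login is an aware UTC datetime."""
    f = bytearray(0x50)
    ticks = int((last_login - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", f, 0x08, ticks)
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    struct.pack_into("<H", f, 0x40, failed_count)
    struct.pack_into("<H", f, 0x42, login_count)
    return bytes(f)


if __name__ == "__main__":
    v = build_sample_v("jdoe", "John Doe", "Finance workstation user")
    f = build_sample_f(1005, datetime(2009, 3, 10, 14, 2, tzinfo=timezone.utc),
                       0x0210, login_count=42, failed_count=1)
    print(parse_v(v))
    print(parse_f(f))
```

On a real image, feed `parse_v`/`parse_f` the raw V and F values read from `SAM\Domains\Account\Users\<RID>` with an offline hive parser; the last-login and logon-count fields are what tie an account to the window in which the files disappeared.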
ifindstuffucantfind, et al,
Just an FYI about the autosync thing you mentioned… I got interested in it and started doing some research. Unfortunately, I can't do a lot of experimentation, as it seems that this has to do with Active Directory and Group Policies, and the syncing of offline files.
This KB article discusses an issue with regard to warnings and XP.
So, I'm not saying that anyone's wrong or incorrect, just pointing out something to be aware of when looking at this key…
Hi, if you know from which workstation the files were deleted, you can search the "recently used" folders in the profiles on that workstation. If you are lucky, you will find "traces" of the last opened files or folders in one of the user profiles. If there are any "startup cleaning tools", then those traces are also deleted. You then have to use an undelete program, like "Recover My Files". Good luck! Let us know if you succeed!
Wow! I'm learning a lot from you, guys! Thank you. Now I'm involved in an urgent issue and the server with the deleted files will have to wait… but I promise to tell you my experience as soon as I do it 😉
Don't know if it helps or is interesting, but if the delete happened the last time that someone logged in, you could look at modified dates of files in their profile's directory (Documents and Settings), especially (for certainty) the ones that are system- or app-related, like index.dat. In fact, if you knew the time period, you could do a search on modified date across the whole hard drive and see whose files were created/edited in your time period. Undoubtedly there would be cookies, log files, etc. created while you're logged in. If they did any web browsing while logged in, this should be easy. Of course, all this assumes that the user wasn't malicious and covered their tracks by changing dates. Also, did the person log in to their email from that machine? If they use cached mode in Outlook, you could check dates inside the local .ost or .pst. Also, if the person printed something, there could be a log on the printer with date and username. There are potentially so many indirect ways.
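The modified-date search suggested in the reply above, as an added example (not code from the post): it walks a profile root such as a read-only mount of the image's "Documents and Settings" directory, keeps the files whose mtime falls inside the window of interest, and counts hits per profile, so the profile with activity in the window is the candidate for who was logged on. The directory tree it walks here is constructed in a temporary folder so the script runs offline; the paths and timestamps in it are made up. As the reply notes, this only holds if the timestamps were not tampered with.

```python
"""Find files modified inside a time window under a profile root, grouped by profile.

Added example (not from the post). Point files_modified_between() at a
read-only mount of the image's 'Documents and Settings' (or 'Users')
directory; the sample tree below is constructed so the script runs offline.
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def files_modified_between(root, start, end):
    """Return (profile, relative_path, mtime_utc) for files with start <= mtime <= end.

    profile is the first path component under root, i.e. the user whose
    profile directory the file lives in. Directories are skipped because
    their mtimes change whenever any child is created or removed.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.lstat()        # lstat: do not follow symlinks on the image
            except OSError:
                continue
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            if start <= mtime <= end:
                rel = path.relative_to(root)
                profile = rel.parts[0] if len(rel.parts) > 1 else ""
                hits.append((profile, rel.as_posix(), mtime))
    return sorted(hits, key=lambda h: h[2])


def activity_per_profile(hits):
    """Count hits per profile; the busy profile is the likely logged-on user."""
    counts = {}
    for profile, _path, _mtime in hits:
        counts[profile] = counts.get(profile, 0) + 1
    return counts


def build_sample_profiles(root):
    """Constructed sample tree: two profiles, artefacts stamped at chosen times."""
    samples = {
        "alice/Cookies/index.dat": datetime(2009, 3, 10, 14, 5, tzinfo=timezone.utc),
        "alice/Local Settings/History/index.dat": datetime(2009, 3, 10, 14, 20, tzinfo=timezone.utc),
        "bob/Cookies/index.dat": datetime(2009, 3, 9, 9, 0, tzinfo=timezone.utc),
        "bob/Recent/report.lnk": datetime(2009, 3, 10, 8, 0, tzinfo=timezone.utc),
    }
    for rel, when in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")
        os.utime(path, (when.timestamp(), when.timestamp()))  # set atime and mtime


def run_demo():
    """Build the sample tree and ask who was active 13:00-15:00 UTC on 2009-03-10."""
    start = datetime(2009, 3, 10, 13, 0, tzinfo=timezone.utc)
    end = datetime(2009, 3, 10, 15, 0, tzinfo=timezone.utc)
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profiles(tmp)
        hits = files_modified_between(tmp, start, end)
    return hits, activity_per_profile(hits)


if __name__ == "__main__":
    hits, counts = run_demo()
    for profile, rel, mtime in hits:
        print(f"{mtime:%Y-%m-%d %H:%M:%S}  {profile:8} {rel}")
    print(counts)
```

On a real case, widen the window a little on both sides and run the same walk over the whole mounted volume rather than just the profiles; log files and browser caches outside the profile tree will fall into the window too and corroborate which account was active.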
I told you I would report my progress in this case when I had the time. Well… here I am… and without results!!
The system under analysis uses a RAID5 configuration with NTFS. I haven't been able to find ANY of the deleted files or folders with EnCase (they aren't present, not even as overwritten!!). Does anyone know why these files and folders don't appear? I mean… shouldn't they be present at least marked as "overwritten"?
Thank you, folks
Are you looking at a logical image or a physical image? A logical image will not have unallocated space. If your image is physical, then at the bottom of the directory tree there should be a "grey" folder named "Lost Files". Additionally, you can right-click the drive icon and choose "Recover Folders…".
Yes, I already knew that, but thank you for your advice. I made a physical copy of the HD, so that is why I'm wondering why the files aren't there! The client told me that after the deletion they had restored a backup copy from the previous day (HP Openview DataProtector), but anyway, it still seems very strange to me that none of the interesting files are there anymore.