Hi there, would like to ask what analysis procedures will you normally do when you want to verify a mass deletion by the custodian?
We usually do a check on the installation of mass deletion tools/software, followed by checking its corresponding activity log, if any. In addition, we will check the last modified date of the deleted items, to see if there's a trend/pattern of deletion.
Can I have your thoughts?
Very dependent on the file system (FS) and the operating system (OS) used. If it was an NTFS file system on a WinXP system, I would look for INFO2 recycle bin records, unallocated $MFT records and orphaned INDX directory records.
It is most likely that if such a mass deletion was performed by an IT literate person they would have cleaned these artefacts also but there are a few more things to look for.
Can you disclose what the OS and FS are & what exactly do you mean by a 'mass deletion'?
It could work, but consider that data can be out of sync, so probably you won't get the right date (or any date) of deleted items. It is crucial to know the file system, and the allocation algorithms.
Hi there, would like to ask what analysis procedures will you normally do when you want to verify a mass deletion by the custodian?
That means a mass deletion that was done during a well-identified period of time, doesn't it? Or is it by a well-identified user? or both? or perhaps something else altogether?
I referred to a NTFS FS and a WinXP OS.
And by mass-deletion, I wanted to see if there's any trend of deletion pattern in very close date/time.
In addition, I am a user of EnCase; when EnCase marks the files as deleted in the selection pane, does that mean that file is virtually put into the recycle bin? If the file has been removed from the recycle bin, will EnCase still mark it as "deleted"?
So under an XP and NTFS environment, what else do I have to look for besides analysing the INFO2 records?
Thanks a lot.
Log2timeline would help for pattern analysis. Registries, Win event logs, av logs, lnk files to deleted/wiped docs, prefetch, hiberfil.sys to name the few.
Benjamin
file deleted in encase means the file is part of an INFO2 record.
As for mass deletion, with NTFS, for example, any deleted files that have Entry Modified dates and times all within very close proximity, say the same second or two, combined with the order to preserve, is a good indicator.
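The proximity heuristic above (and the trend/pattern check the original poster describes) can be applied mechanically to an exported timeline. The following is an added example, not code from the thread or from any forensic tool: it takes constructed $MFT-style records (path, deleted flag, entry-modified timestamp) and groups deleted entries whose timestamps sit within a two-second window, reporting bursts of at least `min_files` files as candidate mass-deletion events. The record layout and thresholds are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records, not from any real case: (path, is_deleted,
# $MFT entry-modified timestamp) as a timeline export might list them.
SAMPLE_ENTRIES = [
    ("C:\\Users\\jdoe\\Docs\\q1.xlsx", True, "2012-03-14 09:15:01"),
    ("C:\\Users\\jdoe\\Docs\\q2.xlsx", True, "2012-03-14 09:15:01"),
    ("C:\\Users\\jdoe\\Docs\\q3.xlsx", True, "2012-03-14 09:15:02"),
    ("C:\\Users\\jdoe\\Docs\\memo.docx", True, "2012-03-14 09:15:02"),
    ("C:\\Users\\jdoe\\Docs\\notes.txt", False, "2012-03-14 09:15:02"),
    ("C:\\Users\\jdoe\\Docs\\old.txt", True, "2012-03-10 17:40:11"),
    ("C:\\Users\\jdoe\\Docs\\budget.xlsx", True, "2012-03-14 16:02:30"),
    ("C:\\Users\\jdoe\\Docs\\plan.pptx", True, "2012-03-14 16:02:31"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_deletion_bursts(entries, window_seconds=2, min_files=3):
    """Sort deleted entries by entry-modified time and chain together any
    whose gap to the previous one is <= window_seconds. Chains shorter than
    min_files are discarded so isolated deletions do not register."""
    deleted = sorted(
        ((parse(ts), path) for path, is_del, ts in entries if is_del),
        key=lambda t: t[0],
    )
    gap = timedelta(seconds=window_seconds)
    bursts, current = [], []
    for ts, path in deleted:
        if current and ts - current[-1][0] > gap:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append((ts, path))
    if len(current) >= min_files:
        bursts.append(current)
    return bursts


def summarize(bursts):
    """(first timestamp, last timestamp, file count) per burst."""
    return [(b[0][0], b[-1][0], len(b)) for b in bursts]


if __name__ == "__main__":
    for start, end, n in summarize(find_deletion_bursts(SAMPLE_ENTRIES)):
        print(f"{n} files deleted between {start} and {end}")
```

The entry-modified timestamp is only a proxy for deletion time, so a burst found this way should be corroborated against INFO2, $UsnJrnl or other artefacts before being reported as a deletion event.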
Hi
the USN journal might be useful to determine dates of deletion and deleted file names… but only for an NTFS volume where this option is active.