registry last deleted

(@influanza)
Posts: 3
New Member
Topic starter
 

Hi. How can I find the time of the last deleted files in the Windows registry?

 
Posted : 23/06/2009 10:03 pm
(@gkelley)
Posts: 128
Estimable Member
 

Are you looking for the time and date of the last file deleted from a computer or the time and date that any file was deleted from a computer?

Either way, that information would not be in the registry as far as I know. It would be determined by analyzing the dates surrounding the deleted files you can recover from the system.

 
Posted : 24/06/2009 12:40 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Hi. How can I find the time of the last deleted files in the Windows registry?

What?

 
Posted : 24/06/2009 2:08 am
(@seanmcl)
Posts: 700
Honorable Member
 

Hi. How can I find the time of the last deleted files in the Windows registry?

In addition to the above

You may be able to get some information from the $LOGFILE entries. You may be able to find $MFT entries for which the file record is present (not, yet, reallocated), and the file is not. You may be able to look at system restore points and prefetch files to find files that are no longer there. You may have some privacy software installed which would automatically delete TEMP and other files and you might be able to determine when that was executed.

There are actually many different avenues by which you can explore the issue of what was last deleted.

However, aside from making a circumstantial case, you won't likely be able to say anything with certainty. And any conclusions which you draw from the circumstantial evidence will likely face a strong challenge.

Windows does not journal most file management operations. Copies and deletes are not recorded, explicitly.

Perhaps this topic should be moved to the forensics myths topic, since it seems to be a variant of a frequently asked question.

 
Posted : 24/06/2009 4:14 am
(@gkelley)
Posts: 128
Estimable Member
 

However, aside from making a circumstantial case, you won't likely be able to say anything with certainty. And any conclusions which you draw from the circumstantial evidence will likely face a strong challenge.

Windows does not journal most file management operations. Copies and deletes are not recorded, explicitly.

Perhaps this topic should be moved to the forensics myths topic, since it seems to be a variant of a frequently asked question.

Ye of little faith! Not to hijack the thread, but isn't a lot of what we do putting together pieces of evidence to draw conclusions? Sure, we can find a definitive e-mail, a log file showing someone's IP address, evidence of a file being opened or an application being installed. However, even with those "findings" you are still drawing a conclusion as to the actual individual who may have performed the action.

Your point is well taken that Windows does not journal deletes, however one can come to the conclusion that a file was deleted on or shortly after the latest of its metadata date/times. Of course one should back that conclusion with their testing.

I wouldn't call it a "forensic myth".

 
Posted : 24/06/2009 7:13 am
(@seanmcl)
Posts: 700
Honorable Member
 

Your point is well taken that Windows does not journal deletes, however one can come to the conclusion that a file was deleted on or shortly after the latest of its metadata date/times. Of course one should back that conclusion with their testing.

I wouldn't call it a "forensic myth".

That assumes that you have some other piece of evidence that identifies this information. If you have last accessed time turned off (the default in newer versions of Windows), and if you don't have an MFT, LOGFILE or Restore Point record, then how do you go about determining a delete time with any certainty?

My point is that you have to have both luck and knowledge to make such a conjecture, and even then you may be a far way from certainty.

The myth that I referred to was that there exists a single indicator of when a file was copied or deleted. Many naive clients and some investigators believe this to be true.

 
Posted : 24/06/2009 9:27 pm
(@gkelley)
Posts: 128
Estimable Member
 

That assumes that you have some other piece of evidence that identifies this information. If you have last accessed time turned off (the default in newer versions of Windows), if you don't have an MFT, LOGFILE or Restore Point record, then how do you go about determining a delete time with any certainty.

You take the evidence you have, set up and perform the testing and then give your opinion. I agree that even taking into consideration the MAC dates (and the MFT Entry Modified date on an NTFS system) it is difficult to say exactly when a file was deleted. But it is not difficult to say that a file was deleted on or after a certain date. Take for example a deleted file on a Vista computer with the Last Accessed date turned off that has a last written date of 6/24/2009 at 11:52 am. You could say that the file was deleted on 6/24/2009 at 11:52 am or sometime thereafter, which may be important in proving a spoliation issue. Most certainly you would need to test the scenario and take other factors into account, such as the setting of the clock.

Your opinion may have to make some assumptions in the absence of facts, but when I feel it is appropriate to do so, I set up everyone's expectations that the assumptions are going to be the first place someone will attack.

The myth that I referred to was that there exists a single indicator of when a file was copied or deleted. Many naive clients and some investigators believe this to be true.

There does exist such an indicator, and I find it with the "easy button"!

 
Posted : 24/06/2009 9:58 pm
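The reasoning above (a recovered $MFT record from seanmcl's list of avenues, and gkelley's "deleted on or after the latest of its metadata date/times" bound) can be carried out mechanically. The following is an added example, not code from anyone in this thread: it parses the four FILETIME stamps at the start of an NTFS $STANDARD_INFORMATION attribute body and returns the earliest moment the file could have been deleted, ignoring the last-accessed stamp unless the volume was actually updating it. The attribute bytes are constructed here to mirror the Vista scenario in the post.

```python
import struct
from datetime import datetime, timedelta, timezone

# NTFS FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_standard_information(body):
    """First 32 bytes of a $STANDARD_INFORMATION body: created, modified,
    MFT-entry-modified and accessed FILETIMEs, little-endian, in that order."""
    created, modified, mft_modified, accessed = struct.unpack_from("<4Q", body, 0)
    return {
        "created": filetime_to_datetime(created),
        "modified": filetime_to_datetime(modified),
        "mft_modified": filetime_to_datetime(mft_modified),
        "accessed": filetime_to_datetime(accessed),
    }


def deletion_lower_bound(ts, last_access_enabled=False):
    """The file cannot have been deleted before its newest surviving timestamp.
    A stale last-accessed value (access updates off, the Vista default) is left out."""
    keys = ["created", "modified", "mft_modified"]
    if last_access_enabled:
        keys.append("accessed")
    return max(ts[k] for k in keys)


# Constructed sample: the Vista file from the post, last written 6/24/2009 11:52 am
# (timestamps treated as UTC for the example), with a stale accessed stamp.
_utc = timezone.utc
SAMPLE_STD_INFO = struct.pack(
    "<4Q",
    datetime_to_filetime(datetime(2009, 6, 20, 9, 0, tzinfo=_utc)),    # created
    datetime_to_filetime(datetime(2009, 6, 24, 11, 52, tzinfo=_utc)),  # modified
    datetime_to_filetime(datetime(2009, 6, 24, 11, 52, tzinfo=_utc)),  # MFT modified
    datetime_to_filetime(datetime(2009, 6, 21, 8, 30, tzinfo=_utc)),   # accessed (stale)
)


def earliest_deletion_iso(body=SAMPLE_STD_INFO, last_access_enabled=False):
    return deletion_lower_bound(parse_standard_information(body), last_access_enabled).isoformat()
```

The bound is only a floor: as the thread says, nothing in the record states when the delete itself happened.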
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'd still like to hear back from the OP with respect to what he's asking for…

 
Posted : 25/06/2009 12:24 am