Who did delete a file

nightworker
(@nightworker)
Estimable Member
Joined: 16 years ago
Posts: 134
Topic starter  

This security identifier is the information for who deleted a file and when a file was deleted.

But what are we going to do when a machine has a Unix operating system and an ext3 file system?


   
Quote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

But what are we going to do when a machine has a Unix operating system and an ext3 file system?

It depends.

Has the specific "unix operating system" a "recycle bin" 😯, or - more loosely - what happens on Windows if you delete a file without sending it to the Recycle Bin?

http://spin.atomicobject.com/2012/06/29/restoring-deleted-files-from-the-ext3-journal/

jaclaz


   
ReplyQuote
mgilhespy
(@mgilhespy)
Estimable Member
Joined: 16 years ago
Posts: 102
 

But what are we going to do when a machine has a Unix operating system and an ext3 file system?

There's a good write-up in the SANS reading room concerning making use of the ext3 journal for forensics.

ext3 journal forensics

I would be looking for the delete time (dtime), then seeing who was logged on at that time, then grepping through their shell history for "rm" etc.

If the file required elevated privilege to delete, you might also find a reference in /var/log/auth.log.

–MG


   
ReplyQuote
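As an added example (not part of this thread or any poster's material), here is a small Python script that walks the triage MG describes: take the dtime recovered from the deleted inode, see which wtmp-style login sessions cover that instant, look in those users' timestamped bash history for rm-style commands near it, and pull sudo entries from auth.log around the same time. Every input (the dtime, the sessions, the history files, the log lines) is constructed for the demonstration, and everything is treated as UTC; on a real box wtmp and syslog stamps are local time while dtime is an epoch, so normalise the zones before comparing.

```python
# Added example, not from the thread: correlate an ext3 inode dtime with
# wtmp-style sessions, timestamped bash history and sudo lines in auth.log.
# Every input below is constructed for the demonstration; all times are UTC.
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# dtime recovered from the deleted inode (debugfs "stat <inode>" shows it).
# Constructed: 2012-06-29 10:15:00 UTC, i.e. epoch 1340964900.
DTIME = datetime(2012, 6, 29, 10, 15, 0, tzinfo=UTC)

# Constructed sessions as `last -F` / wtmp report them:
# (user, tty, login, logout); logout None means still logged in.
SESSIONS = [
    ("alice", "pts/0", datetime(2012, 6, 29, 9, 50, tzinfo=UTC), datetime(2012, 6, 29, 11, 5, tzinfo=UTC)),
    ("bob", "pts/1", datetime(2012, 6, 29, 7, 0, tzinfo=UTC), datetime(2012, 6, 29, 8, 30, tzinfo=UTC)),
    ("carol", "tty1", datetime(2012, 6, 29, 10, 0, tzinfo=UTC), None),
]

# Constructed ~/.bash_history contents written with HISTTIMEFORMAT set, so a
# "#<epoch>" line precedes each command (without it there are no timestamps).
HISTORIES = {
    "alice": "#1340963400\ncd /srv/data\n#1340963640\nls -la\n#1340964900\nrm report.xls\n#1340965200\nexit\n",
    "carol": "#1340964000\nvim notes.txt\n#1340965800\nls\n",
}

# Constructed /var/log/auth.log excerpt (syslog stamps carry no year).
AUTH_LOG = [
    "Jun 29 07:05:10 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "Jun 29 10:14:58 host sudo:    alice : TTY=pts/0 ; PWD=/srv/data ; USER=root ; COMMAND=/bin/rm /srv/data/report.xls",
    "Jun 29 10:30:01 host CRON[1234]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

RM_PATTERN = re.compile(r"^(?:sudo\s+)?(?:/usr)?(?:/bin/)?(?:rm|unlink|shred)\b")
AUTH_SUDO = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sudo: +"
    r"(?P<user>\S+) : .*?COMMAND=(?P<cmd>.*)$"
)


def users_logged_in_at(sessions, when):
    """Users whose session covers the instant `when`."""
    return sorted({u for u, _tty, login, logout in sessions
                   if login <= when and (logout is None or when <= logout)})


def parse_timed_history(text):
    """Yield (timestamp, command) pairs from a HISTTIMEFORMAT-style history."""
    pending = None
    for line in text.splitlines():
        m = re.fullmatch(r"#(\d{9,10})", line.strip())
        if m:
            pending = datetime.fromtimestamp(int(m.group(1)), tz=UTC)
        elif line.strip():
            yield pending, line.strip()
            pending = None


def delete_commands_near(history_text, when, window):
    """Deletion-like commands with a timestamp within +/- window of `when`."""
    return [(ts, cmd) for ts, cmd in parse_timed_history(history_text)
            if ts is not None and RM_PATTERN.match(cmd) and abs(ts - when) <= window]


def sudo_events(auth_lines, year):
    """(timestamp, user, command) for each sudo line; caller supplies the year."""
    events = []
    for line in auth_lines:
        m = AUTH_SUDO.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                   "%Y %b %d %H:%M:%S").replace(tzinfo=UTC)
            events.append((ts, m["user"], m["cmd"]))
    return events


def triage(dtime, sessions, histories, auth_lines, window=timedelta(minutes=5)):
    """Evidence per user: logged in at dtime, rm-like history, sudo near dtime."""
    report = {}
    for user in users_logged_in_at(sessions, dtime):
        report[user] = {"logged_in": True, "sudo_hits": [],
                        "history_hits": delete_commands_near(histories.get(user, ""), dtime, window)}
    for ts, user, cmd in sudo_events(auth_lines, dtime.year):
        if abs(ts - dtime) <= window:
            entry = report.setdefault(user, {"logged_in": False, "sudo_hits": [], "history_hits": []})
            entry["sudo_hits"].append((ts, cmd))
    return report


if __name__ == "__main__":
    for user, evidence in triage(DTIME, SESSIONS, HISTORIES, AUTH_LOG).items():
        print(user, evidence)
```

The output is an evidence table, not an answer: it narrows the candidates to users who were logged in at dtime and shows what their history and auth.log say around that moment. Bear in mind that bash only writes history when the shell exits, carries timestamps only if HISTTIMEFORMAT was set, and can be cleared by the user, and that dtime survives only until the inode is reused, so corroborate with the journal entries the linked papers describe.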
nightworker
(@nightworker)
Estimable Member
Joined: 16 years ago
Posts: 134
Topic starter  

Thanks a lot.


   
ReplyQuote
Share: