Who/what deleted the files?  

Page 1 / 2
Phranquey
(@phranquey)
New Member

Hi All

I have been working on a case where the user claims to have no idea how a large set of files has been deleted from his desktop.
The UsnJrnl shows the files being deleted in sequence and from different folders (the folders were not deleted). There is evidence to show user activity just seconds before the deletion, and the user put their laptop to sleep seconds after the deletion. There is no indication of any application (malware or otherwise) being executed around the time of deletion. No sign of any rogue user either.
Everything points to the user other than the way the files were deleted. The timestamps in the UsnJrnl tell me it was a mass deletion, probably triggered once, that took care of many files in different folders in a very short time, and not the selective and manual way in which a user would normally delete files by opening each folder, then highlighting the files and then deleting them.
Also note that the deletion bypassed the recycle bin.
What am I missing? How do files get deleted sequentially from different folders (without deleting the folders) without the use of a program?

Any thoughts and suggestions are most welcomed.

Posted : 21/10/2016 9:48 am
Chris55728
(@chris55728)
Junior Member

Hi Phranquey,

You don't explain the actual folder layout on the desktop so I'm making assumptions below.

Assuming all the folders in question are sitting underneath a single folder under the 'Desktop' folder the easiest way I can see to do it is as follows. Assuming 'My Stuff' is the folder in question.

Desktop
Desktop\My Stuff
Desktop\My Stuff\Folder 1
Desktop\My Stuff\Folder 2
Desktop\My Stuff\Folder 3
Desktop\My Stuff\Folder 4
Desktop\My Stuff\Folder 5
Desktop\My Stuff\Folder 6

Go into the 'My Stuff' folder using Windows Explorer. In the search box (top right in Windows Explorer) put an *, this will then show all files and folders in and under the 'My Stuff' folder. Order by 'Type' and SHIFT+DELETE all the files to bypass the Recycle Bin.

Desktop
Desktop\Folder 1
Desktop\Folder 2
Desktop\Folder 3
Desktop\Folder 4
Desktop\Folder 5
Desktop\Folder 6

If the folders are individual folders on the 'Desktop' (as above), go into the 'Desktop' folder using Windows Explorer, CTRL + left mouse click 'Folder 1', 'Folder 2', etc. Put an * in the search box, this will then show all files and nested folders in the selected folders. Order by 'Type' and SHIFT+DELETE all the files to bypass the Recycle Bin.

Hope that makes sense. So much easier to actually do than explain in words!!

Posted : 21/10/2016 12:11 pm
passcodeunlock
(@passcodeunlock)
Senior Member

It could have been files deleted manually as described in the reply above, but it could also have been a batch deletion.

If it was on purpose, most probably the batch file was deleted also, I would carve for it.

The batch file could be on any media, like pendrive, external usb disk, etc. so don't focus only on the main device!

Posted : 21/10/2016 3:21 pm
joakims
(@joakims)
Active Member

You mentioned "sleep" and "usnjrnl", so I assume this is Windows system running on an NTFS volume. A few things that could be worth analyzing
$LogFile
hiberfil.sys

What version of Windows is this?

Posted : 21/10/2016 3:39 pm
redcat
(@redcat)
Active Member

Since you mention UsnJrnl I'm assuming NTFS and therefore more specifically Windows 8 or 10 is the OS in question. To batch delete (and properly delete) files in later versions of Windows you can use something like this from command prompt

robocopy C:\SomeEmptyFolder C:\FolderOfStuffToDelete /e /tee /MIR

Which will copy over the 'contents' of SomeEmptyFolder to FolderOfStuffToDelete, overwriting all and anything in FolderOfStuffToDelete and, in this instance, copying nothing into its place. What it will do is leave the folder and subfolders intact, but with no contents. It will blast over almost anything in its path, including locked files (useful sometimes).

Robocopy is, of course, built into all versions of Windows since 7 (and was available via Sysinternals for XP before that) so you'd expect to find it in system32. Question is, how technical is the former user of this computer?

Posted : 21/10/2016 3:55 pm
Phranquey
(@phranquey)
New Member

Thanks to all of you who have responded so quickly! I will try to respond to all of your questions and queries.

1. Chris55728 Yes the folder structure looked like the following

Desktop
Desktop\Folder 1
Desktop\Folder 2
Desktop\Folder 3
Desktop\Folder 4
Desktop\Folder 5
Desktop\Folder 6

Data was deleted from the folders and subfolders….even some desktop shortcut items were deleted. I tried Chris55728's method and indeed he could have deleted them that way. As far as I remember there is a log that stores explorer search items? Are those in the windows.edb file? I have had mixed results trying to parse that in the past.

2. passcodeunlock Thanks, I will carve for the batch file and see what I find.

3. joakims It is a Windows 7 machine. I already checked $LogFile but I am interested in your hiberfil.sys suggestion. What nuggets can I find in there to help me in this case?

4. redcat yes I am aware of robocopy and I checked for the execution of command prompt or any other application with the potential to initiate a delete command but have not seen anything.
According to I.T. the user does not strike them as being very technical at all but it does not take that much to find out how to do things on a computer nowadays once you have the right motive.

Thanks again for your help!

Posted : 21/10/2016 9:25 pm
joakims
(@joakims)
Active Member

It really depends on whether the system was put into sleep or hibernation mode. You mentioned sleep, but it is sometimes mixed up with hibernation, which is the reason I mentioned it. If it is in fact sleep, then nothing of that file-delete operation can be expected to be found in hiberfil.sys. If not, then it is certainly worth looking into hiberfil.sys. What you would do is convert the hibernation file into a raw memory dump file, and then use something like Volatility to analyze the dump file. It is amazing how much can be found there, for instance command line parameters. If you had a memory dump, you could do the same thing.

And regarding $LogFile: there were no filesystem transactions around the deletion time that gave more clues?

Posted : 22/10/2016 2:09 am
Phranquey
(@phranquey)
New Member

Hi Joakims

Yes, it sleeps on lid close, which is the event that is recorded. Unless Windows itself is loosely using the word sleep as well in its description of the event. The $LogFile does not have much data for that period of time at all, therefore the data is not of much use as far as I can see. In a perfect world Windows 7 would have explicit delete logs which tell us that a user interacted with the computer and selected DELETE……or not.

Posted : 22/10/2016 4:36 am
Phranquey
(@phranquey)
New Member

Hi All

Any further ideas on this one?

Posted : 25/10/2016 8:01 am
MDCR
(@mdcr)
Active Member

Check logs. Even if they don't say who deleted what, they can tell you which accounts weren't used.

Posted : 25/10/2016 5:41 pm
pbobby
(@pbobby)
Active Member

Shift-delete of top level folders.

There's no artifact to prove/disprove - gonna have to water-board.

In my opinion, there is no other reasonable explanation other than the computer user intentionally shift-deleting top level folders of content and then putting the laptop to sleep.

Posted : 25/10/2016 9:05 pm
Phranquey
(@phranquey)
New Member

Shift-delete of top level folders.

There's no artifact to prove/disprove - gonna have to water-board.

In my opinion, there is no other reasonable explanation other than the computer user intentionally shift-deleting top level folders of content and then putting the laptop to sleep.

Hi pbobby
If I could replicate the deletion in windows explorer I would be more comfortable with that explanation. I thought I had but the actual files on the desktop were also deleted including the program shortcuts. The folder structure remained intact on the desktop but the files were deleted.

Not only top level folder contents were deleted either…the delete process went into each folder and subfolder on the desktop and deleted files within them and all in one go. This was not a user browsing around deleting files as they go. We are talking over 3000 files in 51 seconds all from the desktop and subfolders.

To add to this, the delete process skipped a handful of files. About 11 files were skipped in different folders and remained in folders on the desktop after deletion.

I know it is bizarre. I just can't logically put this together in my mind that the user did this….but he might have.

Posted : 25/10/2016 9:45 pm
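The burst signature Phranquey describes (thousands of deletions in well under a minute, spread over many parent folders, with the folders themselves left standing) is exactly what a small script over the $UsnJrnl:$J stream can pull out and quantify. The following is an added example and not code posted by anyone in this thread: it parses raw USN_RECORD_V2 entries (the record version Windows 7 writes), keeps the FILE_DELETE|CLOSE records, clusters them by the gap between consecutive deletions and summarizes each cluster (count, span, rate, distinct parent directories, and whether any directory records are among them). The journal bytes are constructed inline to stand in for a carved $J, and the gap and minimum-file thresholds are assumptions to be tuned per case.

```python
"""Added example (not from the thread): parse USN_RECORD_V2 entries from an
NTFS $UsnJrnl:$J stream and flag bursts of FILE_DELETE|CLOSE records.
The journal bytes used below are constructed for the demo; on a real case
pass the carved $J bytes to parse_usn_v2() instead."""
import struct
from datetime import datetime, timedelta, timezone

USN_REASON_FILE_CREATE = 0x00000100
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_CLOSE = 0x80000000
FILE_ATTRIBUTE_DIRECTORY = 0x10
FILE_ATTRIBUTE_ARCHIVE = 0x20

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# USN_RECORD_V2 fixed header (60 bytes, no padding): RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp,
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset
_V2_HDR = struct.Struct("<IHHQQqqIIIIHH")


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # integer arithmetic on purpose: float division loses precision at ~1e16 us
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_usn_v2(buf):
    """Walk a $J buffer and return its V2 records as dicts, in journal order."""
    records, off = [], 0
    while off + _V2_HDR.size <= len(buf):
        (rec_len, major, _minor, frn, parent_frn, usn, ts, reason,
         _src, _sid, attrs, name_len, name_off) = _V2_HDR.unpack_from(buf, off)
        if rec_len == 0:  # zero-filled sparse region; records are 8-byte aligned
            off += 8
            continue
        if major != 2 or rec_len < _V2_HDR.size or off + rec_len > len(buf):
            raise ValueError(f"malformed or unsupported USN record at offset {off}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({"usn": usn, "frn": frn, "parent_frn": parent_frn,
                        "time": filetime_to_datetime(ts), "reason": reason,
                        "attrs": attrs, "name": name})
        off += rec_len
    return records


def build_usn_v2(usn, frn, parent_frn, when, reason, name, attrs=FILE_ATTRIBUTE_ARCHIVE):
    """Serialize one V2 record (used here only to construct the sample journal)."""
    name_b = name.encode("utf-16-le")
    rec_len = (_V2_HDR.size + len(name_b) + 7) & ~7  # pad to an 8-byte boundary
    hdr = _V2_HDR.pack(rec_len, 2, 0, frn, parent_frn, usn, datetime_to_filetime(when),
                       reason, 0, 0, attrs, len(name_b), _V2_HDR.size)
    return hdr + name_b + b"\0" * (rec_len - _V2_HDR.size - len(name_b))


def _summarize(rs):
    span = (rs[-1]["time"] - rs[0]["time"]).total_seconds()
    return {"start": rs[0]["time"], "end": rs[-1]["time"], "files": len(rs),
            "span_s": span, "files_per_s": len(rs) / span if span else float("inf"),
            "parent_dirs": len({r["parent_frn"] for r in rs}),
            "dirs_deleted": sum(1 for r in rs if r["attrs"] & FILE_ATTRIBUTE_DIRECTORY)}


def find_delete_bursts(records, gap_s=5.0, min_files=50):
    """Cluster FILE_DELETE|CLOSE records whose neighbours are <= gap_s apart and
    keep clusters of at least min_files. Both thresholds are assumed defaults."""
    want = USN_REASON_FILE_DELETE | USN_REASON_CLOSE
    deletes = sorted((r for r in records if (r["reason"] & want) == want),
                     key=lambda r: (r["time"], r["usn"]))
    bursts, cur = [], []
    for r in deletes:
        if cur and (r["time"] - cur[-1]["time"]).total_seconds() > gap_s:
            if len(cur) >= min_files:
                bursts.append(_summarize(cur))
            cur = []
        cur.append(r)
    if len(cur) >= min_files:
        bursts.append(_summarize(cur))
    return bursts


def build_sample_journal():
    """Constructed $J: a little interactive activity, then 600 files deleted from
    six folders 10 ms apart with no directory records (the folders survive)."""
    t0 = datetime(2016, 10, 20, 9, 30, tzinfo=timezone.utc)
    dc = USN_REASON_FILE_DELETE | USN_REASON_CLOSE
    events = [(0x3001, 0x1001, t0, USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "notes.txt"),
              (0x3002, 0x1001, t0 + timedelta(minutes=1), dc, "old.docx"),
              (0x3003, 0x1002, t0 + timedelta(minutes=2), dc, "draft.xlsx")]
    burst = t0 + timedelta(minutes=15)
    events += [(0x4000 + i, 0x2000 + i % 6, burst + timedelta(milliseconds=10 * i),
                dc, f"file{i:04d}.pdf") for i in range(600)]
    chunks, usn = [b"\0" * 64], 0x10000  # leading zero run, as in a real $J
    for frn, parent, when, reason, name in events:
        rec = build_usn_v2(usn, frn, parent, when, reason, name)
        chunks.append(rec)
        usn += len(rec)
    return b"".join(chunks)


SAMPLE_JOURNAL = build_sample_journal()

if __name__ == "__main__":
    for b in find_delete_bursts(parse_usn_v2(SAMPLE_JOURNAL)):
        print(f"{b['start']:%Y-%m-%d %H:%M:%S} .. {b['end']:%H:%M:%S.%f}: "
              f"{b['files']} files in {b['span_s']:.2f}s ({b['files_per_s']:.0f}/s), "
              f"{b['parent_dirs']} parent dirs, {b['dirs_deleted']} directories")
```

On a real case, replace SAMPLE_JOURNAL with the bytes of the carved $J stream; the zero-filled sparse region at the front of a real journal is skipped eight bytes at a time because records are 8-byte aligned. Directory deletions carry the FILE_ATTRIBUTE_DIRECTORY bit in FileAttributes, so a burst with dirs_deleted equal to zero is the "files gone, folders still there" pattern from the original post, and parent_dirs shows how many folders the single operation reached.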
Phranquey
(@phranquey)
New Member

Update

Decompressed the hiberfil.sys file and used Volatility to check for Commands entered through a console shell (cmd.exe) but there were no returns. I confirmed that the computer did hibernate after the incident and checking the process list I can see processes executed before and after the incident but none out of the ordinary.

Please if anyone has any other ideas let me know. What are your feelings here?

Posted : 30/10/2016 10:51 pm
joakims
(@joakims)
Active Member

So if the machine hibernated after all (it was put into hibernation mode, not sleep) that should give you quite some more valuable information. That's the reason why I specifically asked about this initially.

Now I am wondering how you decompressed hiberfil.sys? Volatility is a great tool for memory analysis by all means, but I am aware of a possible bug in their decompression of hibernation files. Just to rule out that this possible bug has played you a trick, I would strongly suggest you make a decompression (memory reconstruct) with another tool and compare the output file hashes. I am aware of 2 other tools that can do this
Hibernation Recon
Hibr2bin

When you have verified that the decompressed memory reconstruct is good, then you should re-do the analysis in Volatility. Said differently, if the outputs differ, you would rather trust the output of that other tool.

Posted : 31/10/2016 2:37 am
Phranquey
(@phranquey)
New Member

Hi Joakims

Yes, the machine slept but then later did hibernate. I tried what you said. I used Hibr2Bin but got the same output. I tried running the same commands using Volatility (cmdscan and consoles) but got nothing at all in the output. Other commands did produce output, like pslist etc. Any other suggestions? Thanks so much for your time.

Posted : 31/10/2016 8:47 am