Announcement

Collapse
No announcement yet.

Deleted Files - Identity of User who deleted a file?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Deleted Files - Identity of User who deleted a file?

    Hi

    I have noticed that OSforensics allows me to conduct a "Deleted Files Search" as well as a search/analysis of "Recent Activity". I want to find out the identity of the user who would have deleted a specific file. Is this possible? I have not seen how thus far.

    Thanks

  • #2
    The short answer is you can't.

    The longer answer is....
    The undelete function has two modes of operation. Mode 1 is to find the delete file in the master file table and restore the file from data in the MFT. Mode 2 is to 'carve' the file from the disk, this is done by scanning the disk and matching pattens that define the start of certain file types. In the case of a carved file, it will be impossible to know when the file was deleted and who deleted it. In the case of files in the MFT then there might be information about the owner of the file (the person who created the file) but there won't be any details about who deleted it. Plus in the case of older file systems (like FAT16) there will not be any ownership information at all in the file system.

    You might be better off working out how many user accounts there were on the machine. If there is only 1 account, then your problem is solved. If there are multiple accounts, then maybe you can look at who logged in & when, then have a guess at who was logged in when the file was deleted. (But even knowing the delete time isn't always possible).

    Comment


    • #3
      Geezay,

      You should always use a tool such as RegRipper (http://www.osforensics.com/faqs-and-...regripper.html), to identify and list up all user accounts that exist on a machine you are investigating, before attempting to attribute activities such as file deletion to a specific user.

      Although the Recycle Bin's location typically changes from Windows version to version, basically, a unique Recycle Bin is created each time a new user account is created.

      So, if a given Windows computer has four people accessing it, each with unique accounts, usernames and passwords, Windows will have created four unique Recycle Bins, each Recylcle Bin named by its related unique user account, or security ID ("SID"). The OSForensics tool is basically reaching in to each trash can (Recycle Bin) and pulling out discarded files, but it is the registry analysis tool that will allow you to determine which user account was responsible for deleting a file, as well as many other activities.

      Comment


      • #4
        The OSForensics tool is basically reaching in to each trash can (Recycle Bin) and pulling out discarded files
        The files in the recycled bin haven't really been deleted. They get renamed and moved to a different folder, but they aren't deleted from the file systems point of view. So no special techniques (like carving, or parsing the MFT is required to see recycled files. You can browse them just like any other file.

        So the undelete function isn't recovering files from the recycle bin, as it doesn't need to. Only after the recycle bin is emptied are the files really deleted.

        So you should always check the recycle bin for interesting files, in additional to using the undelete function.

        Comment


        • #5
          David,

          If there are four unique user accounts on a given Windows machine, with four unique recycle bins, does OSForensics keep track of which of the four user account an "undeleted file" relates to?

          Comment


          • #6
            Files in the recycle bin aren't deleted files (they are just renamed files).

            So the undelete function doesn't touch nor examine files in the recycle bin. So the undelete function doesn't know anything about user accounts.

            Comment


            • #7
              Deleted File Search includes File Carving for Office Documents. the corresponding filter strings do not include PDF-Files. How can I carve PDF-Files?

              Best regards from Austria

              Comment


              • #8
                PDF files are carved if you tick the carving box. They are also picked up in a scan of the MFT.

                The Filter String allow you to filter the list of files that have been carved *after* the carving has taken place.

                The Filter String does not determine what is carved, just what is displayed.

                You can type any text you want into the Filter String field. So to just list PDF files you could enter in,
                *.pdf

                Comment

                Working...
                X