
I would like to know if the following is possible:

  1. Is it possible to detect a file that has been put into my file system using back dating? Are there any trace artifacts left behind which can help to detect this sort of tampering?

  2. Is it possible to detect file tampering? I mean this in terms of content, file created/modified etc, deletion. I am especially interested to know if we can find if a file was deleted and how I can detect the same.

The background to these questions is a friend's stolen laptop, and we need to figure out if any forensic file activity can be performed. I was most keen on the above-mentioned 2 questions.

I would appreciate it if both Windows and Linux tips were included.

freginold
ananth
  • Your question is too general. I know every file on my system and if it needs to be there or not and I can quickly check if any of the system ones have been altered with only one command. You should describe better the context you have/need in order to have a proper answer. – Overmind Sep 13 '19 at 12:32
  • @Overmind Thanks for the pointer. But the only context I have is that the laptop has been in strange hands for some time and that there are files which I am not sure should be there. Hence the ask for detecting back dated files. The second question is more towards diagnostics in terms of verifying what I expect to have is in its right form or if something has happened in that time the file system was not under my sight. Is this ok, should I alter my question with these or do let me know what other information I can provide? – ananth Sep 13 '19 at 12:40
  • Well, why didn't you say that from the start? In your case you should just run an SFC scan to make sure all system files are viable and of good integrity and then some anti-malware and anti-virus scans to make sure there is nothing unwanted there. Then just uninstall if there are any programs you don't want/need. There is no need to over-complicate things with anything else. – Overmind Sep 16 '19 at 08:29
  • If the laptop was stolen, you should seriously consider re-imaging it, or depending on the reason for your concerns, getting a new machine. As you are investigating the issue post-fact, you can't necessarily trust _anything_ running on the system after it may have been compromised. – iwaseatenbyagrue Sep 26 '19 at 07:54

0 Answers