4

Is it possible to know when a file in an NTFS filesystem was deleted? For example, if the file is in the recycle bin, you have the metadata file that stores when the file was sent to the recycle bin. However, if the file was never in the recycle bin or the recycle bin was emptied, how can you know the timestamp of the deletion of a file?

Even if it is not possible to know the exact date and time, is it possible to get a date interval?

EDIT: I know there are existing solutions that can be installed or configured to monitor deletion of files, but I'm talking about the case where you receive an HD and you have to do a forensic analysis of it. In that case you would probably only have what is installed by default.

Gokhan Dilek
  • 131
  • 3
kinunt
  • 2,759
  • 2
  • 23
  • 30
  • I am not a forensics expert, but I touched these areas once in my iOS project. I'm not sure how the deletion process is done in Windows exactly, but I recommend you go through this paper [https://www.fbi.h-da.de/fileadmin/personal/h.baier/Lectures-winter-11/WS-11-Forensics/vorlesung_forensik_ws11-12_kap06_ntfs-handout.pdf]. I'm sure you will find your answer there. – AK_ Jun 16 '14 at 19:05

2 Answers

5

You cannot always get an exact answer in forensics. Sometimes the result is a time range of possibility. That said, you can get exact answers sometimes.

For your scenario, it depends on what version of Windows was used to create and maintain this volume.

NTFS has long supported journaling (short-term logging) in the file named $LogFile in the root of the volume. You won't find a large number of records in here, since it is designed to be a recovery mechanism, but if you get the disk within a certain amount of time after the delete action, you have a chance of finding it in there. Many of the forensic tools (such as EnCase) are able to parse this log, but here is an open source tool with more information.

https://code.google.com/p/mft2csv/wiki/LogFileParser

If you are examining a Vista or newer system, you may find that there is a longer-running log in place on the disk. This logging was a capability in earlier versions of NTFS, but it was not enabled by default until Vista. The file is called $UsnJrnl and is located in a folder called $Extend. This file logs every action that happens to a file: rename, move, create, delete, etc. Again, many of the forensic tools will parse this out, but here is an open source link for use.

https://code.google.com/p/parser-usnjrnl/

WMIF
  • 292
  • 1
  • 3
  • Another thing I've discovered is that we can determine an interval between the last time a file was seen, for example by examining the NTFS MAC times with Sleuthkit, and the time the image was taken. – kinunt Jun 19 '14 at 15:12
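The $UsnJrnl route described in the answer, worked through in code as an added example (this is not the answer's code, nor code from the linked parsers): a small Python parser for the $J stream that reads the documented USN_RECORD_V2 layout, skips the zero-filled sparse region that a real $J stream starts with, ignores record versions it does not understand (V3/V4, Windows 8 and later), and returns the records in which FILE_DELETE is paired with CLOSE, which is the entry that carries the deletion timestamp. The journal bytes, file names, MFT reference numbers and the 2014 timestamps are constructed inline so the script runs offline; the function names (parse_usnjrnl, find_deletions, build_record) are this example's own. On a real image you would extract the $Extend\$UsnJrnl:$J data stream with a forensic tool and pass its bytes to parse_usnjrnl().

```python
"""Pull file-deletion timestamps out of an NTFS $UsnJrnl:$J stream.
Added example (not the answer's or the linked tools' code); record layout is
the documented USN_RECORD_V2, and the journal bytes below are constructed."""
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 fixed part, 60 bytes LE: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason,
# SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
USN_V2 = struct.Struct("<IHHQQqqIIIIHH")
HEADER_LEN = USN_V2.size  # 60

# Subset of the USN_REASON_* flags from winioctl.h.
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE",
           0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
           0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
FILE_DELETE, CLOSE = 0x200, 0x80000000
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, exact to the microsecond."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decode_reason(reason):
    """Render a Reason bitmask as 'FILE_DELETE|CLOSE'-style text."""
    names = [n for bit, n in REASONS.items() if reason & bit]
    return "|".join(names) if names else hex(reason)


def parse_usnjrnl(data):
    """Walk a $J stream and return one dict per USN_RECORD_V2."""
    records, off, n = [], 0, len(data)
    while off + HEADER_LEN <= n:
        if data[off:off + 4] == b"\x00\x00\x00\x00":
            # Zero run: $J's sparse prefix or slack. Records are 8-byte
            # aligned, so resume at the aligned block of the next non-zero byte.
            rest = data[off:].lstrip(b"\x00")
            if not rest:
                break
            off = max((n - len(rest)) & ~7, off + 8)
            continue
        (rec_len, major, _, file_ref, parent_ref, usn, ts, reason,
         _, _, attrs, name_len, name_off) = USN_V2.unpack_from(data, off)
        if rec_len < HEADER_LEN or rec_len % 8 or off + rec_len > n:
            break  # truncated or corrupt record: stop rather than mis-parse
        if major == 2:  # V3/V4 (Windows 8+) have a different layout; skip them
            name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
            records.append({"usn": usn, "timestamp": filetime_to_datetime(ts),
                            "reason": reason, "name": name, "attributes": attrs,
                            "mft_entry": file_ref & 0xFFFFFFFFFFFF,  # low 48 bits
                            "mft_sequence": file_ref >> 48,
                            "parent_entry": parent_ref & 0xFFFFFFFFFFFF})
        off += rec_len
    return records


def find_deletions(records):
    """A delete is final when FILE_DELETE and CLOSE appear in the same record."""
    return [r for r in records if r["reason"] & FILE_DELETE and r["reason"] & CLOSE]


def build_record(usn, when, reason, name, file_ref=(7 << 48) | 0x42,
                 parent_ref=(5 << 48) | 5):
    """Build one V2 record; used only to construct the sample journal."""
    name_bytes = name.encode("utf-16-le")
    rec_len = (HEADER_LEN + len(name_bytes) + 7) & ~7  # padded to 8 bytes
    hdr = USN_V2.pack(rec_len, 2, 0, file_ref, parent_ref, usn,
                      datetime_to_filetime(when), reason, 0, 0, 0x20,
                      len(name_bytes), HEADER_LEN)
    return hdr + name_bytes + b"\x00" * (rec_len - HEADER_LEN - len(name_bytes))


def _at(hour, minute):
    return datetime(2014, 6, 16, hour, minute, tzinfo=timezone.utc)


DELETE_TIME = _at(19, 5)
# Constructed journal: a 4 KiB zero prefix standing in for the sparse region,
# then create, rename and delete of one file. Names and times are made up.
SAMPLE_JOURNAL = (
    b"\x00" * 4096
    + build_record(0x1000, _at(9, 0), 0x100, "report.docx")
    + build_record(0x1058, _at(9, 0), 0x100 | 0x2 | CLOSE, "report.docx")
    + build_record(0x10b0, _at(10, 30), 0x1000, "report.docx")
    + build_record(0x1108, _at(10, 30), 0x2000 | CLOSE, "secret.docx")
    + build_record(0x1160, DELETE_TIME, FILE_DELETE | CLOSE, "secret.docx")
)

if __name__ == "__main__":
    for r in find_deletions(parse_usnjrnl(SAMPLE_JOURNAL)):
        print(r["timestamp"].isoformat(), r["mft_entry"], r["mft_sequence"],
              decode_reason(r["reason"]), r["name"])
```

Two caveats matter when you date a deletion this way. The $J stream is a ring buffer, so a record older than the retained window is gone and its absence proves nothing; and the FILE_DELETE|CLOSE record carries a file name plus the MFT reference (entry number and sequence number), not a path, so you resolve the parent reference against the MFT to recover where the file lived and to tell apart two files that reused the same entry. If the journal has wrapped past the event, you are back to the interval bound from the comment above: the latest timestamp the MFT entry still shows versus the time the image was taken.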
2

You can see it in the computer events. You need to switch on the auditing feature in group policy.

This is what I used to do.

  • I had a corporate network and the workstations were connected to a domain controller (Server 2008).
  • I had a file server that users had access to (which was also connected to the same domain).
  • I turned on the audit logs for a particular shared folder (that my users had access to) in the local group policy of that file server.
  • I was then able to see each user doing file operations by looking at the computer event codes.

This Microsoft Technet paper might help

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
Gokhan Dilek
  • 131
  • 3
  • 4
    This is to monitor deleted files when you know in advance that you will need this information. In a forensic analysis you usually have access to a system that does not have this option configured. This is the case in my question. I'm going to add this information to the question. – kinunt Jun 17 '14 at 10:55
  • Haven't tried it, but a quick Google search gave me this: http://www.digital-forensic.org/ – Gokhan Dilek Jun 17 '14 at 12:02