An interesting question appeared on one of the listservs a bit ago..."what is an investigator's protocol for demonstrating intentional erasure of data, ostensibly done by the user to remove evidence from a system?" This is an interesting question and since it doesn't fit neatly into one of the FAQ sections at the end of a chapter in my next book, I thought I'd address that question here in the blog.
The first thing I would look at is the level of erasure that has occurred. One of the first places to check is the Recycle Bin. Many users delete files through the Explorer shell, and they end up in the Recycle Bin...from there, some users don't bother to empty the Recycle Bin. However, this does show an intentional attempt to remove data, based on the actions that are required to move the files to the Recycle Bin.
I have seen instances in which the user has deleted files (ie, sent to the Recycle Bin) and then emptied the Recycle Bin. In such cases, the last modification time on the INFO2 file in the Recycle Bin may give you an idea of when the Recycle Bin was emptied. Again, this may show intent.
In some cases, many of the sectors for the files were then overwritten due to the limited defrag that occurs about every 3 days on a Windows XP system, making the deleted files unrecoverable.
I would also suggest checking the contents of the UserAssist keys, and on XP systems, the Prefetch folder, to see if there are any artifacts to indicate that an erasure tool of some kind was used. This may range from commercial tools to freely available VBS scripts.
One important thing to keep in mind when performing forensic analysis is that given some artifacts, we can expect to see other other artifacts. For example, if we find that auditing of logons has been enabled, and we see user profiles with MAC times (on the NTUSER.DAT files, etc.) that indicate logons, then we can expect to see some information in the SAM file, as well as the Security Event Log. By correlating these sources, we can develop information about our case. However, the absence of those artifacts that we know we should see (but don't) is itself an artifact.
5 comments:
if they use the command-line to delete a file it will not leave any trace evidence in the recycle bin. however, i believe windows also treats directories as files and records the date modified for the directory if a file is removed from or changed in that directory so you should be able to use this to narrow down the time of deletion even further. also, since the INFO2 file is just a file, you may be able to reconstruct portions that have not been overwritten.
Thanks for the comment, but the post is about a protocol, or where to look, to attempt to determine *intentional* erasure of data. It's not just different bits of trivia about deleted files.
i didn't mean to offer that only as trivia, my bad for not giving a clear example.
I had a situation where important files were removed after a temporary employee was given notice of termination. The 'boss' asked me to recover the data and determine (if possible) the time of deletion. After recovering the deleted files i checked the modified time stamp for the folder where the missing files were located. This gave me the last time the folder was modified (files removed or transferred?). I also checked the INFO2 index file with rifuti but the file appeared empty. Because there were no entries in the INFO2 file I could infer that the files were either deleted via the command-line or moved from the the folder to another location. I think either case this would clearly demonstrate intentional erasure. So i guess i'm trying to say it is important not to overlook folder modification times when examining something like this.
nabiy,
I agree, 100%. I was just trying to keep the discussion with the context of the post, that's all...
Amazing post about a protocol on where to look, to attempt to determine *intentional* erasure of data. Here at web design company is a similar info. regarding accidental loss of data.. May be that's of any use to you.
So check it out.
Post a Comment