Forensics: When was a File Deleted? Part 2

Following on from “When was a File Deleted? Part 1” this article discusses how the identify the data of files that have not been deleted, but not via the recycle bin (which maintains the date of deletion).

Why are all deleted files not in the recycle bin?

As discussed in the previous article there are a variety of reasons which files are deleted, but do not go  via the recycle

  1. System deletion: If the computer deletes files, automatically, e.g as part of the routine cleanup, the files do not go via the recycle bin
  2. User initiated system deletion: If a user clears the internet history, or uninstalls a program, then the system deletes files. These files do not go to the recycle bin.
  3. Third party tools: If an individual runs a deletion tool such as EvidenceEliminator those files that are deleted do not go via the recycle bin. Therefore their dates of deletion are not recorded (in the recycle bin, though they may be elsewhere, see Part 2)
  4. Shift-Delete: If a user presses shift and delete when deleting a file it is“hard deleted”, this means that the file does not go to the recycle bin, it is simply deleted. In this case the dates of deletion are not recorded by the recycle bin.

Potential methods to detect the deleted dates are discussed below

  1. System deletion:
    1. Probably the most common example of a file being deleted by the system and being of interest, will be the internet cache. Firefox and IE can be set to automatically delete the data after a set period of one. One method to approach this is to look at the date of the file creation and then look (in the recovered FAT/MFT entry) and compare that the duration of the internet cache storage. The latter value is in  registry. This combined with looking at the access date, should give a good indication of when data we deleted. Do not take this date by itself. There are so many caveats about dates that it would take a whole article to cover them. Suffice to say that caution should be used and other sources of information should be used to try and verify a time.
  2. User initiated system deletion:
    1. If uninstalls a program, then there is no recorded deletion date for the files deleted during the process. But there are methods to try and determine this.
      1. System Restore. The system restore files keep track of what is installed by looking back the old software hives can give a good indication of when something was deleted. Example if “Outlook” exists in the Software hive for 1st and 2nd Feb 09 but not for the 4th, 5th of 6th, is entirely plausible that that Outlook was uninstalled between the 2nd and 4th.
    2. Logs. Uninstalling applications, as well as installing an application can create logs ,there may be one available
    3. Mass Activity. Look for evidence of recent mass activity. Do all of the deleted files have a last access around the same time? [A time different from the creation /modification date].
  3. Third party tools:
    1. Tools such as EvidenceEliminator are rarely run in the best way to ensure that all traces of a file are deleted. It may be that a file is deleted, and wiped, but evidence of the file can often still exist, and some of the methods in the section “Shift-Delete” below can still be used. In addition to those methods, the following techniques can be considered when trying to identify the deletion date.
      1. If the file was wiped it means that the  wiping must have occurred after the wiping tool was installed. Look for installation dates of the installed software
      2. How does the wiping tool work? Does it write zeros to the file first, and then delete it? If so the wiping date could be the last modified date
      3. Are there logs. Amazingly some wiping tools keep deleted logs. Look for this. Even if they are not there they may have been deleted, but not wiped, search for those.
  4. Shift-Delete:
    1. This  methods discussed here can be used in conjunction with the methods used above (if applicable). This is the scenario where a file has been deleted, e.g. a word document, but there is no date of deletion. No recycle bin entry. No log files. Just a file that has been deleted. The following information should be considered when trying to assess the deleted dates.
      1. A file cannot be accessed after it has been deleted. Therefore the file was deleted on or after the last accessed date and before the date the computer was last used. This could be a very narrow time widow (or it could be quite large, but it’s a good starting point)
      2. If the access date has not been tripped (e.g it’s been switched off), look for other evidence of access, such as Link files, or MRU in the registry entries. The modified date can also provide useful.
      3. Use the System Restore and NTUSER.DAT files to build up a picture of access to a file.
      4. Look for evidence of searching for a file. If a person wants to delete certain types of file they may well conduct searches. E.g. search for “*.DOC” or “*Account*.XLS”. Evidence of file searches conducted, via Windows, are stored in the registry. These can give great insight into a user.

Combine all the available information together

Often no one piece of information is going to be a silver bullet, rather there will be lots of information that needs to be pulled together to create evidence of a probably date.

A working example

A computer investigation is requested and a desktop, at a large company, is imaged on 20th August 2009. Following a brief investigation it is determined that the file “Accounts.DOC” was deleted. The client wants to know when this occurred.

The following information is recovered:

  • The created date of the file, from the MFT entry, is 10th June 2009
  • The last modified date, from the MFT,  is 30th July 2009
  • The last accessed date was the 31st July 2009
  • The computer was shutdown on 9am 3rd August 2009.
  • The computer was power on 19th August but no nobody appears to have logged on
  • The computer was imaged on 20th August 2009

Additional information:

1st and 2nd August 2009 were a Saturday and Sunday. The user did not have access to the office on the weekend (there was no remote access either)

The IT department turned off the user’s computer on 9am, following a request from HR The IT dept also admitted powering on the computer, in error, on 19th August 2009.

In this rather simplistic scenario it is probable that the file was deleted on 31st July 2009, because there was no other time to conduct the deletion by the user, as there was no access to the computer after that date.

Overall look for dates, lots of them. Produce  a time line of when the file was accessed, and when it was no longer accessed. Then look at dates the user could not have accessed the comptuer. Logs, leave, login information, etc. This will narrow the dates, but rarely will there be a specific date.

Forensics: When was a File Deleted? Part 1

Was the file deleted before his resignation?”

Was the file deleted before or after the data preservation order?”

If the file was deleted on the 1st rather than the 31st, than that means there was a breach of a court order. Can you say when it was deleted?”

All of these questions are asking the same thing: “When was a file deleted?”; this article looks at this issue (for Windows operating systems)

Deleted Dates

Broadly there are two scenarios for when a file is deleted, it is deleted via the recycle bin and when the file is not deleted during a recycle bin.

Deleted Dates: Recycle Bin

If a user hits the delete key on a file it, in virtually all scenarios, goes to the Recycle Bin in Windows. Windows 9x, 2000, XP, and Vista all have a recycle bin/trash bin. Many users are familiar with this and know that if they delete a file, they can go into the recycle bin and recover it at a later date.

What many users are not aware, but all forensics investigators should be, is that when a file is placed in the recycle bin the date that occurs is recorded. i.e. the date of deletion is recorded, if the file is deleted file the recycle bin. This information is recorded via the INFO2 file in Windows 9x, 2000 and XP. In Vista the information is recorded, but it’s in a slightly different location.

Therefore if a file is deleted via the recycle bin the information is easily obtained.

If the recycle bin is emptied, can the deleted date still be recovered?

Yes, for a period of time. The information about the deleted date is, itself, deleted after the recycle bin is emptied. This means that the information can be recovered using data recovery methods. But as it is not a file that is being searched for, but rather metadata about the deleted file, it is only a fragment of data that needs to be recovered.

Therefore methods such as keyword searching and date carving are required to locate this information.

Why does the file not go into the recycle bin?

Not all files are deleted via the recycle bin, this can occur for couple of reasons. The most common are:

  1. System deletion: If the computer deletes files, automatically, e.g as part of the routine cleanup, the files do not go via the recycle bin
  2. User initiated system deletion: If a user clears the internet history, or uninstalls a program, then the system deletes files. These files do not go to the recycle bin.
  3. Third party tools: If an individual runs a deletion tool such as EvidenceEliminator those files that are deleted do not go via the recycle bin. Therefore their dates of deletion are not recorded (in the recycle bin, though they may be elsewhere, see Part 2)
  4. Shift-Delete: If a user presses shift and delete when deleting a file the file is “hard deleted”, this means that the file does not go to the recycle bin, it is simply deleted. In this case the dates of deletion are not recorded by the recycle bin.

Part 2 will cover the issue of determining the deletion dates of files that are deleted via the recycle in.

Forensics: How do you detect data theft Part 1

With data theft occurring frequently, and corporate clients needing to prove that data was stolen, it is critical that any forensics investigator worth their salt (and their salary) that they are able to undertake at least a rudimentary investigation into data theft.

When approaching a data theft investigation different areas need to be looked at, including:

  • Personal Email
  • Corporate Email
  • USB activity
  • Instant messaging
  • DVD burning
  • Hard drives being added
  • FTP access

These areas will be covered during the course of this series, however the first area to be covered is USB activity.


When a USB drive is first connected to computer the drivers need to be installed for it to work correctly and the device registered with thecomputer. Fortunately there is a log of this activity, this log is stored in the SETUPAPI.LOG.

The SETUPAPI.LOG keeps a record of a variety of changes of the hardware to a computer, including the first time a USB drive was connected to a computer. It records information about the drivers used, the make and model of the USB drive and the PID from the USB chip, which is almost unique and can be used to trace a USB drive. The file itself is a plain text log file, and so can be copied out and then keyword searched. However, due to the volume of information involved this is not an effective method.

A freely available tool to resolve this issue is  SAEX, produced by a senior forensic investigator (with both law enforcement and corporate experience).  This tool is able to take a SETUPAPI.LOG file and convert it to a spreadsheet, to allow filtering. This way activity, such as USB connections, can easily be determined [the file needs to be copied out from the image first, e.g. using EnCase or FTK and then SAEX can be pointed at file].

During investigations it should be remembered that the SETUPAPI.LOG file is a system level file, and does not record what the user did what, but rather what happened to the system. Other information, such as logs, need to be used to show a particular user was logged  in at a given time.

It should be noted that this log file only records when a USB device was first connected, NOT the last time it as connected (unless they are one and the same).

This can be a very important date during a forensic investigation. If, for example, an individual has been accused of data theft and on their last day of employment a series of new USB thumb drives can be seen being connected to the computer, red flags need to be raise . Equally, if the individual accused has been connecting USB drives thought their entire employment, this may show that it is is accepted within the company that people use thumb drives. Neither scenario proves or disproves guilt, but it can help build a picture of activity.

The Registry

The registry, as all forensic investigators will know, is a fantastic source of information, though very complex. This article is not suitable for a highly detailed discussion of the registry. It is enough to know, at this point, that the  ENUM\USB entry in the SYSTEM registry hive,  stores the last time the USB drive was last connected. There  can be problems with this registry date, e.g. if the computer was not turned off for several days and the USB drive was reconnected several times, or the computer was booted with the drive in,  these factors can result in an older date being provided, than the last time the USB drive was actually plugged in.

Later a more detailed article on these registry dates, and which drive letter has been assigned to that USB drive, will be covered.

Forensics: Rebuilding a Windows RAID with EnCase

Rebuilding a Windows Striped RAID in EnCase is incredibly simple. This is because the information about the RAID is kept within the hard drives, as its a software RAID. This is not the case for a hardware RAID, as the information about the drive configuration .

Note – A video guide on how to rebuild a hardware RAID will be on  the Where is Your Data? YouTube Channel  later this month.


Step 1: Add the striped drives to the case

Adding Striped Drives to EnCase

Adding Striped Drives to EnCase

Step2: Scan the disk configuration – right click one of the disks and select option (see screen shot)

Scan disk configuration with EnCase

Scan disk configuration with EnCase

Step 3: View the rebuilt RAID

Rebuilt RAID with EnCase

Rebuilt RAID with EnCase

Forensics: When is a bookmark not a bookmark in IE

The “Search Internet History” option in EnCase is an excellent function, and pulls back a lot of information very quickly. However, it can show misleading information, if its not interpreted correctly.

Looking for Internet History with EnCase

Looking for Internet History with EnCase

In the “bookmarks” section, which EnCase produces (under “Record”) Encase reports bookmarks, or URL shortcuts on the hard drive being examined.  Some people can interpret this as Bookmark that has been created manually, or is in the IE books marks tab. However this is not the case.

Some book marks are put their automatically, e. g the ubiquitous “” bookmark is in IE as a default.

Other bookmarks are not bookmarks at all. In the example shown below “Avast!” appear to be a bookmark in IE, but it is not. It is a shortcut is in the “program files” and its entirely possible that the user had no knowledge of it being there.

When a bookmark is not a bookmark

When a bookmark is not a bookmark

For this reason caution should be taken when explicitly stating that a bookmark proves knowledge of a website, or webaccess.

Add to Technorati Favorites

Forensics: Nintendo Wii

Attached is an paper by Dr Benjamin Turnball , describing the [computer] forensic anaylsis of a Nintendo Wii.

How do I Access EnCase Files?

E01 Files

Sometimes people in IT or in law firms will come across EnCase files, that have been provided by forensics companies. The question they will often ask is “How do you open an EnCase image? A video guide on using Encase to open E01 files is available here

E01  Identification

Firstly you must identify that you have an EnCase image. If the media provided contains a series of files, which all have the same name, but difference extensions,  and the first one is has the extension E01, then you have been provided with an EnCase Image.  After the “E01 file” each file has the same name but a different extension, increasing in increments. E02, E03, etc.


If the first file is called ExhibitA.E01, the second one will be ExhibitA.E02, and the third one will be ExhibtA.E03.

Regardless of how many files there are starting “ExhibitA” [or whatever the prefix is], if there is only one E01 files, there is only one image. The reason for the multiple files is that Encase can chunk up the image for ease of movement/storage.

Identifying the number of images

If the following files are on on the media  Disk1.E01, Disk1.E02, Disk1.E03, Disk2.E01, Disk2.E02, Disk3.E04 that means that there are two different images. Disk1 and Disk2.

Opening an E01 Image

EnCase images are not “raw” files and so can not be easily opened, they need to be viewed with a correct tool. The two best tools for this EnCase - which can only (legally) view an image with a full license  i.e. You have to pay for it (RRP £2,000 to £3,0000).

FTK Imager Lite, produced by AccessData which is free to use can also access EnCase images, and allow you to browse through the data.

Other tools, such as MountImagePro are also able to mount the files and virtual drive. This allows the user to browse through the files, can copy files off the image, as if it was a drive. This does not give full forensics capability, and if you want to investigate data theft or the like, this is not the tool for you. But does allow access to active files.


Get every new post delivered to your Inbox.

Join 29 other followers