Can dates of file deletion be obtained? Yes, sometimes.
In a computer forensics examination dates are almost always going to important. Every file on a modern Windows system has numerous dates, from the Created, Modified, Last Written, and Entry Modified dates in the NTFS, to the dates in Link file, registry entries, and folders.
All of these dates can help build a picture of when files were accessed, but a common question from clients about dates is “When was a file deleted?”
NTFS, the standard file system for Windows, does not record a deleted date, however the recycle bin does. When a file is deleted via the recycle bin (i.e when a user clicks delete for a file it is placed in the recycle bin) the recycle bin keeps track of the deletion of the file – when it happend, how big the file was, and where it came from. This information is stored within the INFO2 file of that recycle bin.
Therefore if a file was deleted via the recycle bin the date of deletion can be recovered.
However, if it is not deleted via a recycle bin, this information is not recored.
When would a file not be deleted via the recycle bin?
This scenario could happen in several scenarios.
1) If the user presses “shit+del” on a file this deletes the file immediately and it does not go via the recycle bin.
2) System deletions. If Windows deletes a file it does not go via the Recycle Bin. A common exampe of this is deleting internet history, cookies, and temporary internet files
3) Application deletions. If wiping tools, e.g. evidence eliminator, are used to delete files these files do not go via the recycle bin either.
Can file deletion dates be determined by other methods.
If the information about date deletion cannot be obtained from the INFO2, then estimations about the files deletion can be made, from other dates. e.g the file will have been deleted sometime between the last accessed and point of collection.