Forensics: When was a File Deleted? Part 2

Following on from “When was a File Deleted? Part 1” this article discusses how the identify the data of files that have not been deleted, but not via the recycle bin (which maintains the date of deletion).

Why are all deleted files not in the recycle bin?

As discussed in the previous article there are a variety of reasons which files are deleted, but do not go  via the recycle

  1. System deletion: If the computer deletes files, automatically, e.g as part of the routine cleanup, the files do not go via the recycle bin
  2. User initiated system deletion: If a user clears the internet history, or uninstalls a program, then the system deletes files. These files do not go to the recycle bin.
  3. Third party tools: If an individual runs a deletion tool such as EvidenceEliminator those files that are deleted do not go via the recycle bin. Therefore their dates of deletion are not recorded (in the recycle bin, though they may be elsewhere, see Part 2)
  4. Shift-Delete: If a user presses shift and delete when deleting a file it is“hard deleted”, this means that the file does not go to the recycle bin, it is simply deleted. In this case the dates of deletion are not recorded by the recycle bin.

Potential methods to detect the deleted dates are discussed below

  1. System deletion:
    1. Probably the most common example of a file being deleted by the system and being of interest, will be the internet cache. Firefox and IE can be set to automatically delete the data after a set period of one. One method to approach this is to look at the date of the file creation and then look (in the recovered FAT/MFT entry) and compare that the duration of the internet cache storage. The latter value is in  registry. This combined with looking at the access date, should give a good indication of when data we deleted. Do not take this date by itself. There are so many caveats about dates that it would take a whole article to cover them. Suffice to say that caution should be used and other sources of information should be used to try and verify a time.
  2. User initiated system deletion:
    1. If uninstalls a program, then there is no recorded deletion date for the files deleted during the process. But there are methods to try and determine this.
      1. System Restore. The system restore files keep track of what is installed by looking back the old software hives can give a good indication of when something was deleted. Example if “Outlook” exists in the Software hive for 1st and 2nd Feb 09 but not for the 4th, 5th of 6th, is entirely plausible that that Outlook was uninstalled between the 2nd and 4th.
    2. Logs. Uninstalling applications, as well as installing an application can create logs ,there may be one available
    3. Mass Activity. Look for evidence of recent mass activity. Do all of the deleted files have a last access around the same time? [A time different from the creation /modification date].
  3. Third party tools:
    1. Tools such as EvidenceEliminator are rarely run in the best way to ensure that all traces of a file are deleted. It may be that a file is deleted, and wiped, but evidence of the file can often still exist, and some of the methods in the section “Shift-Delete” below can still be used. In addition to those methods, the following techniques can be considered when trying to identify the deletion date.
      1. If the file was wiped it means that the  wiping must have occurred after the wiping tool was installed. Look for installation dates of the installed software
      2. How does the wiping tool work? Does it write zeros to the file first, and then delete it? If so the wiping date could be the last modified date
      3. Are there logs. Amazingly some wiping tools keep deleted logs. Look for this. Even if they are not there they may have been deleted, but not wiped, search for those.
  4. Shift-Delete:
    1. This  methods discussed here can be used in conjunction with the methods used above (if applicable). This is the scenario where a file has been deleted, e.g. a word document, but there is no date of deletion. No recycle bin entry. No log files. Just a file that has been deleted. The following information should be considered when trying to assess the deleted dates.
      1. A file cannot be accessed after it has been deleted. Therefore the file was deleted on or after the last accessed date and before the date the computer was last used. This could be a very narrow time widow (or it could be quite large, but it’s a good starting point)
      2. If the access date has not been tripped (e.g it’s been switched off), look for other evidence of access, such as Link files, or MRU in the registry entries. The modified date can also provide useful.
      3. Use the System Restore and NTUSER.DAT files to build up a picture of access to a file.
      4. Look for evidence of searching for a file. If a person wants to delete certain types of file they may well conduct searches. E.g. search for “*.DOC” or “*Account*.XLS”. Evidence of file searches conducted, via Windows, are stored in the registry. These can give great insight into a user.

Combine all the available information together

Often no one piece of information is going to be a silver bullet, rather there will be lots of information that needs to be pulled together to create evidence of a probably date.

A working example

A computer investigation is requested and a desktop, at a large company, is imaged on 20th August 2009. Following a brief investigation it is determined that the file “Accounts.DOC” was deleted. The client wants to know when this occurred.

The following information is recovered:

  • The created date of the file, from the MFT entry, is 10th June 2009
  • The last modified date, from the MFT,  is 30th July 2009
  • The last accessed date was the 31st July 2009
  • The computer was shutdown on 9am 3rd August 2009.
  • The computer was power on 19th August but no nobody appears to have logged on
  • The computer was imaged on 20th August 2009

Additional information:

1st and 2nd August 2009 were a Saturday and Sunday. The user did not have access to the office on the weekend (there was no remote access either)

The IT department turned off the user’s computer on 9am, following a request from HR The IT dept also admitted powering on the computer, in error, on 19th August 2009.

In this rather simplistic scenario it is probable that the file was deleted on 31st July 2009, because there was no other time to conduct the deletion by the user, as there was no access to the computer after that date.

Overall look for dates, lots of them. Produce  a time line of when the file was accessed, and when it was no longer accessed. Then look at dates the user could not have accessed the comptuer. Logs, leave, login information, etc. This will narrow the dates, but rarely will there be a specific date.


One Response to “Forensics: When was a File Deleted? Part 2”

  1. Forensics: When was a File Deleted? Part 1 « Data – Where is it? Says:

    […] Part 2 will cover the issue of determining the deletion dates of files that are deleted via the recycle in. […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: