Main

How did the file get deleted and what to do about it.

  • General / Background on file structures and identification of deleted files
  1. NIST - white paper describing 'Active File Identification & Deleted File Recovery' https://www.cftt.nist.gov/DFR-req-1.1-pd-01.pdf https://www.cftt.nist.gov/DeletedFileRecovery.htm
  2. PC based tools for file recovery (such as Recuva)
    1. Reviewed at http://www.techsupportalert.com/best-free-data-recovery-file-undelete-utility.htm
    2. Previous Files Recovery by NirSoft http://www.nirsoft.net/utils/previous_files_recovery.html
  3. PC tools for secure file deletion are the flip side of the same issue: a recovery tool finds data that the file system has merely unlinked, and a secure deleter overwrites that data so there is nothing left to recover. See the explanation by Mark Russinovich (Microsoft Sysinternals) of how SDelete works at https://technet.microsoft.com/en-us/sysinternals/sdelete.aspx
  • Event Logs
  1. Create a Local Security Policy setting for Audit Policy / Audit Object Access (on Vista/Server 2008 and later, the "File System" subcategory under Advanced Audit Policy Configuration). This writes events to the Security event log, but only for objects that carry an auditing entry.
  2. Enable auditing for a user or group on the folder you want to track. The audit policy and the folder's auditing entry (its SACL) are both required; neither one logs anything on its own.
    1. An old (2006) but good overview of the process: http://sogeeky.blogspot.com/2006/07/how-to-audit-and-track-file-deletions.html
    2. Initial setup of Windows Security Auditing https://eventlogxp.com/essentials/securityauditing.html
      1. Advanced Security Audit Policy Settings https://technet.microsoft.com/en-us/library/dn319056.aspx
    3. Tracking down who removed files https://eventlogxp.com/blog/tracking-down-who-removed-files/
    4. Steps in the process
      1. Create the auditing policy (Audit object access in Security Settings / Local Policies / Audit Policy, or the File System subcategory under Advanced Audit Policy Configuration)
      2. "Success" is what you will monitor, i.e. a file or folder that was successfully deleted. Auditing failures as well shows who tried and was refused, at the cost of more noise.
      3. Auditing can be enabled for a specific user or group, or simply for Everyone
      4. In the top-level folder to track: Properties / Security / Advanced / Auditing / Add, pick the principal, tick Delete and Delete subfolders and files, and apply to this folder, subfolders and files. Editing auditing entries needs the "Manage auditing and security log" privilege, which Administrators hold by default.
      5. Use the Security event log to monitor. The events of interest are 4663 (an object was accessed; an Accesses value of DELETE means the delete right was exercised) and 4660 (an object was deleted). 4660 carries no file name, so match it to the preceding 4663 through the shared Handle ID. Filtering of the results will be important: a 4663 with DELETE that is not followed by a 4660 is usually a rename or a move to the Recycle Bin, and a busy folder produces a large volume of events.
    5. Event Log Explorer (free for personal use) https://eventlogxp.com/
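The five steps above carried out from PowerShell instead of the GUI, as an added example that is not part of the original page. It assumes an elevated session on Vista/Server 2008 or later (Advanced Audit Policy), and the folder C:\Shares\Finance and the principal Everyone are placeholders. The correlation at the end is the filtering that step 5 calls for: it only reports a deletion when a 4663 exercising DELETE is followed by a 4660 on the same handle.

```powershell
# Added example, not from the original page. Enables the File System audit
# subcategory, puts a "Delete" success-audit entry on a folder tree, then
# reads the Security log and joins 4663 (delete right exercised) to 4660
# (object deleted) on HandleId so that only real deletions are reported.
# Run from an elevated PowerShell session. $Folder, $Principal and
# $LookbackHours are assumptions; adjust them for your environment.
#Requires -RunAsAdministrator
param(
    [string]$Folder        = 'C:\Shares\Finance',  # assumed tree to track
    [string]$Principal     = 'Everyone',           # or a specific user/group
    [int]   $LookbackHours = 24
)

# Step 1: audit policy. "File System" is the Advanced Audit Policy subcategory
# that gates file-object events; the legacy "Audit object access" setting
# simply switches on every Object Access subcategory at once. The name is
# localized; the GUID form works on any locale:
#   auditpol /set /subcategory:{0CCE921D-69AE-11D9-BED3-505054503030} /success:enable
auditpol.exe /set /subcategory:"File System" /success:enable /failure:disable | Out-Null

# Steps 2-4: add the SACL entry. Get-Acl needs -Audit to read or write the
# SACL, and the caller needs the "Manage auditing and security log" privilege
# (SeSecurityPrivilege), which Administrators hold by default.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                      -ArgumentList $Principal, $rights, $inherit, $prop, $flags
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)          # "this folder, subfolders and files"
Set-Acl -Path $Folder -AclObject $acl

# Step 5: read and correlate the events.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-FolderDeletions {
    param([string]$Path, [datetime]$Since)
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4663, 4660; StartTime = $Since }
    $pending = @{}     # HandleId -> details of a 4663 that exercised DELETE
    $deleted = New-Object System.Collections.Generic.List[object]
    foreach ($e in ($events | Sort-Object TimeCreated)) {
        if ($e.Id -eq 4663) {
            $name = Get-EventField $e 'ObjectName'
            $mask = [int](Get-EventField $e 'AccessMask')   # e.g. "0x10000"
            # 0x10000 is the DELETE standard right; skip reads/writes and
            # anything outside the tracked tree.
            if ($name -like "$Path*" -and ($mask -band 0x10000)) {
                $pending[(Get-EventField $e 'HandleId')] = [pscustomobject]@{
                    Time    = $e.TimeCreated
                    User    = "$(Get-EventField $e 'SubjectDomainName')\$(Get-EventField $e 'SubjectUserName')"
                    Path    = $name
                    Process = Get-EventField $e 'ProcessName'
                }
            }
        } elseif ($e.Id -eq 4660) {
            # 4660 has no ObjectName; HandleId ties it back to the 4663.
            # A DELETE 4663 that never gets a 4660 is usually a rename or a
            # move to the Recycle Bin, so it is deliberately left out.
            $h = Get-EventField $e 'HandleId'
            if ($pending.ContainsKey($h)) { $deleted.Add($pending[$h]); $pending.Remove($h) }
        }
    }
    return $deleted
}

Get-FolderDeletions -Path $Folder -Since (Get-Date).AddHours(-$LookbackHours) |
    Format-Table Time, User, Path, Process -AutoSize
```

Run it once to put the policy and SACL in place; afterwards only the Get-FolderDeletions call is needed to produce a report. A broad Delete audit on a busy tree can fill the Security log quickly, so raise the log's maximum size or forward it to a collector before enabling this on a file server.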


    See also Computer Forensics Tools

