Tuesday, October 21, 2014

Windows OS: When was a File Deleted?

Can dates of file deletion be obtained? Yes, sometimes.

In a computer forensics examination, dates are almost always going to be important. Every file on a modern Windows system carries numerous dates, from the Created, Modified, Last Written, and Entry Modified timestamps in NTFS to the dates held in link files, registry entries, and folders.

“Was the file deleted before his resignation?”
“Was the file deleted before or after the data preservation order?”
“If the file was deleted on the 1st rather than the 31st, then that means there was a breach of a court order. Can you say when it was deleted?”

All of these questions are asking the same thing: “When was a file deleted?”

NTFS, the standard file system for Windows, does not record a deletion date; however, the recycle bin does. When a file is deleted via the recycle bin (i.e. when a user clicks delete on a file and it is placed in the recycle bin), the recycle bin keeps track of the deletion – when it happened, how big the file was, and where it came from. This information is stored within the INFO2 file of that recycle bin.

Therefore if a file was deleted via the recycle bin the date of deletion can be recovered.

However, if a file is not deleted via the recycle bin (for example, with Shift+Delete or from a command prompt), this information is not recorded.
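As an added illustration (not code from the original post), here is a small parser that pulls the deletion timestamp, size, drive and original path out of an INFO2 file, run over a constructed sample rather than a real recycle bin. It assumes the commonly documented Windows 2000/XP INFO2 layout (20-byte header, fixed 800-byte records with a FILETIME at record offset 268); Vista and later keep per-file $I records instead, which this does not cover, so verify the offsets against a real INFO2 before relying on it.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed INFO2 (Windows 2000/XP Recycler) layout: 20-byte header, then fixed-size
# records; the record size is stored in the header at offset 12 (800 on XP).
HEADER_LEN = 20
RECORD_LEN = 800
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the constructed sample below."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_info2(data):
    """Return one dict per INFO2 record: index, drive letter, deletion time (UTC), size, path."""
    _version, _, _, rec_len, _total = struct.unpack_from("<5I", data, 0)
    records = []
    for off in range(HEADER_LEN, len(data) - rec_len + 1, rec_len):
        rec = data[off:off + rec_len]
        # Bytes 0-259: original path in the ANSI code page (latin-1 is a safe decode here).
        ascii_path = rec[:260].split(b"\x00", 1)[0].decode("latin-1")
        # Bytes 260-279: record index, drive number (0 = A:), FILETIME of deletion, size.
        index, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        # Bytes 280-799: the same path as NUL-terminated UTF-16LE.
        unicode_path = rec[280:rec_len].decode("utf-16-le").split("\x00", 1)[0]
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive),
            "deleted_utc": filetime_to_datetime(ft),
            "size": size,
            "path": unicode_path or ascii_path,
        })
    return records


def build_sample_info2():
    """Constructed sample INFO2 with one record; not taken from any real system."""
    deleted = datetime(2014, 10, 21, 14, 30, 0, tzinfo=timezone.utc)
    path = r"C:\Documents and Settings\user\My Documents\contract.docx"
    rec = path.encode("latin-1").ljust(260, b"\x00")
    rec += struct.pack("<IIQI", 1, 2, datetime_to_filetime(deleted), 48_128)
    rec += path.encode("utf-16-le").ljust(520, b"\x00")
    header = struct.pack("<5I", 5, 0, 0, RECORD_LEN, 0)
    return header + rec
```

The deletion time comes back as UTC; convert it to the machine's local time zone before comparing it against a resignation date or preservation order.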

Source URLs:
http://whereismydata.wordpress.com/2009/04/02/forensics-deleted-dates/
http://whereismydata.wordpress.com/2009/08/16/forensics-when-was-a-file-deleted-part-1/
http://whereismydata.wordpress.com/2009/08/17/forensics-when-was-a-file-deleted-part-2/
