Tuesday, October 21, 2014

Tracing User Activities

It would be great if we could have one tool that tells us what activities a user has performed on the computer, based on date!

Maybe we can start with this tool.

Name: LastActivityView by Nirsoft
URL: http://www.nirsoft.net/utils/computer_activity_view.htm

LastActivityView is a tool for the Windows operating system that collects information from various sources on a running system and displays a log of actions made by the user and events that occurred on this computer. The activity displayed by LastActivityView includes: running an .exe file, opening an open/save dialog box, opening a file/folder from Explorer or other software, software installation, system shutdown/start, application or system crash, network connection/disconnection and more...

Windows OS: When was a File Deleted?

Can dates of file deletion be obtained? Yes, sometimes.

In a computer forensics examination, dates are almost always going to be important. Every file on a modern Windows system has numerous dates, from the Created, Modified, Last Written, and Entry Modified dates in NTFS, to the dates in Link files, registry entries, and folders.

“Was the file deleted before his resignation?”
“Was the file deleted before or after the data preservation order?”
“If the file was deleted on the 1st rather than the 31st, then that means there was a breach of a court order. Can you say when it was deleted?”

All of these questions are asking the same thing: “When was a file deleted?”

NTFS, the standard file system for Windows, does not record a deletion date; however, the recycle bin does. When a file is deleted via the recycle bin (i.e. when a user clicks delete on a file and it is placed in the recycle bin), the recycle bin keeps track of the deletion of the file – when it happened, how big the file was, and where it came from. This information is stored within the INFO2 file of that recycle bin.

Therefore if a file was deleted via the recycle bin the date of deletion can be recovered.

However, if the file was not deleted via the recycle bin, this information is not recorded.
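To show what the INFO2 file actually records, here is an added example (not part of the original post, and not a NirSoft tool) that parses the 800-byte INFO2 records used by the Windows XP-era recycle bin and recovers the deletion time, original path and size of each entry. The record layout (260-byte ANSI path, index, drive number, FILETIME, size, 520-byte Unicode path) is the documented XP format; the sample record, its path and its timestamp are constructed here for the demonstration.

```python
# Added example: parse Windows XP-era INFO2 recycle-bin records to recover
# when a file was deleted, where it came from and how big it was.
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 20       # version, two counters, record size, total size (4 bytes each)
RECORD_SIZE = 800      # record size as stored at header offset 12 on XP
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit Windows FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_info2(data):
    """Return one dict per fixed-size record that follows the 20-byte header."""
    _version, _, _, record_size, _total = struct.unpack("<IIIII", data[:HEADER_SIZE])
    records = []
    for off in range(HEADER_SIZE, len(data) - record_size + 1, record_size):
        rec = data[off:off + record_size]
        # Offsets 0-259: ANSI original path. Windows zeroes the first byte
        # when the entry is restored or the bin is emptied, so it marks activity.
        ansi_path = rec[:260].split(b"\x00", 1)[0].decode("cp1252", "replace")
        index, drive, ft, size = struct.unpack("<IIQI", rec[260:280])
        uni_path = rec[280:800].decode("utf-16-le", "replace").split("\x00", 1)[0]
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive),
            "deleted_utc": filetime_to_datetime(ft),
            "size": size,
            "original_path": uni_path or ansi_path,
            "active": rec[0] != 0,
        })
    return records


def build_sample_record(index, drive, deleted_utc, size, path):
    """Construct a test INFO2 record (constructed data, not real evidence)."""
    ft = ((deleted_utc - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    ansi = path.encode("cp1252").ljust(260, b"\x00")
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, ft, size) + uni


# Constructed sample: one file on C: deleted on 1 Oct 2014 09:30 UTC.
SAMPLE_INFO2 = (struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, HEADER_SIZE + RECORD_SIZE)
                + build_sample_record(1, 2, datetime(2014, 10, 1, 9, 30, tzinfo=timezone.utc),
                                      4096, r"C:\Docs\report.docx"))

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print(r["deleted_utc"].isoformat(), r["drive"], r["size"], r["original_path"])
```

Windows Vista and later replaced INFO2 with per-file $I records of a different layout, so this parser applies only to XP-era bins; timestamps are UTC and must be converted to the local time zone before comparing against the dates in a court order.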

Source URL: