[sleuthkit-users] Evidence of partition formatting and/or (massive) file deletion
From: Hervé Le G. <hl...@fr...> - 2014-02-26 21:58:44
Hi,

I have started investigating a laptop PC (Windows 7 Pro) that has been "cleaned" before being given back to its legitimate owner, and I have a couple of questions for the cognoscenti:

1) I would need to find out whether some formatting has been performed "recently" and, if yes, when that formatting occurred on this or that volume/partition.

2) Since Photorec finds lots of deleted files on the .dd image I created (Caine + Guymager), it would be useful indeed to know when (date and time) these files were deleted. I understand Windows doesn't record the date/time files were deleted, but there must be ways to narrow down the possibilities for such a "massive" deleting action to have been performed.

I have imaged the hard drive (Caine + Guymager) and used Autopsy to ingest the .dd file. When using its Timeline tool, I can definitely see two days of "intense" activity, right before the PC was given back to its owner, amidst a "desert" of no activity whatsoever in the days/weeks before and after these two days, and I guess it's during these two days that the "cleaning" was performed.

I mean, it's pretty clear that for this 2-year-old laptop to be totally empty of Word, Excel and PDF files, while Photorec digs out thousands of them, some major cleaning must have been performed, but the question of the date (and, possibly, of the kind of command or application s/w used to do the cleaning) is the one I'd like to address.

Help would/will be greatly appreciated,

Many thanks in advance,

Hervé
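One way to locate the kind of activity burst described above directly from Sleuth Kit output, as an added example that is not part of the original post or of the Sleuth Kit project: it reads a body file (the format `fls -m` writes and mactime reads), counts every set MACB timestamp per UTC day, and flags days far above the median day. The body lines used as input are constructed for the example; the threshold factor and the Windows-style paths are assumptions.

```python
# Added example (not from the original post): flag days of unusually dense
# MACB activity in a Sleuth Kit body file (`fls -m` output, mactime input).
from collections import Counter
from datetime import datetime, timezone
from statistics import median
# TSK 3.x body line: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
BODY_FIELDS = "md5 name inode mode uid gid size atime mtime ctime crtime".split()
TIME_FIELDS = BODY_FIELDS[7:]

def parse_body_line(line):
    # Returns a dict for one body line, or None if it is malformed.
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(BODY_FIELDS) or not all(
            p.lstrip("-").isdigit() for p in parts[7:]):
        return None
    rec = dict(zip(BODY_FIELDS, parts))
    for k in TIME_FIELDS:
        rec[k] = int(rec[k])
    return rec

def events_per_day(lines):
    # Count every set (> 0) timestamp per UTC day across all records.
    counts = Counter()
    for rec in filter(None, map(parse_body_line, lines)):
        for k in TIME_FIELDS:
            if rec[k] > 0:
                day = datetime.fromtimestamp(rec[k], tz=timezone.utc).date()
                counts[day.isoformat()] += 1
    return counts

def burst_days(counts, factor=5):
    # Days whose event count is at least `factor` times the median day.
    base = median(counts.values()) if counts else 0
    return sorted(d for d, n in counts.items() if n >= factor * base)

def build_sample_body():
    # Constructed data: ten quiet days, then 40 deleted entries on one day.
    def epoch(day):  # noon UTC on that day of December 2013
        return int(datetime(2013, 12, day, 12, tzinfo=timezone.utc).timestamp())
    lines = []
    for day in range(1, 11):
        t = epoch(day)
        lines.append(f"0|/Users/owner/Documents/note{day}.docx|{100 + day}"
                     f"|r/rrwxrwxrwx|0|0|2048|{t}|{t}|{t}|{t}")
    t = epoch(15)
    for i in range(40):
        lines.append(f"0|/Users/owner/Documents/report{i}.pdf (deleted)|{500 + i}"
                     f"|r/rrwxrwxrwx|0|0|4096|{t}|{t}|{t + 60}|{t}")
    return lines
```

On a real image, feed it the output of `fls -r -m / image.dd` and then inspect the flagged days in mactime or Autopsy for the entries that were touched.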