tool to trace users

Viewing 8 reply threads
  • Author
    Posts
    • #3160
      maddy
      Participant

      Hi
        I am facing a challenge of recovering a deleted files. Is there any tools which can trace the users who had accessed and deleted the files of remote machine.
      Kindly suggest if any

      Thanks

    • #21121
      shednik
      Participant

      Is auditing service turned on, on the remote server?

    • #21122
      blackazarro
      Participant

      There are a number of free and commercial tools out there that can help you extract and correlate bits and pieces of information from the system being investigated that eventually will point you to the user that deleted the files. I’m not sure if there is one that can automatically tell you the user who didn’t.

      However, the most important thing is that you extract the hidden INFO2 files from the subject host, using Helix Live CD for example. Every user in the system will have this file created the first time the Recycle Bin used. The purpose of this file is to track deleted files and folders original location, as well as file size and deletion time. This makes it possible to relate the deleted files with specific users.

    • #21123
      Don Donzal
      Keymaster

      Hey blackazarro,

      Sounds like a great tutorial for our readers.  😉

      Don

    • #21124
      blackazarro
      Participant
      Sounds like a great tutorial for our readers. 

      Yeah… but I’m not an expert yet. Just little things I know.

      Hack_80, I forgot to mention that the INFO2 file is useful if the deleted files are automatically moved to the Recycle Bin. If the user deleted the files from a remote command prompt or the Recycle Bin is configured to remove files immediately when they are deleted then the INFO2 it will be of no use. There other methods as well to prevent from sending it to the Recycle Bin.

      Now since this user accessed the host remotely via shares or whatever, I wonder if there’s an entry to the INFO2 file if files/folders are deleted. Hmmm…

    • #21125
      blackazarro
      Participant

      A tool from Foundstone for analyzing INFO2 files:

      Rifiuti v1.0

    • #21126
      pseud0
      Participant

      Hack_80, can you provide any additional information about the platforms involved and the access method used?  Did the user have access to that file via: remote desktop, shared drives, remote shell, citrix, etc, etc, etc…?  Were these windows/UNIX/etc boxes?  Your answers to those questions are going to dictate where you’d go to get the relevant data. 

    • #21127
      maddy
      Participant

      Hi,
        the files deleted from windows 2000 adv server with SP4.

    • #21128
      pseud0
      Participant

      first things first, have you made am image of the drive?  If you’re primary concern is to recover the file then you need to get the drive imaged ASAP if that system is still in use.  Otherwise you’ll just write over parts of it at some point.  Do you have access to some UNIX/Linux/BSD system that will let you do a simple dd?  As long as nobody has played with the drive too much then you should be able to pull the file right back off.

Viewing 8 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?