tool to trace users

manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Fri Jan 02, 2009 1:54 am

tool to trace users

Hi
  I am facing the challenge of recovering deleted files. Are there any tools which can trace the users who accessed and deleted the files on a remote machine?
Kindly suggest if any.

Thanks

shednik

Jr. Member

Posts: 75

Joined: Thu Sep 11, 2008 7:30 am

Post Fri Jan 02, 2009 8:46 am

Re: tool to trace users

Is auditing service turned on, on the remote server?
Last edited by shednik on Fri Jan 02, 2009 9:32 am, edited 1 time in total.
CCNA, MCP, A+, N+

WIP: Masters of Infosec, CEH, & Mastering C

blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Fri Jan 02, 2009 9:30 am

Re: tool to trace users

There are a number of free and commercial tools out there that can help you extract and correlate bits and pieces of information from the system being investigated that eventually will point you to the user that deleted the files. I'm not sure if there is one that can automatically tell you the user who did it.

However, the most important thing is that you extract the hidden INFO2 files from the subject host, using Helix Live CD for example. Every user in the system will have this file created the first time the Recycle Bin is used. The purpose of this file is to track deleted files' and folders' original location, as well as file size and deletion time. This makes it possible to relate the deleted files with specific users.
Security+, OSCP, CEH

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Fri Jan 02, 2009 10:28 am

Re: tool to trace users

Hey blackazarro,

Sounds like a great tutorial for our readers.  ;)

Don
CISSP, MCSE, CSTA, Security+ SME

blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Fri Jan 02, 2009 11:13 am

Re: tool to trace users

don wrote:
  Sounds like a great tutorial for our readers.

Yeah... but I'm not an expert yet. Just little things I know.

Hack_80, I forgot to mention that the INFO2 file is useful if the deleted files are automatically moved to the Recycle Bin. If the user deleted the files from a remote command prompt, or the Recycle Bin is configured to remove files immediately when they are deleted, then the INFO2 will be of no use. There are other methods as well to prevent sending it to the Recycle Bin.

Now since this user accessed the host remotely via shares or whatever, I wonder if there's an entry to the INFO2 file if files/folders are deleted. Hmmm...
Last edited by blackazarro on Fri Jan 02, 2009 11:26 am, edited 1 time in total.
Security+, OSCP, CEH

blackazarro

Sr. Member

Posts: 368

Joined: Sun Aug 13, 2006 5:31 pm

Post Fri Jan 02, 2009 11:41 am

Re: tool to trace users

A tool from Foundstone for analyzing INFO2 files:

Rifiuti v1.0
Security+, OSCP, CEH
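The INFO2 record layout that blackazarro describes above (original path, size and deletion time, kept per user's Recycle Bin) and that Rifiuti parses, as an added Python example that is not from this thread or from Foundstone's tool. It reads the publicly documented Windows 2000/XP 800-byte record format; the INFO2 bytes, path names and timestamps below are constructed test data, and it also flags entries whose first path byte Windows has nulled (restored or emptied), which is the case a practitioner should check before trusting a record.

```python
import struct
from datetime import datetime, timedelta, timezone

# INFO2 layout on Windows 2000/XP (the Unicode-era 800-byte record), as
# documented publicly for the Recycle Bin; this parser is an illustration.
HEADER_SIZE = 20                 # version, two unknown dwords, record size, total size
RECORD_SIZE = 800
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_info2(data):
    """Return one dict per deletion record in an INFO2 blob."""
    _version, _, _, record_size, _total = struct.unpack_from("<IIIII", data, 0)
    records, offset = [], HEADER_SIZE
    while offset + record_size <= len(data):
        rec = data[offset:offset + record_size]
        # ANSI path occupies bytes 0..259; index, drive, FILETIME, size follow.
        index, drive, ticks, size = struct.unpack_from("<IIQI", rec, 260)
        path = rec[280:800].decode("utf-16-le").split("\x00", 1)[0]
        records.append({
            "index": index,
            "drive": chr(ord("A") + drive),
            "deleted_at": filetime_to_datetime(ticks),
            "size": size,
            "original_path": path,
            # Windows nulls the first ANSI path byte when an entry is restored
            # or emptied, so a zero there means the file is no longer in the bin.
            "still_in_bin": rec[0] != 0,
        })
        offset += record_size
    return records


def build_record(index, drive, deleted_at, size, path, in_bin=True):
    """Build a synthetic record (constructed test data, not a real capture)."""
    ticks = int((deleted_at - FILETIME_EPOCH).total_seconds()) * 10_000_000
    ansi = path.encode("ascii").ljust(260, b"\x00")
    if not in_bin:
        ansi = b"\x00" + ansi[1:]
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return ansi + struct.pack("<IIQI", index, drive, ticks, size) + uni


# Constructed sample INFO2: header (version 5) plus two records on drive C:.
T0 = datetime(2009, 1, 2, 9, 30, tzinfo=timezone.utc)
SAMPLE = struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, 0)
SAMPLE += build_record(1, 2, T0, 4096, "C:\\Shares\\report.doc")
SAMPLE += build_record(2, 2, T0 + timedelta(minutes=1), 1024, "C:\\Shares\\old.txt", in_bin=False)
```

On a real host the file sits under the per-user RECYCLER\<SID> folder, so the SID of the folder, not anything inside the records, is what ties the entries to a user account.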

pseud0

Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Fri Jan 02, 2009 12:26 pm

Re: tool to trace users

Hack_80, can you provide any additional information about the platforms involved and the access method used? Did the user have access to that file via remote desktop, shared drives, remote shell, Citrix, etc, etc, etc...? Were these Windows/UNIX/etc boxes? Your answers to those questions are going to dictate where you'd go to get the relevant data.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER

manju_salian

Jr. Member

Posts: 89

Joined: Mon Apr 09, 2007 1:31 am

Post Sat Jan 03, 2009 4:42 am

Re: tool to trace users

Hi,
  The files were deleted from a Windows 2000 Advanced Server with SP4.

pseud0

Recruiters

Posts: 210

Joined: Sat Nov 17, 2007 8:26 pm

Location: Detroit, Michigan

Post Sat Jan 03, 2009 11:08 am

Re: tool to trace users

First things first, have you made an image of the drive? If your primary concern is to recover the file then you need to get the drive imaged ASAP if that system is still in use. Otherwise you'll just write over parts of it at some point. Do you have access to some UNIX/Linux/BSD system that will let you do a simple dd? As long as nobody has played with the drive too much then you should be able to pull the file right back off.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER
