Date and Time on a delete file
March 10th, 2014, 10:12
Hello
Quick question i just want to know if its possible to know the date and time on a delete file? Somebody at work deleted something and i want to know when it was delete.
Thanks
Quick question i just want to know if its possible to know the date and time on a delete file? Somebody at work deleted something and i want to know when it was delete.
Thanks
Re: Date and Time on a delete file
March 10th, 2014, 10:37
A few places you might look,
volume shadow copy tools exist..
I advise to at least listen to the podcast on shadow copies. very enlightening
resources here: http://malthus.zapto.org/viewtopic.php?f=101&t=220&p=535&hilit=shadow#p535
look at event log, depending on the granularity
or try and use a file recovery tool, recover it and see what the last mod, created, last access times are.
I think as time passes it is going to be increasingly hard to track it down
Also, One thing that is often overlooked is that after the effort is made to track down details such as this, nothing ever gets put in place to deal with it again. Take the opportunity to setup the eventlog auditing or however you do your fault tracing. The eventlog can track an enourmous number of things, and with an Active Directory domain and Group Policy, it is pretty easy to do.
volume shadow copy tools exist..
I advise to at least listen to the podcast on shadow copies. very enlightening
resources here: http://malthus.zapto.org/viewtopic.php?f=101&t=220&p=535&hilit=shadow#p535
look at event log, depending on the granularity
or try and use a file recovery tool, recover it and see what the last mod, created, last access times are.
I think as time passes it is going to be increasingly hard to track it down
Also, One thing that is often overlooked is that after the effort is made to track down details such as this, nothing ever gets put in place to deal with it again. Take the opportunity to setup the eventlog auditing or however you do your fault tracing. The eventlog can track an enourmous number of things, and with an Active Directory domain and Group Policy, it is pretty easy to do.
Last edited by HaQue on March 10th, 2014, 10:41, edited 1 time in total.
Re: Date and Time on a delete file
March 10th, 2014, 10:39
Thanks HaQue, i will verify.
Thank You.
Thank You.
Re: Date and Time on a delete file
March 10th, 2014, 12:21
Yo Spildit 
Re: Date and Time on a delete file
March 11th, 2014, 6:44
Hi Lobox,
If it is a casual check and if the file is still in Recycle Bin just right click and check properties - File Deletion time.
Be careful tho, the time stamp data can easily be modified and different operating systems handle file times differently. Some programs will set the MAC times to correspond with the original rather than the time the copy was made.
If you are to make an important decision, say, calling an employee a lair and firing him, it would be wise to get pro forensic advice first.
K
If it is a casual check and if the file is still in Recycle Bin just right click and check properties - File Deletion time.
Be careful tho, the time stamp data can easily be modified and different operating systems handle file times differently. Some programs will set the MAC times to correspond with the original rather than the time the copy was made.
If you are to make an important decision, say, calling an employee a lair and firing him, it would be wise to get pro forensic advice first.
K
Re: Date and Time on a delete file
March 11th, 2014, 7:08
Edit - typo: lair -> liar. not had enough coffee this morning :/
Re: Date and Time on a delete file
March 11th, 2014, 8:20
digitalferret wrote:Hi Lobox,
If it is a casual check and if the file is still in Recycle Bin just right click and check properties - File Deletion time.
Be careful tho, the time stamp data can easily be modified and different operating systems handle file times differently. Some programs will set the MAC times to correspond with the original rather than the time the copy was made.
If you are to make an important decision, say, calling an employee a lair and firing him, it would be wise to get pro forensic advice first.
K
Sup man, thank you for the information, I am not the one who is firing him, is somebody else, I was able to get the info erased, just checking the timestamps to know when it was deleted found a couple of links http://www.forensicfocus.com/forensic-a ... ecycle-bin will let you know in any case.
Re: Date and Time on a delete file
March 11th, 2014, 12:12
sup dude, thanks for the feedback.
tell boss to be careful.
been in court case where "bad" employee loses job and wins case for wrongful dismissal.
took around £100k GBP in compensation.
Filed against manager personally too in case company couldn't pay (manager could lose house/home etc)
Company closed not much later as loss of reputation practically ensured no new contracts came forward.
completely ****ing scandalous in my eyes. happens every day too i'm sure.
You screw up just this much > . <
Get advice from a pro to mitigate risk. make sure both yours and his insurance is up to date too.
good luck
K
tell boss to be careful.
been in court case where "bad" employee loses job and wins case for wrongful dismissal.
took around £100k GBP in compensation.
Filed against manager personally too in case company couldn't pay (manager could lose house/home etc)
Company closed not much later as loss of reputation practically ensured no new contracts came forward.
completely ****ing scandalous in my eyes. happens every day too i'm sure.
You screw up just this much > . <
Get advice from a pro to mitigate risk. make sure both yours and his insurance is up to date too.
good luck
K
Re: Date and Time on a delete file
March 11th, 2014, 12:49
Thanks @digitalferret for pointing out that critical information i will keep that in mind when talking to the boss.
Thank you once again.
Thank you once again.
Re: Date and Time on a delete file
March 12th, 2014, 8:26
Thanks @Spildit i will let you know the outcome.
Powered by phpBB © phpBB Group.