NTFS Drive: When was data deleted?

Networking/Security Forums -> Computer Forensics and Incident Response

Author: hiko PostPosted: Mon Jun 30, 2008 11:19 pm    Post subject: NTFS Drive: When was data deleted?
    ----
Hi everybody,

I've got two systems:
- Windows XP Pro
- Windows Vista Home Premium

Some directories where deleted at some point. I've managed to succesfully restore the data but i can't figure out when were the directories deleted.

I think that in NTFS File systems, if file auditing is not turned on previously, there is no way to find the date of deletion. it's just not stored.

I'm correct? Please help.

hiko

Author: Mongrel PostPosted: Fri Aug 08, 2008 7:15 am    Post subject:
    ----
You may be right about auditing but THIS PAPER (page 6) discusses
Deleted Date and Timestamp on M$ files in the Recycle Bin. There may be
some help for you there.

In most apps that recover deleted data a date deleted is shown in the
logfile during the recovery process.

Can't stress it enough but THIS GOOGLE sent me there.



Networking/Security Forums -> Computer Forensics and Incident Response


output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group