LinuxQuestions.org

Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
detect file deletion on an operating system and trace the file history or activity? (http://www.linuxquestions.org/questions/linux-security-4/detect-file-deletion-on-an-operating-system-and-trace-the-file-history-or-activity-839017/)

lovsis 10-19-2010 06:16 AM

detect file deletion on an operating system and trace the file history or activity?
 
I am investigating solutions to trace a file deletion on a computer (Linux OS).
I also need to determine whether, after a file deletion or download on a computer, the computer clock has not been modified.
In case a file has been downloaded onto a computer and then transferred to a removable device, I need to find out the file's activity; I mean I should be able to tell that the file was downloaded and transferred to a device, with the device's possible specifications.
Any suggestion is accepted.
Thanks

unSpawn 10-19-2010 08:49 AM

Welcome to LQ, hope you like it here.

Quote:

Originally Posted by lovsis (Post 4132326)
i am investigating

For what purpose? Home? Work? Homework?
And what have your investigations turned up so far?
Did you search this forum by any chance?


Quote:

Originally Posted by lovsis (Post 4132326)
trace a file deletion on a computer( Linux O/S).

What distribution and version?
And what syscalls deal with file deletion?


Quote:

Originally Posted by lovsis (Post 4132326)
determine whether (..) the computer clock had not been modified.

How would you usually detect clock skew?
And without using NTP?


Quote:

Originally Posted by lovsis (Post 4132326)
be able to tell that the file was downloaded and transferred to a device

What syscalls deal with file creation?
And copying?
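The syscalls unSpawn is hinting at, turned into something runnable. This is an added example, not code from the thread or from unSpawn: a set of auditd rules covering file deletion and renaming (unlink, unlinkat, rename, renameat), system clock changes (adjtimex, settimeofday, clock_settime, plus writes to /etc/localtime) and mounts, followed by a small POSIX awk parser that joins the resulting audit.log records by event id. It assumes a Linux box running auditd on x86_64 (b32 rules added for 32-bit callers); the audit.log records embedded below are constructed for illustration, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the thread. Audit rules for the syscalls unSpawn
# hints at, plus a parser for the audit.log records they produce.
# Assumptions: Linux with auditd, x86_64 (b64 rules; b32 rules for 32-bit callers).

# Rules for /etc/audit/rules.d/ or `auditctl -R`. The -k keys tag each record so
# that `ausearch -k delete` / `ausearch -k time-change` can pull them out later.
write_audit_rules() {
    cat > "$1" <<'EOF'
## deletion and renaming (rm, mv, and the unlinkat used by modern coreutils)
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
## system clock changes: the "was the clock modified?" question
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change
-w /etc/localtime -p wa -k time-change
## mounts of removable media
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
EOF
}

# Constructed sample records in audit.log's on-disk format (not a real capture):
# one successful unlink() of report.pdf by rm, then a settimeofday() by date.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1287482400.123:501): arch=c000003e syscall=87 success=yes exit=0 a0=7fff1c2a a1=0 a2=0 a3=0 items=2 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="delete"
type=CWD msg=audit(1287482400.123:501):  cwd="/home/lovsis"
type=PATH msg=audit(1287482400.123:501): item=0 name="/home/lovsis" inode=131073 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1287482400.123:501): item=1 name="/home/lovsis/report.pdf" inode=131099 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1287482460.500:502): arch=c000003e syscall=164 success=yes exit=0 a0=7fff1c3b a1=0 a2=0 a3=0 items=0 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="date" exe="/bin/date" key="time-change"
EOF
}

# Join each SYSCALL record tagged key="delete" with the PATH record whose
# nametype=DELETE, using the event id inside msg=audit(epoch.ms:id).
# Prints one line per deleted path: epoch auid=.. comm=.. exe=.. path=..
list_deletions() {
    awk '
    {
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        split(substr($0, RSTART + 10, RLENGTH - 11), ev, ":"); ts = ev[1]; id = ev[2]
    }
    $1 == "type=SYSCALL" && /key="delete"/ && /success=yes/ {
        when[id] = ts
        for (i = 1; i <= NF; i++) {
            split($i, kv, "="); gsub(/"/, "", kv[2])
            if (kv[1] == "auid" || kv[1] == "comm" || kv[1] == "exe") f[id, kv[1]] = kv[2]
        }
    }
    $1 == "type=PATH" && /nametype=DELETE/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^name=/) { p = substr($i, 6); gsub(/"/, "", p); gone[id] = p }
    }
    END {
        for (id in when) if (id in gone)
            printf "%s auid=%s comm=%s exe=%s path=%s\n", when[id], f[id,"auid"], f[id,"comm"], f[id,"exe"], gone[id]
    }' "$1" | sort
}

# Every successful clock-setting syscall, with who ran it and from which binary.
clock_changes() {
    awk '$1 == "type=SYSCALL" && /key="time-change"/ && /success=yes/ {
        match($0, /msg=audit\([0-9.]+:/); ts = substr($0, RSTART + 10, RLENGTH - 11)
        u = c = e = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "="); gsub(/"/, "", kv[2])
            if (kv[1] == "auid") u = kv[2]; else if (kv[1] == "comm") c = kv[2]; else if (kv[1] == "exe") e = kv[2]
        }
        printf "%s auid=%s comm=%s exe=%s\n", ts, u, c, e
    }' "$1"
}

tmp=$(mktemp -d)
write_audit_rules "$tmp/50-deletion.rules"
write_sample_log  "$tmp/audit.log"
echo "== rules =="; cat "$tmp/50-deletion.rules"
echo "== deletions =="; list_deletions "$tmp/audit.log"
echo "== clock changes =="; clock_changes "$tmp/audit.log"
rm -rf "$tmp"
```

Two caveats a practitioner would add: auditd only records events that happen after the rules are loaded, so it answers the question for the future, not for a deletion that already happened (that is where a disk timeline comes in); and adjtimex is also what ntpd uses to discipline the clock, so a time-change hit is only suspicious when comm/exe is something other than the time daemon. On a live system `ausearch -k delete -i` does the same join with fields already interpreted; the parser above is for an audit.log copied off the box.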

frndrfoe 10-19-2010 08:52 AM

Are you familiar with computer forensics? You can gather evidence and make conclusions based on what you find, but the biggest challenge in my opinion is determining what is _good_ evidence.
If you have what may be a citable offense on your hands, I would first get a dd copy of the drive, preferably using a write blocker. Then, if you are running Ubuntu, you can install the forensics toolkit (FTK) using apt-get, which includes Autopsy.
Get a timeline of your filesystem and you will be able to see, with a combination of logs and timeline investigations, when the important file was accessed and how it corresponds to other activities on the machine like NFS mounts, accessing webmail, inserting USB thumb drives, etc.
It is not a trivial task and I would recommend contracting someone with experience if it is important enough.
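The dead-disk workflow frndrfoe describes, as an added example that is not from the thread or from frndrfoe: image the drive, build a filesystem timeline with The Sleuth Kit, and correlate it with the kernel log lines a USB stick leaves behind. It assumes The Sleuth Kit (mmls, fls, mactime) for the real run; so that it runs without an evidence image, the bodyfile and syslog lines embedded below are constructed for illustration and the awk timeline re-implements what `mactime` does with a bodyfile. The path, inode numbers and USB identifiers in the sample data are made up.

```shell
#!/bin/sh
# Added example, not code from the thread. Dead-disk timeline plus USB-insertion
# evidence, the two things frndrfoe says to correlate. Assumptions: The Sleuth Kit
# for the real run; the bodyfile and syslog lines below are constructed, and
# bodyfile_timeline re-implements mactime's expansion so this runs without an image.

# Real run, always on a copy of the evidence disk, never the original:
#   dd if=/dev/sdX of=evidence.dd bs=4M conv=noerror,sync   # behind a write blocker
#   sha256sum evidence.dd > evidence.dd.sha256              # prove the copy never changed
#   mmls evidence.dd                                        # partition table, sector offsets
#   fls -r -m / -o 2048 evidence.dd > body.txt              # bodyfile; deleted files marked
#   mactime -b body.txt -d -z UTC > timeline.csv            # one row per M/A/C/B event

# Constructed bodyfile (TSK 3.x: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime).
# The story it tells: report.pdf is created, copied to the USB stick, then deleted.
write_sample_bodyfile() {
    cat > "$1" <<'EOF'
0|/home/lovsis/report.pdf (deleted)|131099|r/rrw-r--r--|1000|1000|204800|1287482390|1287482100|1287482400|1287482050
0|/home/lovsis/.bash_history|131080|r/rrw-------|1000|1000|4096|1287482410|1287482410|1287482410|1287000000
0|/media/usb0/report.pdf|12|r/rrwxrwxrwx|1000|1000|204800|1287482380|1287482380|1287482380|1287482380
EOF
}

# Expand each bodyfile row into one line per distinct timestamp, flagged "macb"
# (modified, accessed, changed, born) like mactime's Type column, sorted by time.
# Columns: epoch macb size mode uid gid inode name
bodyfile_timeline() {
    awk -F'|' 'NF >= 11 {
        split("", seen)
        t[1] = $8; t[2] = $9; t[3] = $10; t[4] = $11
        for (i = 1; i <= 4; i++) {
            T = t[i]
            if (T == 0 || (T in seen)) continue
            seen[T] = 1
            m = ($9 == T) ? "m" : "."; a = ($8 == T) ? "a" : "."
            c = ($10 == T) ? "c" : "."; b = ($11 == T) ? "b" : "."
            printf "%s %s%s%s%s %s %s %s %s %s %s\n", T, m, a, c, b, $7, $4, $5, $6, $3, $2
        }
    }' "$1" | sort -n
}

# Constructed kernel log lines (syslog format) for a USB stick being inserted.
write_sample_syslog() {
    cat > "$1" <<'EOF'
Oct 19 09:12:41 lab kernel: usb 1-1: new high speed USB device using ehci_hcd and address 4
Oct 19 09:12:41 lab kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567
Oct 19 09:12:41 lab kernel: usb 1-1: Product: Cruzer Blade
Oct 19 09:12:41 lab kernel: usb 1-1: Manufacturer: SanDisk
Oct 19 09:12:41 lab kernel: usb 1-1: SerialNumber: 4C530001234567
Oct 19 09:12:42 lab kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
EOF
}

# The device "specifications" the OP asks for (vendor/product ids, strings, serial)
# per USB port, plus the block device the kernel attached right after it.
usb_events() {
    awk '
    $6 == "usb" { d = $7; sub(/:$/, "", d) }
    /New USB device found/ { when[d] = $1 " " $2 " " $3; v = $(NF-1); sub(/,$/, "", v); ids[d] = v " " $NF }
    /: Manufacturer: / { mfr[d] = $NF }
    /: Product: /      { sub(/.*: Product: /, ""); prod[d] = $0 }
    /: SerialNumber: / { ser[d] = $NF }
    /Attached SCSI removable disk/ { n = $8; gsub(/\[|\]/, "", n); node[d] = n }
    END { for (d in when) printf "%s usb=%s %s mfr=%s product=%s serial=%s node=%s\n",
                               when[d], d, ids[d], mfr[d], prod[d], ser[d], node[d] }
    ' "$1"
}

tmp=$(mktemp -d)
write_sample_bodyfile "$tmp/body.txt"; write_sample_syslog "$tmp/messages"
echo "== timeline (epoch macb size mode uid gid inode name) =="; bodyfile_timeline "$tmp/body.txt"
echo "== removable media =="; usb_events "$tmp/messages"
rm -rf "$tmp"
```

Reading the constructed timeline top to bottom gives the sequence the OP wants to establish: report.pdf is born at 1287482050, an identical-size copy appears on /media/usb0 at 1287482380 (its macb all at once, as a fresh copy would be), the original is read at 1287482390 and its inode changed at 1287482400 when it was unlinked, which fls reports with the "(deleted)" suffix. The USB serial number and the [sdb] node from the kernel log tie the mount point to a specific stick. The pairing of the "Attached SCSI removable disk" line with the last seen USB port is a heuristic; on a real box check the timestamps of the two lines against each other.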

