detect file deletion on an operating system and trace the file history or activity?
I am investigating solutions to trace a file deletion on a computer (Linux O/S).
I also need to determine whether, after a file deletion or download on a computer, the computer clock had not been modified.
In case a file has been downloaded on a computer and then transferred to a removable device, I need to find out the file activity. I mean I should be able to tell that the file was downloaded and transferred to a device with possible specifications.
Any suggestion is accepted
Welcome to LQ, hope you like it here.
And what have your investigations turned up so far?
Did you search this forum by any chance?
And what syscalls deal with file deletion?
And without using NTP?
Are you familiar with computer forensics? You can gather evidence and make conclusions based on what you find but the biggest challenge in my opinion is determining what is _good_ evidence.
If you have what may be a citable offense on your hands I would first get a dd copy of the drive preferably using a write blocker. Then if you are running Ubuntu, you can install the forensics toolkit (FTK) using apt-get which includes Autopsy.
Get a timeline of your filesystem and you will be able to see with a combination of logs and timeline investigations when the important file was accessed and how it corresponds to other activities on the machine like nfs mounts, accessing webmail, inserting USB thumb drives, etc...
It is not a trivial task and I would recommend contracting someone with experience if it is important enough.
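As an added illustration of the "timeline plus logs" approach in the reply above (example code written for this edit, not posted by anyone in the thread and not part of Autopsy or The Sleuth Kit): it builds a MAC-time timeline of a directory tree, interleaves it with a constructed sample of kernel log lines about a removable USB disk, and flags files whose mtime is later than their ctime, a cheap first check for the clock-tampering question. It assumes a Linux/POSIX filesystem where st_ctime is the inode change time, and the log sample and file names are invented.

```python
import os
import re
from datetime import datetime, timezone

# Constructed kernel/syslog sample (hypothetical lines, not taken from any real host).
SAMPLE_SYSLOG = """\
Mar 14 10:02:11 host kernel: usb 1-1: new high-speed USB device number 4 using ehci-pci
Mar 14 10:02:12 host kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Mar 14 10:09:40 host kernel: usb 1-1: USB disconnect, device number 4
"""
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (.*)$")


def parse_syslog(text, year):
    """Convert classic syslog lines (no year in the stamp) into (utc_time, source, message)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts.replace(tzinfo=timezone.utc), "syslog", m.group(2)))
    return events


def fs_timeline(root):
    """One event per MAC timestamp (mtime, atime, ctime) of every file under root."""
    events = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            for label, t in (("mtime", st.st_mtime), ("atime", st.st_atime), ("ctime", st.st_ctime)):
                events.append((datetime.fromtimestamp(t, tz=timezone.utc), "fs:" + label, path))
    return events


def merged_timeline(root, syslog_text, year):
    """Filesystem and log events interleaved in time order, so a file's access can be
    read next to USB attach/detach messages and similar activity on the machine."""
    return sorted(fs_timeline(root) + parse_syslog(syslog_text, year))


def suspicious_files(root):
    """Files whose mtime is later than their ctime. utime()/touch can rewrite mtime but
    not ctime, so this pattern means the mtime was set by hand or the clock moved
    backwards between the content write and a later metadata change: look closer."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if st.st_mtime > st.st_ctime + 1:  # one second of slack for coarse timestamps
                flagged.append(path)
    return flagged
```

Run it against a mounted read-only copy of the dd image, not the live disk, so the atimes you are reading are not updated by the investigation itself.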