Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-19-2010, 06:16 AM   #1
lovsis
LQ Newbie
 
Registered: Oct 2010
Posts: 5

detect file deletion on an operating system and trace the file history or activity?


I am investigating solutions to trace a file deletion on a computer (Linux OS).
I also need to determine whether, after a file deletion or download on a computer, the computer clock has not been modified.
In case a file has been downloaded on a computer and then transferred to a removable device, I need to find out the file activity. I mean I should be able to tell that the file was downloaded and transferred to a device, with possible specifications.
Any suggestion is accepted.
Thanks
 
Old 10-19-2010, 08:49 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,524
Blog Entries: 51

Welcome to LQ, hope you like it here.

Quote (Originally Posted by lovsis): "I am investigating"
For what purpose? Home? Work? Homework?
And what have your investigations turned up so far?
Did you search this forum by any chance?


Quote (Originally Posted by lovsis): "trace a file deletion on a computer (Linux OS)."
What distribution and version?
And what syscalls deal with file deletion?


Quote (Originally Posted by lovsis): "determine whether (..) the computer clock had not been modified."
How would you usually detect clock skew?
And without using NTP?


Quote (Originally Posted by lovsis): "be able to tell that the file was downloaded and transferred to a device"
What syscalls deal with file creation?
And copying?
 
Old 10-19-2010, 08:52 AM   #3
frndrfoe
Member
 
Registered: Jan 2008
Distribution: RHEL, CentOS
Posts: 373

Are you familiar with computer forensics? You can gather evidence and make conclusions based on what you find, but the biggest challenge, in my opinion, is determining what is _good_ evidence.
If you have what may be a citable offense on your hands, I would first get a dd copy of the drive, preferably using a write blocker. Then, if you are running Ubuntu, you can install the forensics toolkit (FTK) using apt-get, which includes Autopsy.
Get a timeline of your filesystem and you will be able to see, with a combination of logs and timeline investigations, when the important file was accessed and how it corresponds to other activities on the machine like NFS mounts, accessing webmail, inserting USB thumb drives, etc.
It is not a trivial task, and I would recommend contracting someone with experience if it is important enough.
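As an added example (not posted in this thread), here is a small Python sketch of the two ideas raised above: frndrfoe's filesystem timeline and unSpawn's hint about detecting a moved clock without NTP. It writes one Sleuth Kit-style bodyfile line per file (the input format mactime reads), sorts MAC events into a timeline, and flags files whose mtime is later than their ctime: user space can set mtime with utime(), but only the kernel sets ctime, so that ordering is a heuristic for timestamp tampering or a clock that moved. The sample tree is constructed in a temporary directory; run it on a mounted image copy, never the live evidence.

```python
import os
import stat
import tempfile
import time

def bodyfile_entry(path):
    """One Sleuth Kit 'bodyfile' line (the input format of mactime):
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    MD5 is left 0; crtime is 0 because os.lstat() exposes no birth time."""
    st = os.lstat(path)
    return "0|%s|%d|%s|%d|%d|%d|%d|%d|%d|0" % (
        path, st.st_ino, stat.filemode(st.st_mode), st.st_uid, st.st_gid,
        st.st_size, int(st.st_atime), int(st.st_mtime), int(st.st_ctime))

def build_timeline(root):
    """Return (timestamp, flag, path) tuples sorted by time, like mactime output:
    m = content modified, a = accessed, c = inode changed."""
    events = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            for ts, flag in ((st.st_mtime, "m"), (st.st_atime, "a"), (st.st_ctime, "c")):
                events.append((int(ts), flag, p))
    return sorted(events)

def suspicious_mtime(root):
    """Paths whose mtime is later than ctime. The kernel sets ctime on every inode
    change and user space cannot choose it, while mtime can be set freely with
    utime(); mtime > ctime therefore points at timestamp tampering or a clock
    that moved after the file was written (a heuristic, not proof)."""
    return [p for ts, flag, p in build_timeline(root)
            if flag == "m" and ts > int(os.lstat(p).st_ctime)]

def make_sample_tree():
    """Constructed sample tree: two files, one with atime/mtime pushed a day ahead."""
    root = tempfile.mkdtemp(prefix="timeline_")
    for name in ("notes.txt", "download.bin"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"sample")
    future = time.time() + 86400
    os.utime(os.path.join(root, "download.bin"), (future, future))  # ctime stays 'now'
    return root

if __name__ == "__main__":
    root = make_sample_tree()
    for ts, flag, p in build_timeline(root):
        print(ts, flag, p)
    print("mtime later than ctime:", suspicious_mtime(root))
```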
 
All times are GMT -5. The time now is 08:06 PM.