10-19-2010, 07:16 AM   #1
lovsis
LQ Newbie
Registered: Oct 2010
Posts: 5

detect file deletion on an operating system and trace the file history or activity?


I am investigating solutions to trace a file deletion on a computer (Linux O/S).
I also need to determine whether, after a file deletion or download on a computer, the computer clock has not been modified.
In case a file has been downloaded on a computer and then transferred to a removable device, I need to find out the file activity. I mean I should be able to tell that the file was downloaded and transferred to a device, with possible specifications.
Any suggestion is accepted
thanks
 
10-19-2010, 09:49 AM   #2
unSpawn
Moderator
Registered: May 2001
Posts: 27,744
Blog Entries: 54
Welcome to LQ, hope you like it here.

Quote:
Originally Posted by lovsis
I am investigating
For what purpose? Home? Work? Homework?
And what have your investigations turned up so far?
Did you search this forum by any chance?


Quote:
Originally Posted by lovsis
trace a file deletion on a computer (Linux O/S).
What distribution and version?
And what syscalls deal with file deletion?


Quote:
Originally Posted by lovsis
determine whether (..) the computer clock had not been modified.
How would you usually detect clock skew?
And without using NTP?


Quote:
Originally Posted by lovsis
be able to tell that the file was downloaded and transferred to a device
What syscalls deal with file creation?
And copying?
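The syscall questions in the post above have concrete answers: on Linux a file is removed by unlink/unlinkat, overwritten by rename/renameat, and a directory by rmdir; it is created by creat/open/openat with O_CREAT, link, symlink or mknod; and copying is plain read/write (or sendfile/copy_file_range), so what you watch is the open-for-write of the destination. The block below is an added example, not code from the thread or from unSpawn: it shows the auditctl rules that record deletion-class syscalls and a parser that pulls the deletions back out of audit.log, attributing them to the login uid (auid), which survives su/sudo. It assumes x86_64 syscall numbers, the classic (non-ENRICHED) auditd record format, and PATH records that carry nametype= (kernels newer than those current when the thread was written); the log lines are constructed. Note that auditd only records what happens after the rules are loaded; it cannot reconstruct a deletion that happened before.

```python
"""Recover file deletions from auditd records (added example, constructed log).

Rules that produce these records (standard auditctl syntax, run as root):
    auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename \
             -S renameat -S rmdir -k file_delete
    auditctl -a always,exit -F arch=b64 -S creat -S open -S openat \
             -S link -S symlink -k file_create   # noisy: narrow with -F dir=/path
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Syscall numbers for arch=c000003e (x86_64).  Assumption: i386/ARM use
# different numbers, so the parser checks arch= before trusting the name.
SYSCALL_NAMES = {
    87: "unlink", 263: "unlinkat", 82: "rename", 264: "renameat", 84: "rmdir",
    2: "open", 257: "openat", 85: "creat", 86: "link", 88: "symlink",
}
DELETE_SYSCALLS = {"unlink", "unlinkat", "rename", "renameat", "rmdir"}

# Constructed sample: a root `rm` by login user 1000, a `mv`, and a failed `rm`.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1287487023.417:812): arch=c000003e syscall=87 success=yes exit=0 a0=7fff2c3b1e40 a1=0 a2=0 a3=0 items=2 ppid=2210 pid=2345 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="rm" exe="/bin/rm" key="file_delete"
type=CWD msg=audit(1287487023.417:812):  cwd="/home/lovsis"
type=PATH msg=audit(1287487023.417:812): item=0 name="/home/lovsis/Downloads" inode=262145 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1287487023.417:812): item=1 name="/home/lovsis/Downloads/report.pdf" inode=262200 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1287487051.002:813): arch=c000003e syscall=82 success=yes exit=0 a0=7fff2c3b1e40 a1=7fff2c3b1e60 a2=0 a3=0 items=4 ppid=2210 pid=2350 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="mv" exe="/bin/mv" key="file_delete"
type=CWD msg=audit(1287487051.002:813):  cwd="/home/lovsis"
type=PATH msg=audit(1287487051.002:813): item=0 name="/home/lovsis" inode=262144 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1287487051.002:813): item=1 name="/home/lovsis" inode=262144 dev=08:01 mode=040755 ouid=1000 ogid=1000 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1287487051.002:813): item=2 name="notes.txt" inode=262201 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1287487051.002:813): item=3 name=".notes.txt.swp" inode=262201 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
type=SYSCALL msg=audit(1287487100.500:814): arch=c000003e syscall=87 success=no exit=-13 a0=7fff2c3b1e40 a1=0 a2=0 a3=0 items=1 ppid=2210 pid=2360 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="rm" exe="/bin/rm" key="file_delete"
type=PATH msg=audit(1287487100.500:814): item=0 name="/etc/shadow" inode=131090 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')


def _abs(cwd, name):
    """PATH names in rename records are relative to the event's CWD record."""
    return name if name.startswith("/") else cwd.rstrip("/") + "/" + name


def parse_events(text):
    """Group raw records by their audit(ts:serial) event id."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        rec["_ts"] = float(m.group(1) + "." + m.group(2))
        events[int(m.group(3))].append(rec)
    return events


def deletions(text):
    """One dict per *successful* deletion-class syscall, in serial order."""
    out = []
    for serial, recs in sorted(parse_events(text).items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("arch") != "c000003e":
            continue
        name = SYSCALL_NAMES.get(int(sc["syscall"]), "syscall_" + sc["syscall"])
        if name not in DELETE_SYSCALLS or sc.get("success") != "yes":
            continue
        cwd = next((r["cwd"] for r in recs if r["type"] == "CWD"), "/")
        paths = [r for r in recs if r["type"] == "PATH"]
        out.append({
            "serial": serial,
            "when": datetime.fromtimestamp(sc["_ts"], timezone.utc).isoformat(),
            "auid": int(sc["auid"]),   # login uid: who really sat at the keyboard
            "uid": int(sc["uid"]),     # effective uid at the time (0 after sudo)
            "comm": sc["comm"], "exe": sc["exe"], "syscall": name,
            "removed": [_abs(cwd, r["name"]) for r in paths if r.get("nametype") == "DELETE"],
            "created": [_abs(cwd, r["name"]) for r in paths if r.get("nametype") == "CREATE"],
        })
    return out


if __name__ == "__main__":
    for e in deletions(SAMPLE_AUDIT_LOG):
        print(e["when"], "auid=%(auid)d uid=%(uid)d %(comm)s %(syscall)s" % e,
              e["removed"], "->", e["created"])
```

The failed `rm /etc/shadow` (success=no) is deliberately dropped from the result; keep it if you also want attempts. For a shipped box, `ausearch -k file_delete` gives the same raw records this parser consumes.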
 
10-19-2010, 09:52 AM   #3
frndrfoe
Member
Registered: Jan 2008
Distribution: RHEL, CentOS
Posts: 375
Are you familiar with computer forensics? You can gather evidence and make conclusions based on what you find, but the biggest challenge in my opinion is determining what is _good_ evidence.
If you have what may be a citable offense on your hands, I would first get a dd copy of the drive, preferably using a write blocker. Then, if you are running Ubuntu, you can install the forensics toolkit (FTK) using apt-get, which includes Autopsy.
Get a timeline of your filesystem and you will be able to see, with a combination of logs and timeline investigations, when the important file was accessed and how it corresponds to other activities on the machine like NFS mounts, accessing webmail, inserting USB thumb drives, etc.
It is not a trivial task and I would recommend contracting someone with experience if it is important enough.
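The timeline the post above recommends is mostly a merge-and-sort over two sources: the filesystem's MAC times (from the dd image, via `fls -m` into a Sleuth Kit body file that `mactime` renders) and the host's own logs (kernel messages for USB insertion, among others). The block below is an added example, not the thread's or frndrfoe's code, that does that merge over constructed input and answers the three original questions in one pass: the deleted file shows up with its ctime (on ext3/4 the unlink time), files read in the seconds after a removable disk attaches are surfaced as "possibly copied off", and any file whose mtime is later than its ctime is flagged, because the kernel stamps ctime with the current clock on every mtime change, so mtime > ctime means the mtime was forged (touch -t) or the clock was wound back afterwards. Assumptions: ext3/4 semantics, the body-file field order documented for mactime, and a local zone of GMT-5 and year 2010 for the syslog lines (classic syslog records neither); the body lines and kernel lines are constructed.

```python
"""Merge a Sleuth Kit body file with kernel log lines into one timeline
(added example; all input below is constructed).
Body format, as written by `fls -m` and read by `mactime`:
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
"""
import re
from datetime import datetime, timedelta, timezone

SAMPLE_BODY = """\
0|/home/lovsis/Downloads/report.pdf (deleted)|262200|r/rrw-r--r--|1000|1000|48213|1287487005|1287486998|1287487023|0
0|/home/lovsis/notes.txt|262201|r/rrw-r--r--|1000|1000|1290|1287480000|1287479000|1287479000|0
0|/home/lovsis/secret.txt|262202|r/rrw-r--r--|1000|1000|77|1290000000|1290000000|1287487030|0
"""

# Classic /var/log/messages lines: no year, no zone, local time.
SAMPLE_SYSLOG = """\
Oct 19 06:16:40 lab kernel: usb 1-2: new high speed USB device using ehci_hcd and address 4
Oct 19 06:16:41 lab kernel: scsi 6:0:0:0: Direct-Access     Kingston DataTraveler 2.0 PMAP PQ: 0 ANSI: 0 CCS
Oct 19 06:16:41 lab kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Oct 19 06:17:20 lab kernel: sd 6:0:0:0: [sdb] Synchronizing SCSI cache
"""

SYSLOG_RE = re.compile(r'^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) (\S+) kernel: (.*)$')
USB_RE = re.compile(r'usb|scsi|\[sd[a-z]\]', re.I)
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_body(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        rows.append({"name": f[1], "inode": int(f[2]), "uid": int(f[4]), "size": int(f[6]),
                     "atime": int(f[7]), "mtime": int(f[8]), "ctime": int(f[9]),
                     "crtime": int(f[10]), "deleted": f[1].endswith("(deleted)")})
    return rows


def parse_syslog(text, year, utc_offset_hours):
    """USB/SCSI kernel lines as (epoch_utc, 'kernel', message)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hh, mm, ss, _host, msg = m.groups()
        if USB_RE.search(msg):
            dt = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=tz)
            out.append((int(dt.timestamp()), "kernel", msg.strip()))
    return out


def build_timeline(body_text, syslog_text, year=2010, utc_offset_hours=-5):
    """Sorted (epoch_utc, source, description); fs entries carry mactime-style
    'macb' flags showing which of mtime/atime/ctime/crtime fired at that second."""
    entries = list(parse_syslog(syslog_text, year, utc_offset_hours))
    for r in parse_body(body_text):
        stamps = {}
        for flag, key in (("m", "mtime"), ("a", "atime"), ("c", "ctime"), ("b", "crtime")):
            if r[key]:  # 0 means "not recorded" (ext3 has no creation time)
                stamps.setdefault(r[key], []).append(flag)
        for ts, flags in stamps.items():
            macb = "".join(f if f in flags else "." for f in "macb")
            note = "  (ctime is usually the unlink time on ext3/4)" if r["deleted"] and "c" in flags else ""
            entries.append((ts, "fs " + macb, r["name"] + note))
    return sorted(entries)


def timestamp_anomalies(body_text):
    """Files with mtime > ctime: forged mtime or clock moved backwards."""
    return [r["name"] for r in parse_body(body_text) if r["mtime"] > r["ctime"]]


def accessed_after_attach(body_text, syslog_text, window=300, year=2010, utc_offset_hours=-5):
    """Files read within `window` s after the first USB kernel message: leads for
    'copied to the removable device'.  Caveat: relatime/noatime mounts suppress
    most atime updates, so an empty result proves nothing."""
    kernel = parse_syslog(syslog_text, year, utc_offset_hours)
    if not kernel:
        return []
    attach = kernel[0][0]
    return [r["name"] for r in parse_body(body_text) if attach <= r["atime"] <= attach + window]


if __name__ == "__main__":
    for ts, src, what in build_timeline(SAMPLE_BODY, SAMPLE_SYSLOG):
        print(datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"), src.ljust(8), what)
    print("mtime > ctime:", timestamp_anomalies(SAMPLE_BODY))
    print("read just after USB attach:", accessed_after_attach(SAMPLE_BODY, SAMPLE_SYSLOG))
```

The clock question is only partly answerable from the disk alone: mtime > ctime catches one class of tampering, but a clock wound back before any file was touched leaves consistent timestamps, so corroborate against sources with their own clocks (NTP peer logs, the HTTP Date header cached with a downloaded file, mail headers, the syslog of another host).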
All times are GMT -5.