File Deletion

This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system.

Audit Daemon (auditd) is a powerful tool in Linux for tracking and logging system events, including file access. It’s part of the Linux Auditing System, which provides detailed and customizable logging of various types of system activity.

Below is an example auditd rule to detect file access:

sudo nano /etc/audit/rules.d/audit.rules
Opens the auditd rules file with the Nano editor. Add the following line:

-w /path/to/directory -p war -k file_access

-w specifies the file or directory to monitor

-p specifies the permissions to monitor (write, attribute change, read)

-k specifies the key to help identify the rule

To review audit logs related to this rule, we can use ausearch (ausearch -k file_access) or read and retrieve lines from the raw audit logs with grep (sudo grep file_access /var/log/audit/audit.log).

Windows Jump Lists are a feature that provides quick access to recently or frequently used files.

LNK files or Shortcut files are stored in the location C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent Items and have the “.lnk” file extension.

These files are automatically created when a user account accesses a file through Windows Explorer.

This artifact can provide information as to when a file was accessed, modified, and created, the file path and name, and the file size. .LNK files persist even if the actual file has been deleted, helping to uncover if a file has been accessed then subsequently deleted or moved as it is no longer present in the recorded full file path.

In modern versions of the Windows operating system, the prefetch feature serves an important function in speeding up the run time of applications. It does this by creating a cache of information on an application on its first run that is is stored for later reference in c:\windows\prefetch, these files are created with the extension .pf and have the following format <EXECUTABLE>-<HASH>.pf.

These created files contain the created and modified timestamps of the respective file, the file size, process path, how many times it has been run, the last time it was run, and resources it references in the first 10 seconds of execution.

Since every executable that is run will have a prefetch file created when the feature is enabled, the prefetch directory and the contents within it can offer new and valuable insights during an investigation, particularly when the original executable no longer exists.

On Windows 10, we can find the Recycle Bin directory for all users located at C:\$Recycle.Bin. Insider this location are sub-folders using user account SIDs for the naming convention. To get a list of user accounts on a system Windows Management Instrumentation Command (WMIC) can be used: wmic useraccount get name,SID.

Files that begin with $R followed by a random string contain the true file contents of the recycled file.

Files that begin with $I and end in the same string as the $R file counterpart contain the metadata for that specific file, such as the original filename, path, size, and timestamp of when the file was deleted.

If the user has emptied the Recycle Bin, we lose this artifact and cannot analyze it. Instead, we would need to carve these files from a disk image.

Thumbnail Cache, a feature introduced in Windows operating systems starting with Windows Vista, enhances the user experience by caching thumbnail images of files. This functionality, when enabled, speeds up and makes loading these images more efficient in various views, such as File Explorer, by generating preview images or thumbnails for various multimedia files.

This artifact can provide evidence of the presence of files even if they have been deleted.