File Deletion

This section cannot be readily mitigated at a system level with preventive controls since it is based on the abuse of fundamental features of the system.

Audit Daemon (auditd) is a powerful tool in Linux for tracking and logging system events, including file access. It’s part of the Linux Auditing System, which provides detailed and customizable logging of various types of system activity.

Below is an example auditd rule to detect file access:

sudo nano /etc/audit/rules.d/audit.rules
Opens the auditd rules file with the Nano editor. Add the following line:

-w /path/to/directory -p war -k file_access

-w specifies the file or directory to monitor

-p specifies the permissions to monitor (write, attribute change, read)

-k specifies the key to help identify the rule

To review audit logs related to this rule, we can use ausearch (ausearch -k file_access) or read and retrieve lines from the raw audit logs with grep (sudo grep file_access /var/log/audit/audit.log).

Every volume connected to a macOS system maintains a File System Events (FSEvents) Store Database, which records file system changes on that volume. This includes file and folder creation, renaming, modifications, movement, extractions (e.g., unzipping archives), deletions, emptying the Trash, and volume mounting or unmounting.

FSEvents is a macOS-specific API that allows applications to register for notifications of file system changes within a specified directory tree. This mechanism enables efficient tracking of modifications without requiring constant disk scanning, which would be computationally expensive.

At the kernel level, file system changes trigger notifications that are passed via the special device file /dev/fsevents to a user-space process called fseventsd. This process consolidates multiple related events within a short timeframe and writes them to the .fseventsd directory on the affected volume. Applications that have registered for file system monitoring can then receive event notifications asynchronously.

FSEvents functions as a high-level journaling system, maintaining a chronological record of file system activity. While it does not capture file contents or granular metadata changes, it logs file paths and event types, making it an essential artifact in macOS forensic investigations.

FSEvents can be leveraged to:

• Identify previously deleted files by analyzing logged file paths.
• Reconstruct user activity, such as accessing, modifying, or moving files.
• Detect unauthorized file operations, including potential data exfiltration or policy violations.
• Correlate timestamps of file activity with other forensic artifacts, such as Unified Logs or APFS transaction logs.

The FSEvents database is stored on each volume at the following locations:

• macOS versions below Big Sur: /.fseventsd/
• macOS Big Sur and later: /System/Volumes/Data/.fseventsd/

Each directory contains event logs in a proprietary binary format, which requires parsing with specialist tools such as FSEventsParser, mac_apt, or custom scripts using Apple’s FSEvents API.

There are some limitations to consider:

• Limited Visibility: FSEvents logs file paths and event types but not file contents, timestamps of individual changes, or user context (e.g., which process or user performed an action).
• Higher-Level Logging: Unlike APFS transaction logs, which provide more granular tracking of file system changes at the block level, FSEvents operates at a higher level and may miss certain low-level modifications.
• Permission Restrictions: Accessing .fseventsd directories requires root or administrative privileges, making forensic analysis challenging without elevated permissions.
• Log Retention: Event history is automatically purged based on system activity and disk space, meaning older records may not be available for long-term analysis.

FSEvents is a critical forensic artifact in macOS investigations, providing valuable insight into file system activity without requiring persistent monitoring tools. While it has limitations compared to lower-level logging mechanisms, its ability to track file system events across entire directory structures makes it invaluable for reconstructing user actions and identifying unauthorized file operations.

Windows Jump Lists are a feature that provides quick access to recently or frequently used files.

LNK files or Shortcut files are stored in the location C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Recent Items and have the “.lnk” file extension.

These files are automatically created when a user account accesses a file through Windows Explorer.

This artifact can provide information as to when a file was accessed, modified, and created, the file path and name, and the file size. .LNK files persist even if the actual file has been deleted, helping to uncover if a file has been accessed then subsequently deleted or moved as it is no longer present in the recorded full file path.

In modern versions of the Windows operating system, the prefetch feature serves an important function in speeding up the run time of applications. It does this by creating a cache of information on an application on its first run that is is stored for later reference in c:\windows\prefetch, these files are created with the extension .pf and have the following format <EXECUTABLE>-<HASH>.pf.

These created files contain the created and modified timestamps of the respective file, the file size, process path, how many times it has been run, the last time it was run, and resources it references in the first 10 seconds of execution.

Since every executable that is run will have a prefetch file created when the feature is enabled, the prefetch directory and the contents within it can offer new and valuable insights during an investigation, particularly when the original executable no longer exists.

On Windows 10, we can find the Recycle Bin directory for all users located at C:\$Recycle.Bin. Insider this location are sub-folders using user account SIDs for the naming convention. To get a list of user accounts on a system Windows Management Instrumentation Command (WMIC) can be used: wmic useraccount get name,SID.

Files that begin with $R followed by a random string contain the true file contents of the recycled file.

Files that begin with $I and end in the same string as the $R file counterpart contain the metadata for that specific file, such as the original filename, path, size, and timestamp of when the file was deleted.

If the user has emptied the Recycle Bin, we lose this artifact and cannot analyze it. Instead, we would need to carve these files from a disk image.

Thumbnail Cache, a feature introduced in Windows operating systems starting with Windows Vista, enhances the user experience by caching thumbnail images of files. This functionality, when enabled, speeds up and makes loading these images more efficient in various views, such as File Explorer, by generating preview images or thumbnails for various multimedia files.

This artifact can provide evidence of the presence of files even if they have been deleted.