August 29, 2007

Investigating File Deletion from Windows File Servers - Part I

I have found myself in this situation a few times now: some critical files disappear from a file server and I am tasked to find out how it happened.

Sometimes I was able to solve the mystery, but other times I couldn't. The most important factor is the information available to me for the investigation. Give me a full network trace of the server's traffic and plenty of auditing information in the system's logs and I'll tell you that the chances of success are pretty high. Take away either of these elements and things become much more difficult.

Possible causes for important files 'magically' disappearing from a Windows file server are almost infinite. Just to name a few, it could be a bug in the operating system (I haven't seen this kind of bug in many years, but it's certainly possible), malicious software running on the server (this I've seen much more often), a malicious system administrator, or plain user error (even more often).

Yet another possibility is that someone with valid authentication credentials (e.g. username and password) accessed the folder containing the files through the network using the normal Windows file sharing protocol (SMB/CIFS) and simply deleted them, intentionally or unintentionally. This is the case that I'll be analyzing in detail in this series of articles.

So, how far could you get in finding out who removed the files, when, how, and from where, if all you had was a network trace? And if you didn't have a network trace but you did have system logs? Do you want to try?

Let us start with the network trace. Here you can find a network capture file in pcap format (readable by tcpdump, Wireshark, etc.), obtained in a lab environment simulating the deletion of some files from a file server. The lab network was a single Ethernet segment with two systems: a Windows XP client and a Windows Server 2003 server.

If you want to play around with it (just for fun and the learning experience; no prizes this time, sorry), you can try to find the answers to the following questions:

Q1 - How many files were deleted?
Q2 - When?
Q3 - How?
Q4 - Who did it?
Q5 - From where?

In the next article in this series I'll be showing how to obtain the answers to these questions from the network capture file provided. So, stay tuned!
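As an added illustration (not the author's capture or tooling), here is a small Python parser that walks a pcap of the kind described above and lists every SMB1 SMB_COM_DELETE request it finds, with timestamp, source address, UID/TID and path: the raw material for Q1 to Q5. It assumes SMB1 carried over direct TCP port 445 and builds its own constructed two-packet sample capture; a client can also delete a file by opening it and setting its disposition, which this sketch does not decode.

```python
import struct
from datetime import datetime, timezone

SMB_COM_DELETE = 0x06                # SMB1 command that removes a file by path
FLAGS_REPLY, FLAGS2_UNICODE = 0x80, 0x8000

def smb_delete_request(uid, tid, mid, path):   # SMB_COM_DELETE request, Unicode path
    hdr = struct.pack('<4sBIBHH8sHHHHH', b'\xffSMB', SMB_COM_DELETE, 0, 0x18,
                      FLAGS2_UNICODE, 0, b'\0' * 8, 0, tid, 0xfeff, uid, mid)
    name = path.encode('utf-16-le') + b'\0\0'
    # WordCount=1, SearchAttributes, ByteCount, then BufferFormat 0x04 and the name
    return hdr + struct.pack('<BHH', 1, 0x0006, len(name) + 1) + b'\x04' + name

def frame(ts, src_ip, dst_ip, smb):   # pcap record: Ethernet/IPv4/TCP 445/NBSS/SMB
    nbss = b'\0' + len(smb).to_bytes(3, 'big') + smb
    tcp = struct.pack('!HHIIBBHHH', 51234, 445, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + nbss
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 1, 0, 128, 6, 0,
                     bytes(map(int, src_ip.split('.'))), bytes(map(int, dst_ip.split('.')))) + tcp
    eth = b'\x00\x0c\x29\x00\x00\x02\x00\x0c\x29\x00\x00\x01\x08\x00' + ip
    return struct.pack('<IIII', ts, 0, len(eth), len(eth)) + eth

def build_sample_pcap():   # constructed capture: one client deletes two files on a server
    header = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return header + b''.join(frame(1188345600 + i, '192.168.1.10', '192.168.1.20',
                                   smb_delete_request(2048, 1, 7 + i, path))
                             for i, path in enumerate([r'\secret\budget.xls', r'\secret\plan.doc']))

def find_smb_deletes(pcap):
    """Return one record (time, source IP, UID, TID, file) per SMB_COM_DELETE request on TCP/445."""
    endian = '<' if pcap[:4] == b'\xd4\xc3\xb2\xa1' else '>'   # pcap magic gives byte order
    hits, off = [], 24
    while off + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack_from(endian + 'IIII', pcap, off)
        pkt, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if pkt[12:14] != b'\x08\x00' or pkt[23] != 6: continue       # IPv4 + TCP only
        tcp = pkt[14 + (pkt[14] & 0x0f) * 4:]
        if struct.unpack_from('!H', tcp, 2)[0] != 445: continue
        data = tcp[(tcp[12] >> 4) * 4:]
        smb = data[4:4 + int.from_bytes(data[1:4], 'big')]           # strip NBSS length prefix
        if smb[:4] != b'\xffSMB': continue
        _, cmd, _, flags, flags2, _, _, _, tid, _, uid, _ = struct.unpack_from('<4sBIBHH8sHHHHH', smb)
        if cmd != SMB_COM_DELETE or flags & FLAGS_REPLY: continue    # requests only
        wc = smb[32]
        bc = struct.unpack_from('<H', smb, 33 + 2 * wc)[0]
        raw = smb[36 + 2 * wc:35 + 2 * wc + bc]                       # after BufferFormat 0x04
        name = raw.decode('utf-16-le' if flags2 & FLAGS2_UNICODE else 'latin-1').rstrip('\0')
        hits.append({'time': datetime.fromtimestamp(ts, timezone.utc).isoformat(),
                     'src': '.'.join(map(str, pkt[26:30])), 'uid': uid, 'tid': tid, 'file': name})
    return hits
```

Correlating the UID with the earlier SESSION_SETUP exchange in the same capture is what turns "who" from a number into an account name.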


2 Comments:

Anonymous said...

Hi,
David, you mention that in this case you'll analyze the deletion of files via CIFS/SMB.
Does that mean that the only deleted files were deleted via SMB/CIFS, or should we pay attention to other protocols for the deletion?
Thanks

10:50 PM  
David Perez said...

Hi Isaac,

Yes, in this case files were deleted through SMB only.

BTW, I expect to post the next article in the series by next week.

David.

11:07 PM  
