Files & Reports

by Fernando Souza,
Number of replies: 11

Hi,

I was given a task to investigate a suspicious behaviour of a student. Apparently he shared files with someone or received files from someone, which were not supposed to be shared. Is there a way to discover if he received (or sent) any files? Is there a way to look at each enrolled user's private files to see if the file is there?

Also, my boss told me he accidentally deleted a discussion forum before performing a backup. The suspicious user mentioned above also behaved badly in the forum. Is there a way to recover this forum or is it permanently gone?

Last but not least, my boss asked me to download a report with the user's grades and quiz attempts. I couldn't find any. Is there a way for the user himself to delete his tracks?


Moodle version: 3.9.6

In reply to Fernando Souza

Re: Files & Reports

by Rick Jerz,
I see 3 questions.

1) Moodle keeps track of clicks, and you should be able to search the database for a particular user, clicking on an assignment, and (I believe) what this user clicked on. This, of course, assumes that the file was in Moodle. I don't allow "student files" to be uploaded in my Moodle, so I am not sure what Moodle records about private files.

2) I am not sure if the Moodle database keeps deleted forum posts. Of course, regular posts are in the database. Worst case is that you might need to restore a backup of your Moodle and probe.

3) You can go into a Quiz, see students' grades and attempts, and download some of this to a file. This is on a quiz by quiz basis. You can query the database for a more general summary. If you want to see a specific student, I would use Moodle's built-in "Complete report."

Doing this kind of investigation involves querying the Moodle database. You need to use SQL.
In reply to Rick Jerz

Re: Files & Reports

by Fernando Souza,
Hi Rick,
Thanks for the reply.

I know I can go to a quiz to see user's grades and attempts. However, it doesn't show me anything about said user. My boss is sure that the student did the quizzes. Maybe my boss is mistaken, I don't know. Do you know if there is a way for a user to delete his attempts and delete all his traces in a course? I suppose if he did that, it would be registered in the logs, right? But again, there is nothing in the logs.

I know very little about databases, but I'll check it out and see if I can find anything there.

There are no backups from that period, unfortunately.
In reply to Fernando Souza

Re: Files & Reports

by Mark Johnson,

Hi Nando! Unless you believe the user has compromised the database, if there are no events in the logs showing that they attempted the quiz, they did not attempt the quiz. Deleting a quiz attempt would delete the data for the attempt, and create a log entry for the deletion, but it would not remove the log entries for the initial attempt.

In reply to Mark Johnson

Re: Files & Reports

by Fernando Souza,
Hi Mark, you always appear to help me. I appreciate that, mate! Btw, how are you doing?

Anyway, I now know more info about the issue, apparently the user is under investigation for academic misconduct. Apparently there is a '.doc word file' that has been posted by only god knows who in a forum section which would prove this. The thing is my boss said he deleted the forum and that's why the file disappeared. This is very strange, I know...

Is there a way that this file might still be accessible?
In reply to Fernando Souza

Re: Files & Reports

by Rick Jerz,
As I recall, uploaded files are logged in Moodle's logstore table. And deletions are also logged. To get a sense of what this person has done, use the following type of SQL query. This is a starting point.

select * from mdl_logstore_standard_log
where userid = (the user's id goes here)
order by timecreated desc
In reply to Fernando Souza

Re: Files & Reports

by Ken Task,

Depending upon version of Moodle and settings ... and how hard you want to work at recovery ...

There is recyclebin ... in admin setting for recyclebin set to show all the time.  Go to course where forum used.  See if the forum posting is in recyclebin.  Issue with that ... don't think one has the option to download, only restore.   Once restored not sure one can hide that posting in the forum.   But once restored, attachment should be there (maybe).   That one might be able to download, and once downloaded, the posting deleted again.

The other ... trashdir in moodledata.

You'd have to query the DB mdl_files table and look for all files that end with .docx (or .doc) to get where it might be located (trashdir) ... the file's contenthash value.   The contenthash value is both where the file is in the moodle file system ... normally moodledata/filedir/xx/yy/contenthashvalue ... (this case trashdir) and its name in the file system ... which is the contenthash value.

Once one has that info, a command line find for 'contenthash' value in either moodledata/filedir or moodledata/trashdir will show location of the file and one can copy that file out to some other directory and change its name on the fly.

Recyclebin default is I think 3 days ... after that, file is moved to Trash.  Trash is normally emptied after 4 days.   So depending upon when this deletion took place, you might still have time to recover.

A raw command line find in moodledata/trashdir/* for file type - think it would show as 'Indian' something - one could find all .doc or .docx files in there, copy them out ... compare them all ... to find the one.

cd /path/to/moodledata/trashdir/

Example commands:

[root@moodle trashdir]# ls -1 ./*/*/*

Would render:

./05/68/0568b6afd049daf3326bbbaa9584bc741b83b499
./08/e0/08e0f99fd6dc25585884bc9a767cc5b3dcb64dec
./15/f6/15f6ca0e74097ed623c3678c17de9b0f38b210da
./1c/15/1c15650f3a392bdb31bbbbb699b84776cccb8c89
./2a/d5/2ad59119cc2780a58ad07f1b9a80911e7eee6475
./2d/a4/2da4b683281f505884046a8390b86cd9c4bc3abf
./2e/da/2edaeeae81151ccb2e9a3c50c9a0583fb01511bf
./49/3c/493cc5de2ea074975d409469b6e0536ddace5e19
./61/96/619612768f5392fc3a8ab772656d8e5002dea71d
./62/69/62698ef27c845e5289f655d7f41b87f38928dd33
./69/48/6948fdd8963bca583a5864062de896a85b9a545c
./6b/4f/6b4fa8952f094322d8aa90e41d9564e2e9bbd26c
./7d/03/7d03d38e6cc326a3e1e8c4894f14edba4a5a247c
./a4/c1/a4c1f7561bd4c690afa0f33eb900c8868fe8cbbc
./af/5d/af5d1cc12f8ceb1646acd8735a7a2ab6fe49973f
./be/5d/be5d8179010fb09912debeb826b9141102279772
./e1/a2/e1a21e3f1ba1e3fde3c30bd09ec6d9af58afaa5c
./ed/00/ed00c2ba2f5680d603e160823a291b4b6f361a88
./f9/42/f94275732bfb79c38aa6066cfc3f665fb8acdc39
./fd/f6/fdf68ca74d3e99b8d462a49304a6e1dfcf012992

Then, from same location a file -b command for each of above:

file -b ./fd/f6/fdf68ca74d3e99b8d462a49304a6e1dfcf012992

In this example, renders:

PNG image data, 827 x 1069, 8-bit/color RGB, non-interlaced

You'd be looking for file mime types for a Word doc or docx.

Good luck!

'SoS', Ken
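
The trashdir triage described in the post above, as an added example that is not part of the original post: it maps a contenthash to its xx/yy/ path, flags files whose leading bytes look like a Word document, and checks that each file's SHA-1 still equals its file name before copying it out. The function names are hypothetical, `od` magic-byte matching stands in for `file -b`, and `sha1sum` from coreutils is assumed to be installed.

```shell
#!/bin/sh
# Added example: triage a Moodle filedir/trashdir tree for Word documents.
# Function names are hypothetical; run it against a copy of moodledata.

# Map a contenthash to its relative storage path: xx/yy/<contenthash>.
hash_to_relpath() {
    printf '%s/%s/%s\n' "$(printf '%s' "$1" | cut -c1-2)" \
                        "$(printf '%s' "$1" | cut -c3-4)" "$1"
}

# Classify a file by its leading magic bytes (the signal `file -b` relies on).
# OLE2 compound file = legacy .doc/.xls/.ppt; ZIP = .docx and any other zip.
magic_type() {
    sig=$(od -An -tx1 -N8 "$1" | tr -d ' \n')
    case $sig in
        d0cf11e0a1b11ae1) echo ole2 ;;
        504b0304*)        echo zip ;;
        *)                echo other ;;
    esac
}

# Check that a stored file's SHA-1 still equals its file name (the contenthash).
hash_matches_name() {
    actual=$(sha1sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$(basename "$1")" ]
}

# List candidate Word documents under a pool directory, one per line:
# <type> <verified|MISMATCH> <path>
list_word_candidates() {
    find "$1" -type f | sort | while IFS= read -r f; do
        t=$(magic_type "$f")
        [ "$t" = other ] && continue
        if hash_matches_name "$f"; then v=verified; else v=MISMATCH; fi
        printf '%s %s %s\n' "$t" "$v" "$f"
    done
}

# Copy a candidate out under a working name, read-only, leaving the pool untouched.
# usage: export_candidate <pool-file> <dest-dir> <extension>
export_candidate() {
    mkdir -p "$2" && cp -p "$1" "$2/$(basename "$1").$3" &&
        chmod a-w "$2/$(basename "$1").$3"
}
```

A `zip` hit is only a candidate: .docx shares its signature with every other ZIP-based format, so open the exported copy to confirm.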



In reply to Fernando Souza

Re: Files & Reports

by Visvanath Ratnaweera,
> Apparently there is a '.doc word file' that has been posted by only god knows who in a forum section which would prove this. The thing is my boss said he deleted the forum and that's why the file disappeared.

Your boss has destroyed evidence and asks you for an inquiry?

> This is very strange, I know...

Indeed!

Seriously, with vague information like "apparently the user is under investigation for academic misconduct" in a forum, you won't converge to any conclusion. If it is a serious matter, your boss must throw matching resources, like giving a contract to an IT forensic specialist or alerting the campus marshals.

P.S. This discussion belongs to the forum dedicated to Security and privacy.
In reply to Visvanath Ratnaweera

Re: Files & Reports

by Rick Jerz,
Good point (Your boss has destroyed evidence and asks you for an inquiry?), maybe so, but maybe not.

Perhaps what happened is that a person made a post and attached a file along with the post. An example of this might be someone who posts "I found the photo with xxx naked. Here it is." If this is the scenario, it keeps us focused on "Forums." So Visvanath, you might have helped clarify the situation.

Maybe Fernando's boss thought that the fastest way to solve the problem was to delete the post (which then also deleted the file.) The boss didn't realize he/she was deleting the evidence, and now Fernando is given the task to retrieve the post and the file. Maybe Fernando can confirm this, or provide more detail.

If the person made the post, but uploaded the file into some other generally acceptable place where files can be uploaded (I don't know where this place could be) then the problem might include a Forum and some other Moodle component.

If my idea that this problem occurred only in the forum is right, then the logstore table search could be filtered a little more, and one might want to include what the boss did.

select * from mdl_logstore_standard_log
where userid in (the user's id goes here, the boss's id goes here)
and   component = 'mod_forum'
order by timecreated desc

I think the logstore table includes enough information to filter on the topic, but I don't recall which field this is in the logstore table.
In reply to Rick Jerz

Re: Files & Reports

by Fernando Souza,
Wow! I had no idea this post would get that many replies! Thanks everybody!

Unfortunately I have very little information about the case. I don't even know what kind of misconduct it was. I'm based in Rio, the boss is in London and the situation happened there.

Ken, thanks for showing me the steps, I don't have enough database knowledge to do that, but I'll try. Also, the issue happened months ago, still in 2020, and it's only escalating now. I have very little hope that I can recover this file.

I'm now going to check all the logs from the boss account to see his steps in the mentioned period to try to see what he deleted exactly.
In reply to Fernando Souza

Re: Files & Reports

by Ken Task,

2020 event ... then too far past for anything I mentioned/described - unless one had a backup of moodledata from around the time (specific) of this event.

Something else ... have a couple of 'stories' as to how an IT person, not directly involved, could still be drawn into an official investigation ... one by Sheriff's Dept. investigating a student murdering his parents.   Others with employees of same entity where I was employed in relation to use of 'corp' EMail ... I was the email server administrator.

Might be wise to 'cya'!   What is your entity's official (HR department/Admin, etc) concerning privacy etc.?   That's a question for your consideration, not for discussion here.

'SoS', Ken