Any way to detect files copied from USB to USB


cybertend
Newbie
 

Any way to detect files copied from USB to USB

Posted: Feb 14, 20 18:09

Hi all, this is a project for IP theft.
I have a Windows 10 laptop w/ BitLocker encrypting the drive and a USB drive (FAT32) that I am performing analysis on now.
I took a logical image of the Win10 laptop w/ FTK as I don't have the key to decrypt it.
I also did a physical (full) drive image of the USB.

Through investigating .lnk and other data it is very obvious the subject moved a large amount of data from the corporate network drive down to his laptop then to the USB drive.

The question that came back from legal...Is there any way to tell if the USB drive containing the IP data was copied off to another system/USB drive not connected to the laptop under investigation.

The only way that I would be aware of is if the subject actually opened the files on the original USB and thus changed the "access-time" date and timestamp. A straight copy from one USB to another USB on an entirely different computer we don't have in our possession would not change anything on the original USB to indicate such, correct?

Additionally, I did see two more USB drives enumerate on the day the subject copied the data off his laptop to the USB. These were two USBs that the subject's laptop had not previously seen.

I do not see any .lnk files, shellbags or other that indicate any activity to these two USBs, not to say I am not missing something.
 
  

Bunnysniper
Senior Member
 

Re: Any way to detect files copied from USB to USB

Posted: Feb 15, 20 12:06

- cybertend
Is there any way to tell if the USB drive containing the IP data was copied off to another system/USB drive not connected to the laptop under investigation.


No, sorry. Unless you find one of the currently unknown USB drives, you can't prove that.
And regarding the two USB devices you have seen: are you sure it is a drive? Couldn't it be some kind of accessory like a mouse, keyboard or USB headset? If you don't have any lnk files from these 2 devices, the copy process could have been started via command line: xcopy.exe for example.

regards, Robin
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 
 
  

keydet89
Senior Member
 

Re: Any way to detect files copied from USB to USB

Posted: Feb 15, 20 15:33

- cybertend
Hi all, this is a project for IP theft.
I have a Windows 10 laptop w/ BitLocker encrypting the drive and a USB drive (FAT32) that I am performing analysis on now.
I took a logical image of the Win10 laptop w/ FTK as I don't have the key to decrypt it.
I also did a physical (full) drive image of the USB.

Through investigating .lnk and other data it is very obvious the subject moved a large amount of data from the corporate network drive down to his laptop then to the USB drive.


Where were the LNK files you found? On which device, within which image?

I ask, because you'd stated that the laptop image is encrypted, and when I open a file on a USB device connected to my laptop, the LNK file associated with that action appears on my laptop.

As such, with the only device image you have that is not encrypted being the image of the USB device, I'm not clear as to how an LNK file on the USB device would demonstrate what you stated above.

- cybertend

The question that came back from legal...Is there any way to tell if the USB drive containing the IP data was copied off to another system/USB drive not connected to the laptop under investigation.


...

- cybertend
The only way that I would be aware of is if the subject actually opened the files on the original USB and thus changed the "access-time" date and timestamp. A straight copy from one USB to another USB on an entirely different computer we don't have in our possession would not change anything on the original USB to indicate such, correct?


Are you sure that opening the file on the USB device is the _only_ action that would make that modification?

- cybertend
Additionally, I did see two more USB drives enumerate on the day the subject copied the data off his laptop to the USB. These were two USBs that the subject's laptop had not previously seen.


Which data source(s) are you using to identify the enumeration of the two USB drives?

- cybertend
I do not see any .lnk files, shellbags or other that indicate any activity to these two USBs, not to say I am not missing something.


Given that the Win10 laptop image is, in your words, encrypted, I'm not sure from where you're getting your data, so I feel as if there's something that's not been shared.  
 
  

cybertend
Newbie
 

Re: Any way to detect files copied from USB to USB

Posted: Feb 15, 20 17:43

Where were the LNK files you found? On which device, within which image?

I ask, because you'd stated that the laptop image is encrypted, and when I open a file on a USB device connected to my laptop, the LNK file associated with that action appears on my laptop.

As such, with the only device image you have that is not encrypted being the image of the USB device, I'm not clear as to how an LNK file on the USB device would demonstrate what you stated above.


Re
So to clarify, the Windows 10 drive is encrypted. However, I have the local Administrator account for the laptop and thus was able to get a good logical copy. Ideally I would decrypt the device but, alas, I don't have the key.
The .lnk files, shellbags and jumplists come from the logical image...recent documents.

Are you sure that opening the file on the USB device is the _only_ action that would make that modification?


Re
Well, there are other things that could modify dates/times for files, however I am fairly sure that a copy action does not modify any date/time stamps of the files. But this is why I am posting here as I was hoping to be enlightened as to something I may be missing that would indicate a copy had been made.

Which data source(s) are you using to identify the enumeration of the two USB drives?


Re
The Windows 10 logical image I was able to get after logging into the Windows 10 box with Administrator rights.


Given that the Win10 laptop image is, in your words, encrypted, I'm not sure from where you're getting your data, so I feel as if there's something that's not been shared.

Re
Yes apologies, I should have explained a bit further on obtaining the logical image of the Windows 10 laptop logged in as Administrator.

No, sorry. Unless you find one of the currently unknown USB drives, you can't prove that.
And regarding the two USB devices you have seen: are you sure it is a drive? Couldn't it be some kind of accessory like a mouse, keyboard or USB headset? If you don't have any lnk files from these 2 devices, the copy process could have been started via command line: xcopy.exe for example.

regards, Robin


Re
Thanks Robin and agree, the USB devices certainly could be accessories.  
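The access-time question in the posts above (whether a plain copy can leave any trace on the FAT32 stick) turns on what the stick can even record. The following added example, not from the thread or any tool mentioned in it, decodes the three timestamps of a FAT short directory entry from a constructed 32-byte sample (not an entry from the imaged drive) to show that creation and last-write carry a time of day while last-access is stored as a date only.

```python
import struct
from datetime import date, datetime, timedelta

# Layout of a 32-byte FAT short directory entry, little-endian:
# name(11) attr(1) ntres(1) crt_tenth(1) crt_time(2) crt_date(2) acc_date(2)
# clus_hi(2) wrt_time(2) wrt_date(2) clus_lo(2) size(4)
ENTRY_FMT = "<11sBBBHHHHHHHI"

def _fat_date(raw):
    """16-bit FAT date: bits 15-9 = years since 1980, 8-5 = month, 4-0 = day."""
    year, month, day = 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F
    return date(year, month, day) if month and day else None   # 0 = never set

def _fat_time(raw, tenths=0):
    """16-bit FAT time: bits 15-11 = hours, 10-5 = minutes, 4-0 = seconds/2.
    `tenths` is the 10 ms refinement byte (0-199) that only the creation stamp has."""
    return timedelta(hours=raw >> 11, minutes=(raw >> 5) & 0x3F,
                     seconds=(raw & 0x1F) * 2 + tenths // 100,
                     milliseconds=(tenths % 100) * 10)

def _stamp(fat_date, fat_time, tenths=0):
    d = _fat_date(fat_date)
    return datetime.combine(d, datetime.min.time()) + _fat_time(fat_time, tenths) if d else None

def parse_dir_entry(entry: bytes) -> dict:
    """Decode one short (8.3) directory entry into name, size and its three timestamps."""
    (name, attr, _nt, crt_tenth, crt_time, crt_date, acc_date,
     clus_hi, wrt_time, wrt_date, clus_lo, size) = struct.unpack(ENTRY_FMT, entry)
    base, ext = name[:8].decode("ascii").rstrip(), name[8:].decode("ascii").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "attr": attr,
        "size": size,
        "first_cluster": (clus_hi << 16) | clus_lo,
        "created": _stamp(crt_date, crt_time, crt_tenth),   # 10 ms resolution
        "written": _stamp(wrt_date, wrt_time),              # 2 s resolution
        # Last access is a DATE only: FAT has no field for the time of day of a read,
        # so the most a read of this file could leave on the stick is the day it happened.
        "accessed": _fat_date(acc_date),
    }

# Constructed sample entry (not from the thread's image): POLICY.DOC, 4,096 bytes,
# created 2019-12-23 10:15:30.50, last written 2020-01-02 09:30:00, last accessed 2020-01-02.
SAMPLE_ENTRY = struct.pack(ENTRY_FMT, b"POLICY  DOC", 0x20, 0, 50,
                           0x51EF, 0x4F97, 0x5022, 0, 0x4BC0, 0x5022, 5, 4096)

if __name__ == "__main__":
    for k, v in parse_dir_entry(SAMPLE_ENTRY).items():
        print(f"{k:14} {v}")
```

Run it over the raw directory clusters of an imaged FAT32 volume (32 bytes at a time, skipping long-name entries with attribute 0x0F) to tabulate the same fields for every file.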
 
  

Cults14
Senior Member
 

Re: Any way to detect files copied from USB to USB

Posted: Feb 17, 20 16:56

- cybertend
Through investigating .lnk and other data it is very obvious the subject moved a large amount of data from the corporate network drive down to his laptop then to the USB drive.


How can you tell solely from LNK that data was moved? To me, moved implies not leaving the original in place - do you mean copied?

What do you mean by "a large amount of data"? "Lots" of files? Or a few very big ones? IP theft is my main focus, I've not seen many systems (maybe even any) where there are lots of LNK files that point to external media - a good few, sure, and it may suggest that a large amount of data was moved but it's not enough to make it "very obvious".

I'm not denying that there are artefacts (e.g. Shellbags) which could support your claim, but personally I don't see LNK files on their own being sufficient evidence except in the case of specific files.

HTH

Peter  
 
  

watcher
Senior Member
 

Re: Any way to detect files copied from USB to USB

Posted: Feb 17, 20 23:24

- cybertend
... So to clarify, the Windows 10 drive is encrypted. However, I have the local Administrator account for the laptop and thus was able to get a good logical copy. Ideally I would decrypt the device but, alas, I don't have the key....


Can't you obtain the recovery key via "manage-bde" ?  
 
  

cybertend
Newbie
 

Re: Any way to detect files copied from USB to USB

Posted: Feb 18, 20 01:37

How can you tell solely from LNK that data was moved? To me, moved implies not leaving the original in place - do you mean copied?

What do you mean by "a large amount of data"? "Lots" of files? Or a few very big ones? IP theft is my main focus, I've not seen many systems (maybe even any) where there are lots of LNK files that point to external media - a good few, sure, and it may suggest that a large amount of data was moved but it's not enough to make it "very obvious".

I'm not denying that there are artefacts (e.g. Shellbags) which could support your claim, but personally I don't see LNK files on their own being sufficient evidence except in the case of specific files.

HTH

Peter


RE:
Thanks Peter for the response. I did mean copy, not move...big difference. The large amount of data was ~2,000 files, smaller files around policies/procedures/customer lists/and a few patent-pending files as well.

I have two sources to support the claim of this file copy. From the laptop, the subject initially copied these files to the laptop desktop from a network mapped drive. This was ~23rd of December. On January 2nd, the subject's last day, these same files were copied to a Verbatim USB stick. My two sources on this are 1) LNK files were created; agree I don't always see this, so shellbags help. 2) The company has DLP deployed on all the laptops; when the subject copied all the files to the Verbatim, a DLP alarm triggered and IT sent an email to him (he had already left) and my CISO contact. We got the Verbatim back and, after an image of the USB stick, verified the files contained on the Verbatim were in fact the ones that IT had raised a concern about from the DLP alarm.

Now, that same day, 3 new USB devices were inserted for the first time. Windows marked these as storage devices. I am not showing any files (LNK, Shellbag or otherwise) were copied to these three devices. One was a brand-name SanDisk. The other two were Alcor Micro Corp. and Chipsbank Microelectronics Co., Ltd (Windows listed a generic flash disk).

What is raising the hairs on the back of my neck is that this is a Swiss-based pharma company, and the subject is going to work for a Chinese competitor. Subject traveled to China Sept 1 for the purposes of an on-site interview. Subject did take the laptop in question to China. I don't show any activity besides the subject firing up a Netflix movie on a date/time that would put the subject on an airplane back to the USA.




Can't you obtain the recovery key via "manage-bde" ?

RE:
Thanks watcher, I will give that a shot.  
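For the "which data source" question and the three first-seen USB storage devices described in the post above, an added example (not from the thread or any tool it names) that pulls the earliest hardware-initiated install time of each USBSTOR device out of a setupapi.dev.log excerpt. The log text, device names and serials below are constructed for illustration, not taken from the case.

```python
import re
from datetime import datetime

# Constructed excerpt in the shape of C:\Windows\INF\setupapi.dev.log (hypothetical
# device strings, serials and times; nothing here is taken from the thread's image).
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530001230320115002&0]
>>>  Section start 2020/01/02 14:03:21.437
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p
<<<  Section end 2020/01/02 14:03:22.891
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_046D&PID_C52B\\5&2a1b3c4d&0&2]
>>>  Section start 2020/01/02 14:05:02.010
<<<  Section end 2020/01/02 14:05:02.300
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\ABCDEF0123456789&0]
>>>  Section start 2020/01/02 14:41:09.118
<<<  Section end 2020/01/02 14:41:10.002
<<<  [Exit status: SUCCESS]
"""

# Header of a hardware-initiated install section for a USB mass-storage device;
# the "Section start" line that follows carries the local timestamp.
HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (USBSTOR\\[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")

def usbstor_first_installs(log_text: str) -> list:
    """One record per USBSTOR device (keyed by serial) with the earliest install
    time in the log, i.e. the first time Windows saw that stick."""
    seen, pending = {}, None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.group(1)          # non-USBSTOR sections (mice, hubs) never set this
            continue
        m = START.match(line)
        if not (m and pending):
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
        _, ident, instance = pending.split("\\", 2)
        fields = dict(kv.split("_", 1) for kv in ident.split("&")[1:])   # Ven / Prod / Rev
        serial = instance.split("&")[0]
        rec = {"serial": serial, "vendor": fields.get("Ven", ""),
               "product": fields.get("Prod", ""), "first_install": ts}
        if serial not in seen or ts < seen[serial]["first_install"]:
            seen[serial] = rec
        pending = None
    return sorted(seen.values(), key=lambda r: r["first_install"])

if __name__ == "__main__":
    for r in usbstor_first_installs(SAMPLE_LOG):
        print(f'{r["first_install"]}  {r["vendor"]} {r["product"]}  serial={r["serial"]}')
```

Cross-check the serials against SYSTEM\CurrentControlSet\Enum\USBSTOR in the logical image; the log gives the first-install time, the hive gives the device's later connection history.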