Transfer of files/folders to USB - limitations of forensics  

theflyingduck
(@theflyingduck)
New Member

I tried to find similar topics to this discussion and only got so far as this link

www.forensicfocus.com/...c/t=10587/

It didn't provide many answers to my question, so I am posting a new discussion piece.

I would like to know: if I were to copy a folder and/or file from a MacBook onto a USB key, is there a way in which forensics could find out (i) the date of the transfer, (ii) the size of the file and/or folder, (iii) the contents of the file and/or folder? Here's the challenge: we have to assume the following: (i) the files and/or folders were never opened during the transfer, (ii) the MacBook audit log settings remain on default, (iii) no surveillance technology / software was installed (e.g. keylogging) and, (iv) the timeline goes back 1 month since the date of transfer.
SterlinkA123

Posted : 04/02/2020 4:22 pm
jaclaz
(@jaclaz)
Community Legend

The link you posted is not working, here it is corrected
https://www.forensicfocus.com/Forums/viewtopic/t=10587/

jaclaz

Posted : 04/02/2020 4:40 pm
Rich2005
(@rich2005)
Active Member

I wouldn't say Macs are my area of expertise (or favourite thing), therefore willing to be corrected, but I don't believe that sort of thing is logged (certainly not in the normal/default state).
I understand the performance reasons for not tracking all activity but it would be rather nice if MS/Apple implemented logging of copying to external media by default. Would make investigations a lot easier 😉

Posted : 04/02/2020 4:44 pm
mcman
(@mcman)
Active Member

Unified log on Macs will provide some good detail around USB usage, maybe not to the extent you're looking for but likely will answer some of your questions. Biggest pain is parsing through it because it can get big.

Jamie

Posted : 04/02/2020 5:33 pm
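
Added example (not from any poster in this thread): one way to cut a large unified log export down to a sorted timeline of external-media events, assuming the log was exported with `log show --style ndjson`. The keyword list `USB_HINTS` and the sample records are constructed assumptions for illustration, not real macOS log messages.

```python
import json
import os
from datetime import datetime

# Assumption: substrings that suggest external-media activity; tune per case.
USB_HINTS = ("usb", "/volumes/", "diskarbitration")

# Constructed sample export (out of order, with a trailer and a junk line).
SAMPLE = '''
{"timestamp":"2020-01-10 09:15:04.500000+0000","processImagePath":"/usr/libexec/diskarbitrationd","eventMessage":"constructed sample: mounted disk2s1 at /Volumes/KEY"}
{"timestamp":"2020-01-10 09:16:00.000000+0000","processImagePath":"/usr/sbin/cfprefsd","eventMessage":"constructed sample: preferences synced"}
{"timestamp":"2020-01-10 09:15:02.000100+0000","processImagePath":"/kernel","eventMessage":"constructed sample: USB mass storage device attached"}
not json at all
{"count":3,"finished":1}
'''

FIELDS = ("eventMessage", "subsystem", "category",
          "processImagePath", "senderImagePath")

def parse_ts(value):
    # ndjson timestamps look like "2020-01-10 09:15:02.000100+0000".
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f%z")

def usb_timeline(ndjson_text, hints=USB_HINTS):
    """Return sorted (time, process, message) tuples for matching records."""
    events = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue  # skip blank lines and non-JSON noise
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated record should not abort the whole run
        if "timestamp" not in rec:
            continue  # e.g. the trailing count/finished record
        haystack = " ".join(str(rec.get(f, "")) for f in FIELDS).lower()
        if any(h in haystack for h in hints):
            proc = os.path.basename(rec.get("processImagePath", ""))
            events.append((parse_ts(rec["timestamp"]), proc,
                           rec.get("eventMessage", "")))
    return sorted(events)

if __name__ == "__main__":
    for when, proc, msg in usb_timeline(SAMPLE):
        print(when.isoformat(), proc, msg)
```
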
keydet89
(@keydet89)
Community Legend

Here's the challenge, we have to assume the following (i) the files and/or folders were never opened during the transfer,

I'm not clear as to how you'd open the files during the transfer…perhaps you meant to say "after" the transfer?

(ii) the MacBook audit log settings remain on default,

Probably a good bet.

(iii) no surveillance technology / software was installed (e.g. keylogging) and,

I'm unclear as to the benefit provided by keylogging when something is dragged and dropped. If the files are copied/moved via the command line, perhaps…

Posted : 04/02/2020 7:29 pm