Transfer of files/folders to USB - limitations of forensics
I tried to find similar topics to this discussion and only got so far as this link
It didn't provide many answers to my question, so I am posting a new discussion piece.
I would like to know, if I were to copy a folder and/or file from a MacBook onto a USB key, is there a way in which forensics could find out (i) the date of the transfer, (ii) the size of the file and/or folder, (iii) contents of the file and/or folder. Here's the challenge, we have to assume the following (i) the files and/or folders were never opened during the transfer, (ii) the MacBook audit log settings remain on default, (iii) no surveillance technology / software was installed (e.g. keylogging) and, (iv) the timeline goes back to 1 month since the date of transfer.
I wouldn't say Macs are my area of expertise (or favourite thing), therefore willing to be corrected, but I don't believe that sort of thing is logged (certainly not in the normal/default state).
I understand the performance reasons for not tracking all activity but it would be rather nice if MS/Apple implemented logging of copying to external media by default. Would make investigations a lot easier 😉
Unified log on Macs will provide some good detail around USB usage, maybe not to the extent you're looking for but likely will answer some of your questions. Biggest pain is parsing through it because it can get big.
"Here's the challenge, we have to assume the following (i) the files and/or folders were never opened during the transfer,"
I'm not clear as to how you'd open the files during the transfer… perhaps you meant to say "after" the transfer?
"(ii) the MacBook audit log settings remain on default,"
Probably a good bet.
"(iii) no surveillance technology / software was installed (e.g. keylogging) and,"
I'm unclear as to the benefit provided by keylogging when something is dragged and dropped. If the files are copied/moved via the command line, perhaps…