Hi All,
I would like to know (though I doubt there is any) if there is any way to find out what files were copied from a hard drive to what external media.
I would like to identify for example that files a, b and c were copied from hard drive A to external media/drive B.
We are looking into a case where an employee copied files to external media and we would like to identify which files.
OS > Windows XP
Any help will be appreciated
Thanx
Francois
What you're able to show depends on what you have…
First off, what is this "external media"? Is it a USB-connected device of some kind? You may be able to show, definitively, that the device was connected to the system.
If you have the external media, hash the files on that media, as well as the corresponding ones on the hard drive. If the hashes come out identical, then they're essentially the same files. You should be able to prove, at that point, that they were created on the system or resided on the system, and then were placed on the external media.
HTH,
H. Carvey
"Windows Forensics and Incident Recovery"
http://windowsir.blogspot.com
The date and time stamp records of the created file under consideration (if you know the file) on the external media may help you when analysing it.
Or, as suggested by H. Carvey, you may go for hash matching, but if the file under consideration is edited after copying, then the hash may not match.
Thanks Sachin & H for the quick reply,
What I forgot to mention is that they (the suspects) have the files that were copied on the external media, and we do not know what it was copied to.
The only thing we have is the files that were copied somewhere else.
Hope this makes sense; let me know if you want me to explain more.
Francois
<i>What I forgot to mention is that they (the suspects) have the files that were copied on the external media, and we do not know what it was copied to.</i>
Okay, this is starting to make less and less sense.
What, exactly, *DO* you have? An image of the suspect drive? You evidently don't have the external media, and no idea what type of "external media" that may be.
Now, I'm completely baffled at what makes you think that external media was involved at all.
I will suggest this, however…in the absence of any solid information about what you have available to examine, I'd suggest looking at shortcuts or .lnk files.
H. Carvey
"Windows Forensics and Incident Recovery"
http://windowsir.blogspot.com
We only have the suspect's drive, H.
Sorry for the confusion
Francois
> We only have the suspect's drive, H.
Sometimes it's tough to provide information when the original poster (OP) doesn't provide enough information. For example, what makes you believe that external media of *any* kind at all was used?
In an effort to address your question, I'd suggest (again) checking shortcut files. I'd also check for the presence of the GMail Drive Shell Extension, particularly if you know that the suspect has a GMail account. I'd check the contents of the Prefetch folder for evidence of alternate (as in, not to the local system) file paths.
Depending upon the type of information you're referring to (images, Word documents, Excel spreadsheets, etc.), I'd check MRU lists within the Registry, in case the suspect opened the file in the appropriate application and clicked "Save As…" from the file menu.
I hope you're now able to see my point…without more information, the possibilities could go on and on and on. I'm pretty sure that there're very few people on this (or any other list) who'd be willing to respond in such an encyclopedic manner, when it may very well be all for naught.
So…help us help you. Most of us here are very willing to help, myself included.
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
FrancoisSeegers,
You may want to try using a Registry Viewer. I think the path you want is "windows/system32/config/system/controlset/Enum/ControlSetxxx/"
This should show the various types of mounted devices for each control set and potentially give you some information on devices that may have been attached, in turn giving you some reference to search for.
techmerlin,
You may want to try using a Registry Viewer. I think the path you want is "windows/system32/config/system/controlset/Enum/ControlSetxxx/"
What are you trying to point him toward? That's not a file path that I recognize…what is it?
H. Carvey
"Windows Forensics and Incident Recovery"
windowsir.blogspot.com
Thanks Harlan,
Sorry folks, I was working on too many things today. Where you want to look in the registry would be
HKLM/System/ControlSetxxx/Enum/
Under that the ones you may want to pay attention to are things like USB or USBSTOR and even IDE if perhaps a user had an internal drive that is no longer present.
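As an added example (not code posted by anyone in this thread), here is a small Python parser for the USBSTOR subkey names found under HKLM\SYSTEM\ControlSetxxx\Enum\USBSTOR, which pulls out the vendor, product, revision and instance ID and flags whether the instance ID is a device-reported serial or one Windows generated because the device had none. The sample key paths are constructed, not taken from a real system.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample subkey paths, in the layout used under
# HKLM\SYSTEM\ControlSetxxx\Enum\USBSTOR on Windows XP (values are made up).
SAMPLE_USBSTOR_KEYS = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\0123456789ABCDEF&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_1.00\6&2a1b3c4d&0",
    r"USBSTOR\CdRom&Ven_HL-DT-ST&Prod_DVD-RW&Rev_1.01\1A2B3C4D5E6F&0",
]

# Device-descriptor subkey: <Class>&Ven_<vendor>&Prod_<product>&Rev_<revision>
DEVICE_RE = re.compile(
    r"^(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^\\]*)$"
)


@dataclass
class UsbStorEntry:
    device_class: str
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial_is_unique: bool


def parse_usbstor_key(key_path: str) -> Optional[UsbStorEntry]:
    """Parse one USBSTOR\\<descriptor>\\<instance> key path; None if malformed."""
    parts = key_path.split("\\")
    if len(parts) != 3 or parts[0].upper() != "USBSTOR":
        return None
    m = DEVICE_RE.match(parts[1])
    if not m:
        return None
    instance = parts[2]
    # The instance ID is the serial number the device reported. If the device
    # reported none, the PnP manager synthesises an ID whose second character
    # is '&' (e.g. "6&2a1b3c4d&0"), so it cannot be used to tie the key to one
    # specific physical device.
    unique = len(instance) > 1 and instance[1] != "&"
    return UsbStorEntry(m["cls"], m["ven"], m["prod"], m["rev"], instance, unique)


def parse_usbstor_keys(key_paths: List[str]) -> List[UsbStorEntry]:
    """Parse a list of key paths, dropping any that do not match the layout."""
    return [e for e in (parse_usbstor_key(k) for k in key_paths) if e is not None]


if __name__ == "__main__":
    for entry in parse_usbstor_keys(SAMPLE_USBSTOR_KEYS):
        print(entry)
```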