Audit on Windows Files  

FrancoisSeegers
(@francoisseegers)
New Member

Hi All,

I would like to know (I doubt there is) if there is any way to find out what files were copied from a hard drive to which external media.

I would like to identify for example that files a, b and c were copied from hard drive A to external media/drive B.

We are looking into a case where an employee copied files to external media and we would like to identify which files.

OS > Windows XP

Any help will be appreciated

Thanx
Francois

Posted : 03/11/2005 3:09 pm
keydet89
(@keydet89)
Community Legend

What you're able to show depends on what you have…

First off, what is this "external media"? Is it a USB-connected device of some kind? You may be able to show, definitively, that the device was connected to the system.

If you have the external media, hash the files on that media, as well as the corresponding ones on the hard drive. If the hashes come out identical, then they're essentially the same files. You should be able to prove, at that point, that they were created on the system or resided on the system, and then were placed on the external media.

HTH,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 03/11/2005 4:10 pm
sachin
(@sachin)
Junior Member

The date and time stamps of the file under consideration (if you know the file) on the external media may help you if you analyse them.
Or, as suggested by H. Carvey, you may go for hash matching, but if the file under consideration is edited after copying then the hashes may not match.

Posted : 03/11/2005 4:47 pm
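The hash-matching approach H. Carvey describes, together with the caveat sachin raises (an edited copy no longer hashes the same), as an added example that is not code from any of the posters. It builds two small constructed directory trees in a temporary folder standing in for the server's source tree and a suspect's drive, hashes every file with SHA-256, reports exact-content matches (renamed or moved copies still match, because only the bytes are compared) with each matched file's timestamps, and lists copy-side files that have no identical source file, which is exactly what an edited copy looks like.

```python
"""Hash-match a source tree against a suspected copy tree.

Added example for this thread, not code from any of the posters.  The two
directory trees are constructed in a temporary folder so the script runs
offline; point match_trees() at real mounted images instead.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 16):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root):
    """Map digest -> sorted list of paths (relative to root, '/'-separated)."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            index.setdefault(sha256_file(full), []).append(rel)
    for paths in index.values():
        paths.sort()
    return index


def file_times(path):
    """Modification and metadata-change times as ISO-8601 UTC strings."""
    st = os.stat(path)
    return {
        "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "changed": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
    }


def match_trees(source_root, copy_root):
    """Compare two trees by content only.

    Returns (matches, unmatched): matches is a sorted list of
    (source_rel_path, copy_rel_path, digest) for byte-identical files;
    unmatched lists copy-side files with no identical source file, which
    is what a copy edited after it was taken looks like.
    """
    source_index = hash_tree(source_root)
    copy_index = hash_tree(copy_root)
    matches, unmatched = [], []
    for digest, copy_paths in copy_index.items():
        if digest in source_index:
            for src in source_index[digest]:
                for cpy in copy_paths:
                    matches.append((src, cpy, digest))
        else:
            unmatched.extend(copy_paths)
    return sorted(matches), sorted(unmatched)


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def build_sample():
    """Constructed sample: three source files; the copy side holds one exact
    copy, one moved exact copy and one copy edited after it was taken."""
    base = tempfile.mkdtemp(prefix="hashmatch_")
    source = os.path.join(base, "server_src")
    copy = os.path.join(base, "suspect_drive")
    _write(source, "a.c", b"int a(void) { return 1; }\n")
    _write(source, "b.c", b"int b(void) { return 2; }\n")
    _write(source, "c.c", b"int c(void) { return 3; }\n")
    _write(copy, "a.c", b"int a(void) { return 1; }\n")                        # identical
    _write(copy, "b.c", b"int b(void) { return 2; } /* edited */\n")           # edited: no hash match
    _write(copy, os.path.join("proj", "c.c"), b"int c(void) { return 3; }\n")  # moved, identical
    return source, copy


def demo():
    source, copy = build_sample()
    matches, unmatched = match_trees(source, copy)
    for src, cpy, digest in matches:
        print(f"MATCH {digest[:12]}  {src} == {cpy}  {file_times(os.path.join(copy, cpy))}")
    for cpy in unmatched:
        print(f"NO MATCH (edited or unrelated): {cpy}")
    return matches, unmatched


if __name__ == "__main__":
    demo()
```

Record the digests and timestamps as you go; a hash match shows identical content on both sides but not the direction or date of the copy, which is why the timestamps are printed alongside.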
FrancoisSeegers
(@francoisseegers)
New Member

Thanks Sachin & H for the quick reply,

What I forgot to mention is that they (the suspects) have the files that were copied on the external media, and we do not know what they were copied to.

The only thing we have is the files that were copied somewhere else.

Hope this makes sense; let me know if you want me to explain more.

Francois

Posted : 03/11/2005 5:35 pm
keydet89
(@keydet89)
Community Legend

> What I forgot to mention is that they (the suspects) have the files that were copied on the external media, and we do not know what they were copied to.

Okay, this is starting to make less and less sense.

What, exactly, *DO* you have? An image of the suspect drive? You evidently don't have the external media, and no idea what type of "external media" that may be.

Now, I'm completely baffled at what makes you think that external media was involved at all.

I will suggest this, however…in the absence of any solid information about what you have available to examine, I'd suggest looking at shortcuts or .lnk files.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 03/11/2005 6:27 pm
FrancoisSeegers
(@francoisseegers)
New Member

We only have the suspect's drive H.

Sorry for the confusion

Francois

Posted : 03/11/2005 6:49 pm
keydet89
(@keydet89)
Community Legend

> We only have the suspect's drive H.

Sometimes it's tough to provide information when the original poster (OP) doesn't provide enough information. For example, what makes you believe that external media of *any* kind at all was used?

In an effort to address your question, I'd suggest (again) checking shortcut files. I'd also check for the presence of the GMail Drive Shell Extension, particularly if you know that the suspect has a GMail account. I'd check the contents of the Prefetch folder for evidence of alternate (as in, not to the local system) file paths.

Depending upon the type of information you're referring to (images, Word documents, Excel spreadsheets, etc.), I'd check MRU lists within the Registry, in case the suspect opened the file in the appropriate application and clicked "Save As…" from the file menu.

I hope you're now able to see my point…without more information, the possibilities could go on and on and on. I'm pretty sure that there're very few people on this (or any other list) who'd be willing to respond in such an encyclopedic manner, when it may very well be all for naught.

So…help us help you. Most of us here are very willing to help, myself included.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

Posted : 03/11/2005 7:24 pm
techmerlin
(@techmerlin)
Member

FrancoisSeegers,

You may want to try using a Registry Viewer. I think the path you want is "windows/system32/config/system/controlset/Enum/ControlSetxxx/"

This should show the various types of mounted devices for each control set and potentially give you some information on devices that may have been attached, in turn giving you some reference to search for.

Posted : 03/11/2005 8:24 pm
keydet89
(@keydet89)
Community Legend

techmerlin,

> You may want to try using a Registry Viewer. I think the path you want is "windows/system32/config/system/controlset/Enum/ControlSetxxx/"

What are you trying to point him toward? That's not a file path that I recognize…what is it?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

Posted : 03/11/2005 11:22 pm
techmerlin
(@techmerlin)
Member

Thanks Harlan,

Sorry folks, I was working on too many things today. Where you want to look in the registry would be

HKLM/System/ControlSetxxx/Enum/

Under that the ones you may want to pay attention to are things like USB or USBSTOR and even IDE if perhaps a user had an internal drive that is no longer present.

Posted : 04/11/2005 6:49 am
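A worked example of reading the USBSTOR subkeys techmerlin points at, added here and not tooling from any of the posters. It assumes the SYSTEM hive from the suspect's drive has been exported as regedit text (the "Windows Registry Editor Version 5.00" format; on a dead image you would load the hive in a registry viewer first, or use a hive parser). The export below is constructed, not from a real case. Each device key is named `<Type>&Ven_<vendor>&Prod_<product>&Rev_<revision>` with one subkey per device instance; the parser pulls those fields out, keeps the `FriendlyName` and `ParentIdPrefix` values, and flags instance IDs whose second character is `&`, which Windows generates when the device reported no unique serial number.

```python
"""List USB storage devices recorded under Enum\\USBSTOR in a .reg export.

Added example for this thread, not the posters' own tooling.  Input is
regedit text; SAMPLE_REG below is constructed for demonstration.
"""
import re

# Key: HKLM\SYSTEM\ControlSetNNN\Enum\USBSTOR\<Type>&Ven_<v>&Prod_<p>&Rev_<r>\<instance>
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?P<cs>ControlSet\d{3})\\Enum\\USBSTOR\\"
    r"(?P<type>[^&\\]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^\\]*)\\"
    r"(?P<inst>[^\\\]]+)\]$"
)
# .reg string values look like "Name"="Value"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Constructed sample export (not from a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\0123456789ABCDEF&0]
"Class"="DiskDrive"
"FriendlyName"="SanDisk Cruzer USB Device"
"ParentIdPrefix"="7&1a2b3c4d&0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\CdRom&Ven_Generic&Prod_DVDRW&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\CdRom&Ven_Generic&Prod_DVDRW&Rev_1.00\5&2f3e4d5c&0&1]
"Class"="CDROM"
"FriendlyName"="Generic DVDRW USB Device"
"""


def parse_usbstor(reg_text):
    """Return one dict per USBSTOR device instance found in the export."""
    devices = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            if m:
                inst = m.group("inst")
                current = {
                    "control_set": m.group("cs"),
                    "device_type": m.group("type"),
                    "vendor": m.group("ven"),
                    "product": m.group("prod"),
                    "revision": m.group("rev"),
                    "instance_id": inst,
                    # A '&' as the second character marks a Windows-generated
                    # instance ID: the device did not report a unique serial.
                    "serial_reported": len(inst) > 1 and inst[1] != "&",
                    "values": {},
                }
                devices.append(current)
            else:
                current = None  # some other key; its values are not ours
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current["values"][m.group("name")] = m.group("value")
    return devices


def describe(dev):
    serial = dev["instance_id"] if dev["serial_reported"] else "(no serial reported)"
    return (f"{dev['control_set']} {dev['device_type']} {dev['vendor']} {dev['product']} "
            f"rev {dev['revision']} serial {serial} "
            f"name={dev['values'].get('FriendlyName', '?')}")


if __name__ == "__main__":
    for d in parse_usbstor(SAMPLE_REG):
        print(describe(d))
```

Run it against every ControlSetNNN present in the hive, not just the current one, since an older control set can still hold a device the current one has lost.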
FrancoisSeegers
(@francoisseegers)
New Member

Hi All

Thanx 4 all the replies so far. I think a bit more information should be given. We have 5 programmers who allegedly stole the company's source code consisting of 20 000 files. This was apparently done 2 months ago, before they left to start their own firm. We have a witness but would like to validate this. There is no logging on the server of who accessed/copied or altered anything, and we only have backups for the past 15 days. We only have their computers after they had been cleaned out, deleted by them before they left. We hashed all the files and matched them with their laptops and found 15 000 of the files. Problem is they did work with and on the code and we need concrete proof that they copied it out to CD or flash drive before we can move in on the new business. Hope it makes more sense.

Posted : 04/11/2005 11:43 am
keydet89
(@keydet89)
Community Legend

techmerlin,

Could you do us all a favor? Could you write up something definitive on the contents of the HKLM/System/ControlSetxxx/Enum/IDE key? In particular, I think it would be useful if you could describe how to identify currently active devices on the system from the contents of this key, as well as how to locate devices that had been installed but since removed.

For example, under that key on my current system, I have 8 keys that point to CDs…NEC, Phillips, Samsung, etc. However, my system only has one CD (NEC), and has never had another. My system was NOT installed from a ghost image. If my system were imaged, how would I determine which device was present at the time of the imaging? How could I determine which devices had been installed, and then removed?

FrancoisSeegers,

That's much more clear now, with regards to what you're looking for, and what you have available to you. Since you've stated that you're not sure of the method used to abscond with the files in question, about all you can do is perform a methodological search. List out the possibilities, and rule them out one at a time, thoroughly, documenting all that you do. Remember, the steps that you take should be reproducible.

You'll need to check the Registry for installed devices (see above). Also check for installed software components. This may give you a clue as to which CD/DVD-writing software was used, if any.

The UserAssist key may provide you with some clues as to programs that were run.

As the system is XP, check the Prefetch directory for evidence of programs launched.

Check shortcuts/.lnk files for evidence of the external storage devices.

Don't rule out file transfers…

HTH,

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

Posted : 04/11/2005 5:25 pm
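The UserAssist key Carvey mentions above records programs launched through Explorer, which is one way to check whether CD-writing or other transfer software was run. As an added example that is not code from any of the posters: on Windows XP the value names under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count` are ROT13-encoded and each value is 16 little-endian bytes (4-byte session id, 4-byte run counter that XP starts at 5, 8-byte FILETIME of the last run). The entries below are constructed, including the program paths; later Windows versions use a different value layout, so this decoder is XP-specific.

```python
"""Decode Windows XP UserAssist entries (ROT13 names, 16-byte values).

Added example for this thread, not code from the thread's posters.  The
SAMPLE_ENTRIES are constructed: plain names were ROT13-encoded by hand and
the values packed with the XP layout described above.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNTER_BASE = 5  # XP initialises the run counter at 5, so runs = counter - 5


def filetime_to_datetime(filetime):
    """100-ns ticks since 1601-01-01 UTC -> aware datetime (None for 0)."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_entry(encoded_name, data):
    """Decode one XP UserAssist value name/data pair."""
    if len(data) != 16:
        raise ValueError(f"expected 16-byte XP UserAssist value, got {len(data)}")
    session, counter, filetime = struct.unpack("<IIQ", data)
    last_run = filetime_to_datetime(filetime)
    return {
        "name": codecs.decode(encoded_name, "rot13"),
        "session": session,
        "run_count": max(counter - XP_COUNTER_BASE, 0),
        "last_run": last_run.isoformat() if last_run else None,
    }


def decode_all(entries):
    """Decode a {value_name: value_bytes} mapping in registry order."""
    return [decode_entry(name, data) for name, data in entries.items()]


# Constructed sample values (not from a real system).
SAMPLE_ENTRIES = {
    # "UEME_RUNPATH:D:\Tools\burn.exe": run 3 times, last on 2005-09-06 14:30:00 UTC
    "HRZR_EHACNGU:Q:\\Gbbyf\\ohea.rkr": struct.pack("<IIQ", 1, 8, 127704906000000000),
    # "UEME_RUNPATH:E:\Setup\cdwriter.exe": run once, last on 2005-09-04 09:00:00 UTC
    "HRZR_EHACNGU:R:\\Frghc\\pqjevgre.rkr": struct.pack("<IIQ", 1, 6, 127702980000000000),
}


if __name__ == "__main__":
    for entry in decode_all(SAMPLE_ENTRIES):
        print(f"{entry['run_count']:>3} runs  last {entry['last_run']}  {entry['name']}")
```

Entries whose decoded name starts with `UEME_RUNPATH:` carry a program path; a drive letter that does not exist on the imaged system is itself a lead worth following up under the USBSTOR and mounted-devices checks discussed earlier in the thread.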
gmarshall139
(@gmarshall139)
Active Member

> For example, under that key on my current system, I have 8 keys that point to CDs…NEC, Phillips, Samsung, etc. However, my system only has one CD (NEC), and has never had another. My system was NOT installed from a ghost image. If my system were imaged, how would I determine which device was present at the time of the imaging? How could I determine which devices had been installed, and then removed?

I agree with Harlan having found the same on my own notebook which I put together from scratch. It's still a good place to look though, just keep in mind that it's not (at least in my experience), definitive.

Posted : 04/11/2005 7:27 pm
techmerlin
(@techmerlin)
Member

Harlan and Greg,

These other devices you see: what are they listed as under IDE (Disk, CdRom)? It should be the first part of the name
(e.g. CdRomQSI_CDRW/DVD_SBW-241).

Thanks

Posted : 07/11/2005 6:53 am
keydet89
(@keydet89)
Community Legend

techmerlin,

Could you do us all a favor? Could you write up something definitive on the contents of the HKLM/System/ControlSetxxx/Enum/IDE key? In particular, I think it would be useful if you could describe how to identify currently active devices on the system from the contents of this key, as well as how to locate devices that had been installed but since removed.

For example, under that key on my current system, I have 8 keys that point to CDs…NEC, Phillips, Samsung, etc. Each of the eight key names begins with "CdRom". However, my system only has one CD (NEC), and has never had another installed since it's been in my possession. My system was NOT installed from a ghost image. If my system were imaged, how would I determine which device was present at the time of the imaging? How could I determine which devices had been installed, and then removed?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

Posted : 07/11/2005 6:49 pm