Audit on Windows Files  

Djazz
(@djazz)
New Member

FrancoisSeegers,

I think it will be very difficult to prove that they copied the data this way.
They needed the data for their work and their computers were cleaned.

The evidence you are looking for will be on the computers they are using right now. I don't know about South Africa. But you have a witness: they cleaned their computers and left together. In the Netherlands you would probably have enough to get a court order and let a process server (if this is the correct word) make an image of their current computers.

grtz

Posted : 07/11/2005 11:46 pm
techmerlin
(@techmerlin)
Member

Harlan,

I have been swamped lately and not had time to sit down and do a few more tests on this. Up to this point the testing I have done has shown that key to contain the relevant devices that have been present (from the OS perspective) on that system.

I have seen where the OS has detected a device or used a different driver than the true hardware that is or has been in the system, and registered the device as the device it BELIEVES it is.

What can you tell me about your system? Have you ever had a driver for the device other than the current one you are using now? Was your system built by you? Can you tell me without a doubt if it's ever been in for repair / testing or warranty, where perhaps another device could have been attached?

Thanks

Posted : 08/11/2005 7:14 pm
nickfx
(@nickfx)
Active Member

Hi chaps, I've been following this thread and although I've not had time to really test results, I checked the 3 XP machines I'm running here and all 3 only show the devices I know have been attached in the HKLM/System/ControlSetxxx/Enum/USBSTOR key. One key entry was a mystery until I checked the docs on the system and found it was referencing an internal USB port/driver.

I used this key recently to demonstrate that a USB hard drive had been attached to a system and so files could have been removed this way, however I am not confident to go any further than that at this stage.

If I get some time I'll have a real dig.

Nick

Posted : 09/11/2005 2:07 am
keydet89
(@keydet89)
Community Legend

techmerlin,

> I have seen where the OS has detected a device or used a different driver than the true hardware that is or has been in the system, and registered the device as the device it BELIEVES it is.

Sorry, this doesn't really tell me much. Was this a newly-added device, or was it a device that was already in the system, but for some reason Windows decided to use a different driver?

> …have you ever had a driver for the device other than the current one you are using now?

Had? As in just have available? Sorry, but your question makes no sense.

> Was your system built by you?

No, it was built by Dell. As soon as it arrived, I formatted the drive, reinstalled the operating system, updated the drivers from the CDs, and then went out to the Dell site to see if there were any other updates.

> Can you tell me without a doubt if it's ever been in for repair / testing or warranty where perhaps another device could have been attached?

Yes, I can.

> Sorry folks, I was working on too many things today. Where you want to look in the registry would be
>
> HKLM/System/ControlSetxxx/Enum/
>
> Under that, the ones you may want to pay attention to are things like USB or USBSTOR, and even IDE if perhaps a user had an internal drive that is no longer present.

I'd ask you for specifics on what to look for under /Enum/IDE, but it seems that you're a bit swamped and don't have the time to respond in a more comprehensive manner. There is a lot of stuff under the /Enum/IDE key…and knowing what to look for is more important than just looking.

If someone needs to know what to look for, drop me an email.

Harlan

Posted : 12/11/2005 2:38 am
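As an added example (written for this page, not posted by anyone in the thread), the following PowerShell script walks the key techmerlin and nickfx name, HKLM\SYSTEM\ControlSetxxx\Enum\USBSTOR, plus the sibling Enum\USB key, across every ControlSet present in the hive, and reports which ControlSet is the live one from HKLM\SYSTEM\Select. It assumes the layout the USBSTOR enumerator writes: a device key such as Disk&Ven_xxx&Prod_xxx&Rev_xxx, under it one instance key per physical unit, named with the device's own serial number or, when the device reports none, a Windows-generated ID whose second character is '&'. FriendlyName, DeviceDesc and Service are values the Plug and Play manager writes under each instance; any of them may be absent.

```powershell
# Enumerate USB devices Windows has ever seen, from every ControlSet in the
# live SYSTEM hive.  Run as Administrator on the machine being examined, or
# after loading an offline SYSTEM hive under HKLM with reg.exe load.
# Assumed layout (from the USBSTOR / USB enumerators), not from the thread:
#   Enum\USBSTOR\<Disk&Ven_..&Prod_..&Rev_..>\<serial | generated-id>
#   Enum\USB\<VID_xxxx&PID_xxxx>\<serial | generated-id>

$select = Get-ItemProperty 'HKLM:\SYSTEM\Select'
'Current ControlSet: ControlSet{0:D3}   LastKnownGood: ControlSet{1:D3}' -f `
    $select.Current, $select.LastKnownGood

$controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -like 'ControlSet*' }

$rows = foreach ($cs in $controlSets) {
    foreach ($enumerator in 'USBSTOR', 'USB') {
        $base = Join-Path $cs.PSPath "Enum\$enumerator"
        if (-not (Test-Path $base)) { continue }

        foreach ($dev in Get-ChildItem $base) {
            foreach ($inst in Get-ChildItem $dev.PSPath) {
                $p  = Get-ItemProperty $inst.PSPath
                $id = $inst.PSChildName
                [pscustomobject]@{
                    ControlSet   = $cs.PSChildName
                    Enumerator   = $enumerator
                    DeviceId     = $dev.PSChildName
                    InstanceId   = $id
                    # A device that supplied no serial gets an ID like
                    # "7&2a1b3c4d&0"; the second character is '&'.
                    RealSerial   = ($id.Length -gt 1 -and $id[1] -ne '&')
                    FriendlyName = $p.FriendlyName
                    DeviceDesc   = $p.DeviceDesc
                    Service      = $p.Service
                }
            }
        }
    }
}

# Devices that appear in only one ControlSet were seen after the last boot
# that copied the current set to LastKnownGood (or only before it).
$rows | Sort-Object Enumerator, DeviceId, InstanceId, ControlSet |
    Format-Table ControlSet, Enumerator, DeviceId, InstanceId, RealSerial, FriendlyName -AutoSize
```

Two caveats a practitioner would add. The PowerShell registry provider does not expose a key's LastWrite time, which is what dates the device's first or last connection; for that, parse the hive with a tool that reads key timestamps. And, as nickfx found, an entry can belong to hardware built into the chassis (an internal hub or card reader), so each DeviceId should be reconciled against the machine's documentation before it is called a removable device.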
techmerlin
(@techmerlin)
Member

Harlan,

I am not sure your previous post had anything at all to do with the original post, or was it more trying to pick fault, taking bits and pieces from different posts?

I think everyone would like to see the answer to this, so why not enlighten us with your knowledge as it would appear you are testing everyone for an answer you claim to already have.

Posted : 12/11/2005 8:49 am
keydet89
(@keydet89)
Community Legend

techmerlin,

> …was it more trying to pick fault…

You are too quick to judge, young padawan. I was answering your questions, as I felt it was discourteous not to do so.

> …you are testing everyone for an answer you claim to already have.

Testing? Not hardly. I have no need to test. I am simply tired of posting encyclopedic information based on a good deal of time and research, testing, and verification, only to have others not do the same.

And I really don't think this forum is the place to be suggesting such things. Better that you take this sort of thing off list, don't you think?

Harlan

Posted : 12/11/2005 5:17 pm
techmerlin
(@techmerlin)
Member

keydet89

> You are too quick to judge, young padawan. I was answering your questions, as I felt it was discourteous not to do so.

Everyone has their own interpretation or 'opinion' if you will, thanks for outlining yours.

I can understand your statement about why you are not as open as some to share your information. I am not sure everyone here is out for that same purpose, but I know many of us on the board take great interest in reading others' insight and experience.

If you wish to share your insight on this I would enjoy reading it; if not, thanks for letting us know you have some insight.

Thanks

Posted : 12/11/2005 8:13 pm
Chris55728
(@chris55728)
Junior Member

All

I've done a little searching and come up with the following hits:

http://support.microsoft.com/default.aspx?scid=kb;en-us;310592

http://www.codecomments.com/Microsoft_Device_Drivers_Development/message689200.html

http://www.windowsitlibrary.com/Content/368/05/1.html - This is page 1 of 3.

Hope the above shed a bit more light on things.

Posted : 14/11/2005 2:24 pm
keydet89
(@keydet89)
Community Legend

> support.microsoft.com/...-us;310592

Interesting KB article…especially considering that I've checked 4 XP systems, 3 of which are XP Pro, and all of which are SP2+…and not one has a Registry key named "HKEY_LOCAL_MACHINE\Enum".

Harlan

Posted : 14/11/2005 5:31 pm
techmerlin
(@techmerlin)
Member

Hey all,

The registry key HKEY_LOCAL_MACHINE\Enum is a Win 95/98/ME reg key. Have a look in the MSDN library here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/install/hh/install/install-over_8f5ef1c3-94c3-48d5-8f9a-301b7f453cef.xml.asp - this is a good read on this subject.

Thanks

Posted : 14/11/2005 8:09 pm
keydet89
(@keydet89)
Community Legend

Interesting. From the KB article itself:

APPLIES TO
• Microsoft Windows XP Home Edition
• Microsoft Windows XP Professional Edition
• Microsoft Windows XP 64-Bit Edition

Harlan

Posted : 14/11/2005 11:11 pm
techmerlin
(@techmerlin)
Member

Harlan,

I agree. I am not sure who made the typo there, but that is definitely a Win 98, 95 and ME reg key. XP uses HKLM/System/ControlSetxxx/Enum/, and I also have checked 4 different XP machines today (SP1, SP2) and they are all the same.

Posted : 15/11/2005 12:24 am
FrancoisSeegers
(@francoisseegers)
New Member

Hi All,

Thanks for all the suggestions, tests that you executed and comments so far.

At present, what we found during our investigation is that all files that were possibly copied have the same "Last Accessed" date/time. We started to identify and test which applications/programs or events could have caused this to happen. We are now eliminating the events where this is impossible and will then end up with a few scenarios where this is possible.

For example, if you select all files in a directory and drag and drop them into Nero for copying and then write them to disc, this should change the last accessed date and make all last accessed dates the same.

Regarding the devices, we have identified, thanks to you all, the devices that were attached to the PCs.

I will let you all know the outcome…

FS

Posted : 15/11/2005 10:59 am
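The elimination approach FrancoisSeegers describes starts by finding which files share an identical last-accessed timestamp. As an added example (not code from any poster), the Python below walks a directory tree, buckets files by their last-accessed time to the second, and returns the clusters, largest first; it only stat()s files, never opens them, so the walk itself does not disturb the timestamps on a live mount. The directory tree it builds is constructed sample data: three "documents" are given one identical access time, mimicking a single bulk read, and two others keep distinct times. Two caveats belong with it: on Windows XP, NTFS could defer last-access updates by up to an hour, so a cluster's timestamp bounds the read rather than pinning it, and from Windows Vista onward last-access updating is disabled by default, so on those systems identical values usually mean the field was never updated at all. A cluster is also produced by any process that touches every file (antivirus scans, search indexing, a backup, or the examiner's own tools), which is exactly why each candidate event has to be tested and ruled out rather than assumed.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone


def cluster_by_last_access(root, min_size=2):
    """Walk `root` and group regular files whose last-accessed time
    (st_atime, truncated to whole seconds) is identical.

    Returns {epoch_seconds: [sorted paths]} containing only groups with at
    least `min_size` members, largest group first.  Files are stat()ed,
    never opened, so the walk does not update atime itself.
    """
    buckets = defaultdict(list)
    for dirpath, _subdirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path, follow_symlinks=False)
            buckets[int(st.st_atime)].append(path)
    ordered = sorted(buckets.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return {t: sorted(paths) for t, paths in ordered if len(paths) >= min_size}


def build_sample_tree():
    """Construct a throw-away directory tree (sample data, not evidence).

    Three files receive the same atime, as a bulk copy that read every
    file in one pass would leave; two others keep distinct, earlier atimes.
    Returns (root, the shared atime).
    """
    root = tempfile.mkdtemp(prefix="atime_demo_")
    bulk_read = 1131962400  # 2005-11-14 10:00:00 UTC, a constructed value
    layout = {
        "docs/q3_report.doc": bulk_read,
        "docs/clients.xls": bulk_read,
        "docs/pricing.pdf": bulk_read,
        "docs/readme.txt": bulk_read - 86400 * 3,
        "tmp/scratch.log": bulk_read - 3600,
    }
    for rel, atime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(rel)
        # os.utime takes (atime, mtime); mtime is set 30 days earlier so
        # the clusters are defined by access time alone.
        os.utime(path, (atime, atime - 86400 * 30))
    return root, bulk_read


if __name__ == "__main__":
    sample_root, _ = build_sample_tree()
    for when_epoch, members in cluster_by_last_access(sample_root).items():
        when = datetime.fromtimestamp(when_epoch, tz=timezone.utc)
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  ({len(members)} files)")
        for member in members:
            print("   ", os.path.relpath(member, sample_root))
```

On a real case the function would be pointed at a mounted forensic image rather than a temp directory, and the cluster's timestamp compared against the other events on the timeline (the USBSTOR key's LastWrite time, burning-software logs, logon times) before any one scenario is favoured.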
keydet89
(@keydet89)
Community Legend

FrancoisSeegers,

> Regarding the devices, we have identified, thanks to you all, the devices that were attached to the PCs.

Can you share your methodology for doing so?

H

Posted : 15/11/2005 8:37 pm