
Audit on Windows Files

(@francoisseegers)
Posts: 5
Active Member
Topic starter
 

Hi All

Thanks for all the replies so far. I think a bit more information should be given. We have 5 programmers who allegedly stole the company's source code consisting of 20 000 files. This was apparently done 2 months ago, before they left to start their own firm. We have a witness but would like to validate this. There is no logging on the server on who accessed/copied or altered anything, and we only have backups for the past 15 days. We only have their computers after they've been cleaned out, deleted by them before they left. We hashed all the files and matched them with their laptops and found 15 000 of the files. Problem is they did work with and on the code, and we need concrete proof that they copied it out to CD or flash drive before we can move in on the new business. Hope it makes more sense.

 
Posted : 04/11/2005 12:43 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

techmerlin,

Could you do us all a favor? Could you write up something definitive on the contents of the HKLM/System/ControlSetxxx/Enum/IDE key? In particular, I think it would be useful if you could describe how to identify currently active devices on the system from the contents of this key, as well as how to locate devices that had been installed but since removed.

For example, under that key on my current system, I have 8 keys that point to CDs…NEC, Phillips, Samsung, etc. However, my system only has one CD (NEC), and has never had another. My system was NOT installed from a ghost image. If my system were imaged, how would I determine which device was present at the time of the imaging? How could I determine which devices had been installed, and then removed?

FrancoisSeegers,

That's much more clear now, with regards to what you're looking for, and what you have available to you. Since you've stated that you're not sure of the method used to abscond with the files in question, about all you can do is perform a methodological search. List out the possibilities, and rule them out one at a time, thoroughly, documenting all that you do. Remember, the steps that you take should be reproducible.

You'll need to check the Registry for installed devices (see above). Also check for installed software components. This may give you a clue as to which CD/DVD-writing software was used, if any.

The UserAssist key may provide you with some clues as to programs that were run.

As the system is XP, check the Prefetch directory for evidence of programs launched.

Check shortcuts/.lnk files for evidence of the external storage devices.

Don't rule out file transfers…

HTH,

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 04/11/2005 6:25 pm
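The UserAssist key Harlan mentions is a common place to look for programs a user launched on XP. As an added illustration (example code, not from any poster in this thread or from any tool they name), the block below decodes constructed UserAssist value names and data the way an examiner would when reviewing an exported hive. It assumes the XP-era layout of the Count values: the value name is ROT13-obfuscated, and the 16 bytes of data hold a session DWORD, a run-count DWORD that starts at 5, and a FILETIME of the last execution. All paths and timestamps in the sample are invented.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumption (XP layout): the stored run count starts at 5, so real count = raw - 5.
XP_COUNT_OFFSET = 5


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the sample data."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def decode_userassist_name(name):
    """UserAssist value names on XP are ROT13-obfuscated, not encrypted."""
    return codecs.decode(name, "rot_13")


def parse_userassist_value(name, data):
    """Parse one XP UserAssist\\{GUID}\\Count value into a readable record.

    Assumed 16-byte little-endian layout: DWORD session id, DWORD run count,
    64-bit FILETIME of the last execution.
    """
    if len(data) != 16:
        raise ValueError("expected 16 bytes of XP UserAssist data, got %d" % len(data))
    session, raw_count, filetime = struct.unpack("<IIQ", data)
    return {
        "name": decode_userassist_name(name),
        "session": session,
        "run_count": max(raw_count - XP_COUNT_OFFSET, 0),
        # A zero FILETIME means the entry was recorded but never executed.
        "last_run": filetime_to_datetime(filetime) if filetime else None,
    }


# Constructed sample (not from any real system). The ROT13 names are what the
# registry would hold for C:\Program Files\ExampleBurner\burner.exe, E:\setup.exe
# and the %csidl2%\Accessories shortcut folder.
SAMPLE_LAST_RUN = datetime(2005, 9, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_VALUES = [
    ("HRZR_EHACNGU:P:\\Cebtenz Svyrf\\RknzcyrOheare\\oheare.rkr",
     struct.pack("<IIQ", 1, 3 + XP_COUNT_OFFSET, datetime_to_filetime(SAMPLE_LAST_RUN))),
    ("HRZR_EHACNGU:R:\\frghc.rkr",  # a program started from a removable drive letter
     struct.pack("<IIQ", 1, 1 + XP_COUNT_OFFSET,
                 datetime_to_filetime(SAMPLE_LAST_RUN + timedelta(hours=2)))),
    ("HRZR_EHACVQY:%pfvqy2%\\Npprffbevrf",  # RUNPIDL entry: a folder opened, not a program
     struct.pack("<IIQ", 1, 0 + XP_COUNT_OFFSET, datetime_to_filetime(SAMPLE_LAST_RUN))),
]


def programs_run(values=SAMPLE_VALUES):
    """Return only the UEME_RUNPATH entries (programs actually launched), newest first."""
    records = [parse_userassist_value(n, d) for n, d in values]
    runs = [r for r in records if r["name"].startswith("UEME_RUNPATH:") and r["last_run"]]
    return sorted(runs, key=lambda r: r["last_run"], reverse=True)


if __name__ == "__main__":
    for r in programs_run():
        print(r["last_run"].isoformat(), r["run_count"], r["name"])
```

The filter on `UEME_RUNPATH` separates program launches from the other bookkeeping entries in the same key; the decoded path and last-run time are what you would correlate against Prefetch entries and the device keys discussed below in the thread.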
(@gmarshall139)
Posts: 378
Reputable Member
 

For example, under that key on my current system, I have 8 keys that point to CDs…NEC, Phillips, Samsung, etc. However, my system only has one CD (NEC), and has never had another. My system was NOT installed from a ghost image. If my system were imaged, how would I determine which device was present at the time of the imaging? How could I determine which devices had been installed, and then removed?

I agree with Harlan having found the same on my own notebook which I put together from scratch. It's still a good place to look though, just keep in mind that it's not (at least in my experience), definitive.

 
Posted : 04/11/2005 8:27 pm
techmerlin
(@techmerlin)
Posts: 62
Trusted Member
 

Harlan and Greg,

These other devices you see, what are they listed as under IDE (Disk, CdRom)? It should be the first part of the name
(e.g. CdRomQSI_CDRW/DVD_SBW-241).

Thanks

 
Posted : 07/11/2005 7:53 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

techmerlin,

Could you do us all a favor? Could you write up something definitive on the contents of the HKLM/System/ControlSetxxx/Enum/IDE key? In particular, I think it would be useful if you could describe how to identify currently active devices on the system from the contents of this key, as well as how to locate devices that had been installed but since removed.

For example, under that key on my current system, I have 8 keys that point to CDs…NEC, Phillips, Samsung, etc. Each of the eight key names begins with "CdRom". However, my system only has one CD (NEC), and has never had another installed since it's been in my possession. My system was NOT installed from a ghost image. If my system were imaged, how would I determine which device was present at the time of the imaging? How could I determine which devices had been installed, and then removed?

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 07/11/2005 7:49 pm
(@djazz)
Posts: 8
Active Member
 

FrancoisSeegers,

I think it will be very difficult to prove that they copied the data this way.
They needed the data for their work and their computers were cleaned.

The evidence you are looking for will be on the computers they are using right now. I don't know about South Africa. But you have a witness, they cleaned their computers and left together. In the Netherlands you would probably have enough to get a court order and let a process server (if this is the correct word) make an image of their current computers.

grtz

 
Posted : 08/11/2005 12:46 am
techmerlin
(@techmerlin)
Posts: 62
Trusted Member
 

Harlan,

I have been swamped lately and not had time to sit down and do a few more tests on this. Up to this point the testing I have done has shown that key to contain the relevant devices that have been present (from the OS perspective) on that system.

I have seen where the OS has detected a device or used a different driver than the true hardware that is or has been in the system, and registered the device as the device it BELIEVES it is.

What can you tell me about your system? Have you ever had a driver for the device other than the current one you are using now? Was your system built by you? Can you tell me without a doubt if it's ever been in for repair / testing or warranty where perhaps another device could have been attached?

Thanks

 
Posted : 08/11/2005 8:14 pm
nickfx
(@nickfx)
Posts: 131
Estimable Member
 

Hi chaps, I've been following this thread and although I've not had time to really test results I checked the 3 XP machines I'm running here and all 3 only show the devices I know have been attached in the HKLM/System/ControlSetxxx/Enum/USBSTOR key. One key entry was a mystery until I checked the docs on the system and it was referencing an internal usb port/driver.

I used this key recently to demonstrate that a USB hard drive had been attached to a system and so files could have been removed this way, however I am not confident to go any further than that at this stage.

If I get some time I'll have a real dig.

Nick

 
Posted : 09/11/2005 3:07 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

techmerlin,

I have seen where the OS has detected a device or used a different driver than the true hardware that is or has been in the system, and registered the device as the device it BELIEVES it is.

Sorry, this doesn't really tell me much. Was this a newly-added device, or was it a device that was already in the system, but for some reason Windows decided to use a different driver?

…have you ever had a driver for the device other than the current one you are using now?

Had? As in just have available? Sorry, but your question makes no sense.

Was your system built by you?

No, it was built by Dell. As soon as it arrived, I formatted the drive, reinstalled the operating system, updated the drivers from the CDs, and then went out to the Dell site to see if there were any other updates.

Can you tell me without a doubt if it’s ever been in for repair / testing or warranty where perhaps another device could have been attached?

Yes, I can.

Sorry folks, I was working on too many things today. Where you want to look in the registry would be

HKLM/System/ControlSetxxx/Enum/

Under that the ones you may want to pay attention to are things like USB or USBSTOR and even IDE if perhaps a user had an internal drive that is no longer present.

I'd ask you for specifics on what to look for under /Enum/IDE, but it seems that you're a bit swamped and don't have the time to respond in a more comprehensive manner. There is a lot of stuff under the /Enum/IDE key…and knowing what to look for is more important than just looking.

If someone needs to know what to look for, drop me an email.

Harlan

 
Posted : 12/11/2005 3:38 am
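Several posts above turn on what the subkeys of HKLM\System\ControlSetxxx\Enum\IDE and \Enum\USBSTOR actually look like: techmerlin's point that the device class (Disk, CdRom) is the first part of the IDE key name, Nick's use of USBSTOR to show a USB drive had been attached, and Harlan's list of Enum subkeys worth checking. The block below is an added example, not code from any poster or tool in this thread: it parses a constructed `reg export` (.reg) text of those keys into a device inventory, splitting the IDE name into class and model and the USBSTOR name into vendor, product, revision and serial. The sample key names are invented placeholders apart from the CdRomQSI_CDRW/DVD_SBW-241 name quoted by techmerlin, and the value names (FriendlyName, Class, Service, ParentIdPrefix) are the ones seen under XP instance keys. As Harlan and Greg note, Enum keeps entries for devices Windows once enumerated whether or not they are still attached, so the output is a history of enumerated devices, not a list of what is present now.

```python
import re

# Constructed sample in "reg export" (.reg) format; a real export is UTF-16 text
# and would be read with open(path, encoding="utf-16"). Device names other than
# the CdRomQSI_CDRW/DVD_SBW-241 example from the thread are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\CdRomQSI_CDRW/DVD_SBW-241______________UD13____]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\CdRomQSI_CDRW/DVD_SBW-241______________UD13____\5&1234abcd&0&0.0.0]
"FriendlyName"="QSI CDRW/DVD SBW-241"
"Class"="CDROM"
"Service"="cdrom"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\IDE\DiskEXAMPLE_HDD_MODEL_____________________1.00____\5&1234abcd&0&0.1.0]
"FriendlyName"="EXAMPLE HDD MODEL"
"Class"="DiskDrive"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Example&Prod_Flash_Drive&Rev_1.00\0123456789&0]
"FriendlyName"="Example Flash Drive USB Device"
"Class"="DiskDrive"
"ParentIdPrefix"="7&abcdef01&0"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# ...\ControlSetNNN\Enum\<bus>\<device id>\<instance id>  (only instance keys carry values)
ENUM_RE = re.compile(
    r"\\(ControlSet\d{3}|CurrentControlSet)\\Enum\\(IDE|USBSTOR)\\([^\\]+)\\([^\\]+)$",
    re.IGNORECASE,
)
IDE_ID_RE = re.compile(r"^(CdRom|Disk)(.*)$")          # class prefix, then model string
USB_ID_RE = re.compile(
    r"^(?P<cls>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$"
)


def _describe(raw):
    """Turn one raw instance-key record into a flat, readable device record."""
    rec = {
        "control_set": raw["control_set"],
        "bus": raw["bus"],
        "device_id": raw["device_id"],
        "instance_id": raw["instance_id"],
        "friendly_name": raw["values"].get("FriendlyName"),
        "class": None,
        "model": None,
    }
    if raw["bus"] == "IDE":
        m = IDE_ID_RE.match(raw["device_id"])
        if m:
            rec["class"] = m.group(1)
            # IDE names pad the model with underscores; collapse them for display.
            rec["model"] = re.sub(r"_+", " ", m.group(2)).strip()
    else:  # USBSTOR
        m = USB_ID_RE.match(raw["device_id"])
        if m:
            rec["class"] = m.group("cls")
            rec["model"] = "%s %s %s" % (m.group("ven"), m.group("prod").replace("_", " "), m.group("rev"))
        # Assumption: when a USB device reports no serial number, Windows generates an
        # instance id whose second character is "&"; otherwise the serial comes first.
        inst = raw["instance_id"]
        rec["has_serial"] = not (len(inst) > 1 and inst[1] == "&")
        rec["serial"] = inst.split("&")[0] if rec["has_serial"] else None
    return rec


def parse_enum_devices(reg_text):
    """Parse .reg text and return every IDE/USBSTOR instance key as a device record."""
    raw_devices = []
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            em = ENUM_RE.search(km.group(1))
            if em:
                current = {"control_set": em.group(1), "bus": em.group(2).upper(),
                           "device_id": em.group(3), "instance_id": em.group(4), "values": {}}
                raw_devices.append(current)
            else:
                current = None   # some other key; ignore its values
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            current["values"][vm.group(1)] = vm.group(2)
    return [_describe(d) for d in raw_devices]


if __name__ == "__main__":
    for d in parse_enum_devices(SAMPLE_REG):
        print(d["bus"], d["class"], d["model"], d.get("serial"), d["friendly_name"])
```

Running it against an export of a suspect image's SYSTEM hive gives one line per device Windows has ever enumerated on each control set; a USBSTOR entry with a real serial is the kind of artifact Nick describes, and it still has to be corroborated with .lnk files, UserAssist or Prefetch before anything is said about what was copied.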
techmerlin
(@techmerlin)
Posts: 62
Trusted Member
 

Harlan,

I am not sure your previous post had anything at all to do with the original post, or was it more trying to pick fault, taking bits and pieces from different posts?

I think everyone would like to see the answer to this, so why not enlighten us with your knowledge as it would appear you are testing everyone for an answer you claim to already have.

 
Posted : 12/11/2005 9:49 am