Hi All,
Is there a way to determine if files on a computer were copied over to external drive?
No. Using a default set-up of XP for example, no record is made or kept of what has been copied.
There are a lot of caveats and ifs involved here, but there may be indirect ways to infer that files have been copied to an external drive.
For example, if the device was a USB drive, you could look in the registry at the lastwrite times for the USBSTOR keys and see if any correspond to the last access times for the files in question.
If a USB device was inserted into the computer and then a number of files were copied to it, these are two values that should change at approximately the same time.
This might work particularly well if the user copied a large number of files (i.e. folders worth) to an external USB and never used that USB device again on the computer.
Of course lots of things change file access times. If the same USB was used later on that computer, its USBSTOR registry key's lastwrite time would change too.
Then again, you could always look at the registry key times in the restore points.
Not really my field of expertise however, so I hope I haven't said anything too stupid…
If there was a mass copy, you will see a lot of files with the same last access time. As stated by erowe, look at the registry to see what USB devices have been attached to the computer. It will only show the first time a USB device was attached.
If there was a mass copy, you will see a lot of files with the same last access time.
Not if it was a thumb drive, as it'll be formatted with FAT which cannot record last access times, only last access dates.
Also the inferences here and above assume the examiner would be in possession of the USB drive as well as the computer, which is very rarely the case in most situations (such as IP theft) where evidence of copying files to an external drive is required.
Yup…
Lots of assumptions here.
I was mostly asking myself what would I see on the most common OS & file system (XP & NTFS) if someone had copied files to the most likely of portable devices (USB thumb drive).
Access times on the files would be the tip off that they had been copied out.
A USBSTOR entry in the registry with approximately the same time would suggest that buddy popped in his thumb drive (for the first time) to copy the files.
Then, if you can get a search warrant, you might be able to find his thumb drive and link it to the USBSTOR entry through the info in the entry (friendly name, hardware ID, serial number related info, etc.) - even if the data was no longer on the USB.
Here's a link to the USB history page at the Forensic Wiki
Access times on the files would be the tip off that they had been copied out.
Access times on a file tell you when it was accessed…not when it was copied. There are lots of things that go on on a Windows system…doing a search of last access times will likely show a number of files accessed within a certain time window, the majority of which were never copied or even accessed by the user; they were likely accessed by the OS.
A USBSTOR entry in the registry with approximately the same time would suggest that buddy popped in his thumb drive (for the first time) to copy the files.
Actually, that's not the case…please refer to the link to the Forensic Wiki that you provided in your post. Within that Wiki entry, you'll see the following in reference to two GUID Registry keys beneath the DeviceClasses key:
"To determine when the device was last connected to the system, obtain the LastWrite time value from the respective Disk and Volume GUID Registry keys for the device."
Hope that helps.
keydet89, based on your last post, is it not true that if you see that there are, let's say, 100 files showing a last accessed date from the same day and the time from 1:00 PM to 1:02 PM, that you could say that the files were copied or moved to another location?
As for the USB device, I thought that you could only see the first instance of when the USB device was attached in the registry.
You could say that it is a "likely scenario" that the files had been copied, but performing a file copy isn’t the only thing that can change access dates in a continuous order.
If you can match the times up with other evidence such as registry entries, then that will help re-enforce the findings.
When you only have the source disk, keep in mind you're working from the negative. Saying definitively that something has been copied if you don't have access to the target disk or any other supporting information would be very dangerous IMO.
keydet89 is right in that the registry only stores the LAST date/time the USB device was attached, through the last modification date of the registry keys.
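The correlation the thread keeps coming back to (a burst of near-identical last-access times on the source disk, checked against the LastWrite time of the device's registry keys) can be scripted once the timestamps have been pulled from the image. The script below is an added example, not code from any poster; the file access times, key names and LastWrite values are constructed sample data, and the 30-second gap, 20-file minimum and 5-minute tolerance are assumed thresholds an examiner would tune. It reports overlap only, in line with the "likely scenario" caveat above: a burst can just as easily be OS activity, so the output is a lead to corroborate, not a finding.

```python
from datetime import datetime, timedelta

# Constructed sample: NTFS last-access times for files on the source disk.
# 100 documents touched 13:00-13:01:39 sit among unrelated OS activity.
BASE = datetime(2009, 3, 10, 13, 0, 0)
FILE_ATIMES = {f"C:\\Docs\\design_{i:03}.dwg": BASE + timedelta(seconds=i)
               for i in range(100)}
FILE_ATIMES.update({
    r"C:\Windows\Prefetch\EXPLORER.EXE-ABC.pf": BASE - timedelta(hours=3),
    r"C:\Windows\system32\shell32.dll": BASE - timedelta(hours=2, minutes=50),
    r"C:\Docs\notes.txt": BASE + timedelta(days=1),
})

# Constructed LastWrite times for the per-device keys an examiner would
# pull from USBSTOR (or the Disk/Volume GUID keys under DeviceClasses).
REG_LASTWRITE = {
    r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler\0013724C": BASE + timedelta(seconds=40),
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer\3D4A55": BASE - timedelta(days=12),
}

def find_access_bursts(atimes, gap=timedelta(seconds=30), min_files=20):
    """Group sorted access times where consecutive gaps are <= `gap`;
    return (start, end, count) for groups of at least `min_files` files."""
    times = sorted(atimes.values())
    bursts, start, prev, count = [], None, None, 0
    for t in times:
        if prev is None or t - prev > gap:      # new group starts here
            if count >= min_files:
                bursts.append((start, prev, count))
            start, count = t, 0
        count += 1
        prev = t
    if count >= min_files:                      # flush the final group
        bursts.append((start, prev, count))
    return bursts

def correlate(bursts, reg_lastwrite, tolerance=timedelta(minutes=5)):
    """Pair each burst with registry keys whose LastWrite falls inside the
    burst window widened by `tolerance`. Returns [((start, end, n), [keys])]."""
    hits = []
    for start, end, count in bursts:
        keys = [k for k, lw in reg_lastwrite.items()
                if start - tolerance <= lw <= end + tolerance]
        hits.append(((start, end, count), keys))
    return hits

if __name__ == "__main__":
    for (start, end, n), keys in correlate(find_access_bursts(FILE_ATIMES), REG_LASTWRITE):
        print(f"{n} files accessed {start:%H:%M:%S}-{end:%H:%M:%S}; "
              f"device keys written in window: {keys or 'none'}")
```

Because a key's LastWrite reflects the most recent connection, a device plugged in again after the copy will no longer line up with the burst; the restore-point copies of the hive mentioned earlier are the place to recover the earlier value.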