Good morning/afternoon!
Need a spot of help here…first, are any registry entries detailing date and time made when a user plugs in a digital camera via USB and the vendor's software begins to download the images?
2nd, is there a way to determine if everything placed in a folder on a Windows XP Pro OS PC is going to be encrypted, or if each file was encrypted individually?
Thanks for any help!
Chris
Need a spot of help here…first, are any registry entries detailing date and time made when a user plugs in a digital camera via USB and the vendor's software begins to download the images?
Other than USBSTOR?
2nd, is there a way to determine if everything placed in a folder on a Windows XP Pro OS PC is going to be encrypted, or if each file was encrypted individually?s
Just from general practice it is going to be much easier to have an encrypted folder that is mounted and dismounted rather than having to decrypt each file individually everytime the user wants to view the file. If the files are being shared or E-Mailed then they are usually encrypted by the compression program (typically RAR). For individual files you can often look at the header, although BestCrypt V8 introduced a plausible deniability "feature" where you can encrypt the headers of its container files where the container just looks like it is filled with random data.
All that aside here is a little guide on EFS
Can you share more info?
Need a spot of help here…first, are any registry entries detailing date and time made when a user plugs in a digital camera via USB…
Yes, there are several. The first time a USB storage device is connected to a system, that connection is documented in a file. The last time that the device is removed from the system is documented under the DeviceClasses Registry key.
All of this is documented in "Windows Forensic Analysis".
…and the vendor's software begins to download the images?
It probably depends on the software, but I'd think that perhaps a Prefetch file might tell you something. Again, depending upon the software, the app might have an MRU list that it maintains in the Registry.
However, there isn't any need for such things in most cases…the camera is treated like a USB removable storage device, and the user can easily copy files from the device without leaving any apparent artifacts.
BitHead/KeyDet
Thanks for the information! I didn't know that Windows would treat digital cameras as a USB Storage device, though it does make since in hindsight.
In reference to the Encryption, it is EFS, and I believe based on the user's login. As long as that user is logged in, the data in question would be decrypted and viewable. However, if another user logged in and looked at the data, or the hard drive was removed and examined, the data would need to be decrypted first…correct?
I know that a person can flag a folder to "EFS" encrypt contents "for security" automatically, and any file placed in that folder gets encrypted. I'm attempting to determine if this setting has been enabled, and where to go to determine if that is the case. I'm leaning toward the belief that each file was encrypted individually, but I'm looking for a place to start digging to verify this.
Thanks!
Chris
BitHead/KeyDet I didn't know that Windows would treat digital cameras as a USB Storage device…
It may not. XP supports, and digital cameras may use, Picture Transfer Protocol (PTP) to access and download images from the camera. In these cases, the camera would not be mounted as a device, and may not appear in the USBSTOR key or the setupapi.log file. That doesn't mean that the images could not have been transfered to an EFS folder or later EFS'ed individually. Some cameras that use PTP by default include a setup menu oprtion that allows the user to mount the camera as a device.