Performing analysis on Windows machine, trying to determine whether documents were exfiltrated.
First question: Is the Last Accessed Timestamp logged within a MS Office document (Word,Excel,Ppt) when the document is moved? (copied to flash drive and/or uploaded to cloud).
Second Question: Is a "Last Accessed Timestamp" logged on an MS Office document when it is deleted?
I've determined when a flash drive was connected using Windows Event Logs - Storage Device Events, ID #1006 and am looking at timestamps that occur during the connected timeframe. Unfortunately, there is also Google drive web browser activity and file deletions occurring near the same time. Trying to determine what I can accurately report reference the activity.Â
Performing analysis using Magnet Axiom. I want to learn more about what artifacts are created when a document is uploaded to the cloud. Any blogs or articles reference this topic would be greatly appreciated.Â
Thank you.
I was able to determine when a flash drive was connected by using the Windows Event Logs - Storage Device Events, ID #1006. Currently, I am looking at timestamps that occur during the connected timeframe in order to find out what happened during that time. Unfortuitously, there is also activity in the web browser that is associated with Google Drive, and files are being deleted in close proximity to one another. I'm trying to figure out what information I can report accurately in relation to the activity, and right now I'm trying to decide what that information is.
