Hi All,
Newbie in digital forensics. I would like to know, are there any log files in a Windows system that record any documents/files transferred, removed, copied, deleted, etc.? E.g., if I copy a document file (ABC.doc) from my system to another storage device, a USB drive (for example), how can I find the log in my system that states that I have copied ABC.doc to a USB storage device?
Will appreciate all the help that I can get from here.
Thanks
First of all, what flavor of Windows are you working with? Although it probably won't matter in this case, it is always good to provide as much information about the environment you are working on to help others answer your questions.
Second, typically no. What you instead look for is circumstantial evidence: LNK files, browser history, Shellbags. These can all provide some evidence of files existing on other devices, which in turn may help prove that they were transferred to those other devices. If you are lucky, maybe you'll find a log file from a backup utility or compression utility which lists files being packaged up onto another device.
Hi,
Let's just say that it is in Windows XP environment.
And, is there any material that I should look at for this? I keep on searching for system log files, event viewer, etc. Maybe there is any reference that I should look into (I don't really know where to start off…)
Thanks,
Look for
1. LNK files that point to a file on a portable device
2. file// links in internet history that point to a portable device
3. registry entries for portable devices providing volume letters and times that the devices were hooked up (check out the book Windows Forensic Analysis)
4. Shellbag entries (look for copies of the application WRA.exe still on the internet)
There are no logs that will tell you files were copied. Can you get lucky and find some application used to copy files or back them up that left a log? Possibly. Once you have names of files from your analysis of the above 4 points, you can search for those file names on the hard drive and see where they show up. Maybe you'll find a log. In the numerous computers I have imaged, I've found that just once.
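A small illustration of point 1 above, added here as an example and not code from this thread: it builds a minimal Windows .lnk (MS-SHLLINK layout) in memory and parses its LinkInfo block to recover the target path, the volume's drive type (2 = removable), serial number, label and the target's last-write time, which is what you would check when deciding whether a shortcut points at a portable device. Assumptions: ASCII paths and labels, no LinkTargetIDList, and constructed sample values (serial, label, timestamp).

```python
# Added example (not the thread's code): build a minimal .lnk per MS-SHLLINK and
# parse the fields a forensic triage reads: target path, drive type, serial, label, write time.
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # ShellLink header CLSID
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}

def filetime_to_dt(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def build_lnk(local_path, drive_type, serial, label, write_ft):
    """Constructed sample: ShellLinkHeader + LinkInfo (VolumeID + LocalBasePath only)."""
    vol_label = label.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(vol_label), drive_type, serial, 16) + vol_label
    base = local_path.encode("ascii") + b"\x00"
    vol_off = 0x1C                                  # LinkInfoHeaderSize without unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)               # empty CommonPathSuffix follows
    link_info = struct.pack("<IIIIIII", suffix_off + 1, vol_off, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<II", 0x2, 0x20)  # HasLinkInfo, ARCHIVE
    header += struct.pack("<QQQ", write_ft, write_ft, write_ft)   # creation, access, write
    header += struct.pack("<IIIHHII", 1024, 0, 1, 0, 0, 0, 0)     # size, icon, SW_SHOWNORMAL, hotkey, reserved
    return header + link_info

def parse_lnk(data):
    """Return target path, drive info and write time, or None if no LinkInfo is present."""
    if data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    write_ft = struct.unpack_from("<Q", data, 44)[0]
    pos = 0x4C
    if flags & 0x1:                                 # skip LinkTargetIDList (IDListSize + list)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & 0x2:
        return None
    li = data[pos:]
    li_flags, vol_off, base_off = struct.unpack_from("<III", li, 8)
    if not li_flags & 0x1:                          # no VolumeIDAndLocalBasePath
        return None
    drive_type, serial, label_off = struct.unpack_from("<III", li, vol_off + 4)
    label = li[vol_off + label_off:].split(b"\x00", 1)[0].decode("ascii", "replace")
    path = li[base_off:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"path": path, "drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)),
            "serial": f"{serial:08X}", "label": label, "written": filetime_to_dt(write_ft)}
```

On a real image, run parse_lnk over the user's Recent folder and keep the entries whose drive_type is REMOVABLE; the serial number is what you later match against the registry's USB device entries.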
Izzudin
Since you offered that you were a newbie in digital forensics, let me offer you a great tip for discovering the answers to these questions.
Employ machine state tools (such as Regshot) and a process monitor tool (for example procexp by sysinternals).
I use both of these tools on a regular basis to answer those "what happens" types of scenarios.
For example, run Regshot (takes a snapshot of your registry and hard drive contents) and then perform your action, say, copying a file to a USB thumb drive. Then take a second Regshot and compare the two snapshots.
This will tell you what, if any, artifacts have changed/deleted/added during that process.
This is not guaranteed of course - some of the data may be in memory, and not ready to commit to the drive, but hey, it's a start. Procexp, when configured properly, can also hint at file metadata changes (i.e. timestamps).