Evidence file transfer to USB storage.

Aquachimere
(@aquachimere)
Junior Member

Hello,

 

Could you confirm to me that, to prove a data exfiltration on a Windows 7 machine
to a USB device, you have to analyze the $MFT and the ShellBags,
as well as the event logs.

A copy of a folder or file, for example, would leave
traces in the ShellBags, because a logical volume is opened.
Are you looking for other artifacts?

thank you

Topic starter Posted : 30/11/2020 10:42 am
jaclaz
(@jaclaz)
Community Legend

Before that I would check for the connection of the USB device, the drive letter and GUID assigned to the volume (that in case of a "first time connected USB" provides a definite timestamp), etc.

jaclaz

Posted : 30/11/2020 1:10 pm
Aquachimere
(@aquachimere)
Junior Member

@jaclaz

Hello

I have already checked it:
it was a telephone connected to USB, and the person claims to have been recharging it.
I found the trace of this phone and the connection timestamp,
but no logical volume mounted,
so I deduced no exfiltration; I still checked the ShellBags and the MFT.
I haven't seen anything positive. Hence my question whether I could have forgotten something.
 
Topic starter Posted : 30/11/2020 1:34 pm
Bunnysniper
(@bunnysniper)
Active Member
Posted by: @aquachimere

Could you confirm to me that, to prove a data exfiltration on a Windows 7 machine
to a USB device, you have to analyze the $MFT and the ShellBags,
as well as the event logs.

A copy of a folder or file, for example, would leave
traces in the ShellBags, because a logical volume is opened.

There are copy jobs possible without leaving traces such as ShellBags. Connecting a USB device and copying files via the command line would not generate ShellBags entries.
In most cases Windows Explorer is really used, so ShellBags analysis makes sense. Do not forget to check .lnk files from "Recent" and Prefetch entries for explorer.exe, too.

regards,

Robin

Posted : 30/11/2020 1:48 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

We had a recent case in which the computer user installed Seagate's Toolkit (Toolkit Support | Seagate Support US) software in order to copy files from the computer to an external USB drive.

None of our forensic tools could identify any USB drive connection artifacts at all, but a specific log file within the Toolkit installation folder on the computer recorded details of all files and folders copied to the external USB drive and on which dates.

So one technique is to generate a searchable index of the computer being investigated, and then run keyword search terms reasonably calculated to lead to positive hits. The aforementioned technique is what led us to the Seagate Toolkit log file.

Posted : 30/11/2020 10:05 pm
Neeru
(@neeru)
New Member

Checking the USB device ID and last-connected date-time stamp, along with a correlation with .lnk files (Windows system) for the same date-time stamp, may also suggest or throw some light on files transferred to USB, if any. In my career experience as a Digital Forensic Expert, I have found Magnet AXIOM (Connection option) useful in such cases of suspected data transfer to USB.

Posted : 01/12/2020 6:26 am
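The correlation jaclaz and Neeru describe (a USB volume's drive letter and connection window from the registry, matched against the user's Recent .lnk files) can be scripted once the values have been extracted. The block below is an added example, not code from anyone in this thread; all device ids, GUIDs, paths and timestamps are constructed, and the registry extraction itself is assumed to have been done with the examiner's usual tooling.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample records: the kind of values an examiner pulls from the
# USBSTOR and MountedDevices registry keys and from the user's Recent\*.lnk files.
# Every device id, GUID, path and timestamp below is hypothetical.
@dataclass
class UsbVolume:
    device_id: str                  # USBSTOR instance id (constructed)
    drive_letter: Optional[str]     # letter from MountedDevices; None if no volume was mounted
    volume_guid: str                # volume GUID from MountedDevices (constructed)
    connected: datetime             # connection window taken from the registry timestamps
    disconnected: datetime

@dataclass
class LnkRecord:
    lnk_name: str                   # shortcut file name in Recent\
    target_path: str                # local base path the shortcut resolves to
    accessed: datetime              # the shortcut's own timestamp (when it was created/updated)

def correlate(volumes, lnks, slack=timedelta(minutes=5)):
    """Pair each mounted USB volume with .lnk files whose target lives on that
    volume's drive letter and whose timestamp falls inside the connection window.
    Drive-letter matching is deliberately weak (letters get reused), so a hit is
    a lead to confirm against the volume serial stored in the .lnk, not proof."""
    hits = []
    for v in volumes:
        if v.drive_letter is None:  # phone in charge-only mode: no volume, nothing to match
            continue
        prefix = v.drive_letter.upper() + ":\\"
        for rec in lnks:
            on_volume = rec.target_path.upper().startswith(prefix)
            in_window = v.connected - slack <= rec.accessed <= v.disconnected + slack
            if on_volume and in_window:
                hits.append((v.device_id, rec.lnk_name, rec.target_path))
    return hits

SAMPLE_VOLUMES = [
    UsbVolume("USBSTOR\\Disk&Ven_Flash&Prod_Stick\\SER001", "E", "{guid-flash}",
              datetime(2020, 11, 27, 9, 12), datetime(2020, 11, 27, 9, 40)),
    UsbVolume("USB\\VID_PHONE&PID_0001\\IMEI001", None, "",   # charge-only phone
              datetime(2020, 11, 27, 14, 5), datetime(2020, 11, 27, 14, 50)),
]
SAMPLE_LNKS = [
    LnkRecord("q3_report.xlsx.lnk", "E:\\Reports\\q3_report.xlsx", datetime(2020, 11, 27, 9, 21)),
    LnkRecord("notes.docx.lnk", "C:\\Users\\user\\Documents\\notes.docx", datetime(2020, 11, 27, 9, 25)),
    LnkRecord("old.txt.lnk", "E:\\old.txt", datetime(2020, 11, 20, 16, 0)),  # outside the window
]
```

As Bunnysniper notes above, a command-line copy leaves no .lnk at all, so an empty result from this script rules nothing out; the phone with no mounted volume is skipped for the same reason.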
Aquachimere
(@aquachimere)
Junior Member

OK, thanks all for your replies.

I think the person plugged in the phone just to charge it over USB; even though
these connections are forbidden, he had an emergency and needed to charge it. I saw nothing else in the artefacts proving an exfiltration.
Topic starter Posted : 01/12/2020 7:52 am
jaclaz
(@jaclaz)
Community Legend
Posted by: @aquachimere

OK, thanks all for your replies.

I think the person plugged in the phone just to charge it over USB; even though
these connections are forbidden, he had an emergency and needed to charge it. I saw nothing else in the artefacts proving an exfiltration.

Well, the company, if the security issues are so relevant, could issue power-only USB cables.

jaclaz

Posted : 01/12/2020 8:46 am