Hi
I was curious if there is a way to do a forensic analysis of an external drive that may prove that data was either copied on/from to it from/to certain sources?
Cheers
Hi,
Do you have access to the system you think it attached to?
You could look for signs of mass copy by matching up the last time the drive was introduced vs last modified date / access date.
I think the answer to your question may be no.
One area to investigate could be the creation time of files. The creation time is when a file was created or copied to a drive.
If a file has a modified date of 1st of the month, but creation date of 5th of the month this would indicate an existing file was copied to the drive on the 5th.
For reading a file, the access date may be of use - but often this is not updated. It could also be changed by an antivirus scan.
The problem is I only have access to the external drive. I know it's a long shot to actually tie it down, but I was hoping if anyone knew a way to get this information.
If you want to tie this external drive to a specific system by ONLY conducting analysis on the external drive itself, the answer is no.
You would absolutely need some type of data to correlate with the potential computer systems data was copied to/from. The list of possibilities in this case COULD be numerous depending on what's available on the external drive and also still present on the system of interest.
Long shot, but if you, against all odds, found a shortcut that pointed to a file on the original system, the metadata could point to the system.
That's all I got.
[quote]Long shot, but if you, against all odds, found a shortcut that pointed to a file on the original system, the metadata could point to the system.[/quote]
Would you mind elaborating on this hypothesis?
I'm kind of curious as to the "long shot", as well.
While I agree that *if* such a shortcut/LNK file is found, then it would prove beneficial. However, if a user were to copy/move files over to the external drive and then double-click the file to view its contents and ensure that it was copied correctly, the shortcut/LNK file would be created in the user's profile, pointing to the external storage device…it wouldn't be created on the external storage device.
The solution to the original question really depends on what's on the external drive. Various file/document formats contain metadata that may point to another system…so, do you know what files are on the external hard drive, either as part of the logical file system or as a result of carving?
[quote]Would you mind elaborating on this hypothesis?[/quote]
Shortcuts contain the volume serial number and label of the target partition. They also contain the system name and MAC address of the target system.
If the user created a shortcut on the external drive to a file on the host system, the link file may have the above information showing a link.
[quote="keydet89"]
While I agree that *if* such a shortcut/LNK file is found, then it would prove beneficial. However, if a user were to copy/move files over to the external drive and then double-click the file to view its contents and ensure that it was copied correctly, the shortcut/LNK file would be created in the user's profile, pointing to the external storage device…it wouldn't be created on the external storage device.
[/quote]
Obviously. But he doesn't have the host system, just the external drive. I was giving a possible way to link the external drive to a host system. Once the link is established, maybe he can expand scope to find the host system (search warrant or something).
But, without the host, proving files were copied to/from is nigh on impossible since there is no reference point.
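
Added example, not written by any poster in this thread: a minimal Python parser that reads the fields discussed above (target volume serial number, system name, and the MAC address embedded in the tracker object ID) from a .lnk file recovered from the external drive. Field offsets follow Microsoft's MS-SHLLINK layout; the names `parse_lnk` and `build_sample` and every sample value are constructed for illustration.

```python
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le

def parse_lnk(data: bytes) -> dict:
    """Pull host-identifying fields out of raw Shell Link (.lnk) bytes."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    out = {"volume_serial": None, "machine_id": None, "mac": None}
    pos = 76
    if flags & 0x01:  # HasLinkTargetIDList: 2-byte size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:  # HasLinkInfo: carries the target volume's VolumeID
        size, _hdr, li_flags, vol_off = struct.unpack_from("<4I", data, pos)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath
            serial = struct.unpack_from("<I", data, pos + vol_off + 8)[0]
            out["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
        pos += size
    width = 2 if flags & 0x80 else 1  # IsUnicode
    for bit in (0x04, 0x08, 0x10, 0x20, 0x40):  # StringData sections
        if flags & bit:
            pos += 2 + width * struct.unpack_from("<H", data, pos)[0]
    while pos + 8 <= len(data):  # ExtraData blocks: size, signature, body
        bsize, sig = struct.unpack_from("<2I", data, pos)
        if bsize < 4:
            break  # terminal block
        if sig == 0xA0000003 and bsize >= 0x60 and pos + bsize <= len(data):
            # TrackerDataBlock: NetBIOS name at +16, Droid file object ID at +48
            name = data[pos + 16:pos + 32].split(b"\0")[0]
            out["machine_id"] = name.decode("ascii", "replace")
            obj = uuid.UUID(bytes_le=data[pos + 48:pos + 64])
            if obj.version == 1:  # time-based UUID: node field is a MAC address
                out["mac"] = ":".join(f"{b:02x}" for b in obj.node.to_bytes(6, "big"))
        pos += bsize
    return out

def build_sample() -> bytes:
    """Constructed sample (all values made up): header, LinkInfo, tracker block."""
    header = (b"\x4c\0\0\0" + LNK_CLSID + struct.pack("<I", 0x02)).ljust(76, b"\0")
    vol = struct.pack("<4I", 21, 3, 0x1A2B3C4D, 16) + b"DATA\0"
    base = b"C:\\a.txt\0"
    info = struct.pack("<7I", 28 + len(vol) + len(base) + 1, 28, 1, 28,
                       28 + len(vol), 0, 28 + len(vol) + len(base)) + vol + base + b"\0"
    droid = uuid.UUID(int=1).bytes_le + uuid.UUID("6ba7b810-9dad-11d1-80b4-001122334455").bytes_le
    tracker = struct.pack("<4I16s", 0x60, 0xA0000003, 0x58, 0, b"workstation01") + droid * 2
    return header + info + tracker + struct.pack("<I", 0)

if __name__ == "__main__":
    print(parse_lnk(build_sample()))
```

The MAC is reported only when the object ID is a version 1 (time-based) UUID; other UUID versions carry no network address, so `mac` stays `None` for them.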