All, this is my first posting so I hope I have put it in the right place!
I want to prove that an individual copied files to a usb storage device.
Complicating factors are that the files were stored on a server and accessed via lnk files.
The lnk files have accessed times around the right time when looked at in isolation, but when checked, the whole drive has consecutive times as if the drive were being checked by a virus scan, making the last accessed times useless.
So the question is... are files that are copied to an external drive recorded anywhere? If so, where?
On the workstation used for the copy there will be registry (USBSTOR) and \Documents and Settings\username\Recent artifacts of interest.
The lnk files have accessed times around the right time when looked at in isolation, but when checked, the whole drive has consecutive times as if the drive were being checked by a virus scan, making the last accessed times useless.
Hello
Remember that inside a link file there are three date/time stamps, including the last accessed date and time of the file the link file is pointing to. These are not changed by a virus scan.
Another useful place to look is in the NTUSER.DAT.
Here you will find items such as 'BagsMRU' and 'StreamMRU'. If you use something like Windows Registry Analyser you can easily browse through to see if any of the suspected files or folders are listed in there.
Also, link files retain the volume serial of the host device. That means that, if you know that piece of information about the device, it is easier to tie a link file to the device.
ddow said that the USBSTOR artifact would be of interest - he's spot on there. This is located in the SYSTEM registry file. This is also tied to the USB portion of the registry. You can find the VID (Vendor ID) and PID (Product ID) of each USB device plugged into the computer. You can then identify exactly what the USB storage device was so you know what to look for.
You can also look in the setupapi.log file to see when this device was plugged into the computer.
If I think of anything else I'll post back.
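To show what the reply above means by the three timestamps and the volume serial inside a link file, here is a small parser added for this thread (example code, not from any poster or from Windows Registry Analyser). The field layout follows Microsoft's published Shell Link format (MS-SHLLINK); the sample .lnk bytes, the E:\reports\q1.xls target and the 1A2B-3C4D serial are constructed in the script, not taken from a real case. Note that a link whose target lives on a server carries a network block instead of a VolumeID block, so for those this parser reports no serial.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

# Field layout follows the published Shell Link (.LNK) binary format, MS-SHLLINK.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bits
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit: a VolumeID block is present
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_lnk(data):
    """Return the target's three timestamps and, for local targets, the volume serial."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {"created": filetime_to_datetime(ctime),    # these are the TARGET's times, stored in
            "accessed": filetime_to_datetime(atime),   # the link when it was made/updated, so a
            "written": filetime_to_datetime(wtime),    # later AV sweep of the disk leaves them alone
            "target_size": size, "drive_type": None,
            "volume_serial": None, "local_base_path": None}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:                # skip the shell item ID list if present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vsize, dtype, serial = struct.unpack_from("<III", data, pos + vol_off)
            info["drive_type"] = DRIVE_TYPES.get(dtype, "unknown")
            # same value the 'vol' command prints for the device, e.g. 1A2B-3C4D
            info["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            start = pos + base_off
            info["local_base_path"] = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += li_size
    return info


def build_sample_lnk():
    """Constructed sample: a link to E:\\reports\\q1.xls on a removable volume (not a real artefact)."""
    def ft(dt):
        return int((dt - EPOCH_1601).total_seconds()) * 10_000_000
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         ft(datetime(2007, 3, 1, 9, 0, tzinfo=timezone.utc)),    # created
                         ft(datetime(2007, 3, 14, 15, 30, tzinfo=timezone.utc)),  # accessed
                         ft(datetime(2007, 3, 2, 10, 0, tzinfo=timezone.utc)),   # written
                         1024, 0, 1, 0, 0, 0, 0)
    label, base, suffix = b"USBDISK\x00", b"E:\\reports\\q1.xls\x00", b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 2, 0x1A2B3C4D, 16) + label  # 2 = removable
    vol_off = 0x1C                                   # LinkInfo header is 28 bytes
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + len(suffix), 0x1C,
                            VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0, suffix_off)
    return header + link_info + volume_id + base + suffix


if __name__ == "__main__":
    # usage: python lnkinfo.py some.lnk   (no argument parses the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_lnk()
    for key, value in parse_lnk(data).items():
        print(f"{key:16} {value}")
```

Run it against the .lnk files in the user's Recent folder and compare the reported serial with the one the suspect device shows; the header timestamps give you the target's times as they were when the link was last refreshed, independent of whatever the scanner later did to the disk.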
So the question is... are files that are copied to an external drive recorded anywhere? If so, where?
No, it isn't. What you need is to get the external media for analysis, then check the files that are there, compare via MD5 hashes, and then check the MAC times on the files in order to determine if they were copied from the server to the external device, or vice versa.
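The reply above describes the comparison in two steps: match files by MD5, then read the copy direction from the MAC times. Here is that procedure as a script added for this thread (example code, not any poster's tool). It assumes the usual Windows Explorer copy behaviour, where the destination keeps the source's last-written time but gets a fresh creation time, which is why a copied file's created time sits after its modified time. The server and USB records in the script are constructed sample metadata; `collect()` shows how to gather real ones from two mounted trees.

```python
import hashlib
import os
from datetime import datetime, timezone


def md5_of_file(path, chunk=1 << 20):
    """MD5 a file in chunks so large files never have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(root):
    """Walk a mounted tree and record MD5 plus MAC times (UTC) for every file.
    Creation time comes from st_birthtime where the OS exposes it (Windows, macOS);
    on Linux st_ctime is inode-change time, not creation, so run this on the
    platform that preserves the evidence or feed in timestamps from your imaging tool."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            born = getattr(st, "st_birthtime", st.st_ctime)
            records.append({"path": p, "md5": md5_of_file(p),
                            "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc),
                            "accessed": datetime.fromtimestamp(st.st_atime, timezone.utc),
                            "created": datetime.fromtimestamp(born, timezone.utc)})
    return records


def match_by_hash(server, usb):
    """Pair server and USB files whose content is identical (same MD5)."""
    by_hash = {}
    for r in server:
        by_hash.setdefault(r["md5"], []).append(r)
    return [(s, u) for u in usb for s in by_hash.get(u["md5"], [])]


def infer_direction(server_rec, usb_rec):
    """Assumed Explorer copy semantics: the destination keeps the source's
    last-written time but receives a new creation time. So the copy is the side
    whose created time is later, and on that side created >= modified.
    Tools that preserve creation times (robocopy /COPY:DAT, imaging) defeat this,
    hence 'undetermined' rather than a guess."""
    if server_rec["md5"] != usb_rec["md5"]:
        return "different content"
    if usb_rec["created"] > server_rec["created"] and usb_rec["created"] >= usb_rec["modified"]:
        return "server -> usb"
    if server_rec["created"] > usb_rec["created"] and server_rec["created"] >= server_rec["modified"]:
        return "usb -> server"
    return "undetermined"


def report(server, usb):
    """One row per content match: (server path, usb path, inferred direction)."""
    return [(s["path"], u["path"], infer_direction(s, u)) for s, u in match_by_hash(server, usb)]


def rec(path, md5, created, modified, accessed):
    """Build a record from ISO timestamps (used for the constructed sample below)."""
    utc = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
    return {"path": path, "md5": md5, "created": utc(created),
            "modified": utc(modified), "accessed": utc(accessed)}


# Constructed sample data, not real evidence: q1.xls is identical on both sides,
# the USB copy has a fresh creation time but the server's modified time preserved.
SERVER_SAMPLE = [
    rec(r"\\server\share\reports\q1.xls", "9e107d9d372bb6826bd81d3542a419d6",
        "2007-02-01 09:00:00", "2007-02-20 14:10:00", "2007-03-14 15:30:00"),
    rec(r"\\server\share\reports\q2.xls", "e4d909c290d0fb1ca068ffaddf22cbd0",
        "2007-02-01 09:05:00", "2007-03-01 11:00:00", "2007-03-14 15:30:00"),
]
USB_SAMPLE = [
    rec(r"E:\q1.xls", "9e107d9d372bb6826bd81d3542a419d6",
        "2007-03-14 15:31:00", "2007-02-20 14:10:00", "2007-03-14 15:31:00"),
    rec(r"E:\notes.txt", "d41d8cd98f00b204e9800998ecf8427e",
        "2007-01-10 08:00:00", "2007-01-10 08:00:00", "2007-01-10 08:00:00"),
]

if __name__ == "__main__":
    # usage: python copycheck.py <server_share_mount> <usb_mount>
    import sys
    if len(sys.argv) == 3:
        rows = report(collect(sys.argv[1]), collect(sys.argv[2]))
    else:
        rows = report(SERVER_SAMPLE, USB_SAMPLE)
    for row in rows:
        print(" | ".join(row))
```

The script only pairs exact content matches; a file edited on the USB stick after the copy will no longer hash-match and has to be compared by hand, and an "undetermined" result is a prompt to look at how the copy was made rather than a finding.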
Another useful place to look is in the NTUSER.DAT.
Yeah, NTUSER.DAT brings interesting information about activity on a PC:
MRU Last Visited: NTUSER.DAT \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\
MRU Open/Save: NTUSER.DAT \Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\
MRU Recent Documents: NTUSER.DAT \Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\
MRU Run: NTUSER.DAT \Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Search MRU: NTUSER.DAT \Software\Microsoft\SearchAssistant\ACMru
Windows Media Player MRU: NTUSER.DAT \Software\Microsoft\MediaPlayer\Player\
I use Windows Registry Recovery (it's free)
This is a very interesting thread, in that all but one of the responses actually directly addresses the original question…