Also
1. a smart attacker would manipulate it instead of deleting it. My point is that what we say a lot of times isn't necessarily grounded in actual data. Yes, a "smart attacker" would do that…from our perspective. But why bother if you don't have to?
Because not everyone is sitting safe in a Southeast Asian country with non-cooperative law enforcement; they actually have to care about opsec, especially when going after more alert targets that do record pcaps of every bit going in and out of the network.
Don't get me wrong, I've seen similarly noisy attacks to the ones you describe, but attackers slowly learn and evolve, and DFIR has to evolve with it. From what I read about blue teams in general, they have much more on their to-do list to catch up with, and attacks, as you say, go unnoticed for months or even years.
I mean the USB flash drive is impossible to see from where I look at the monitor screen, so it is easy to forget to remove it; it is impossible to see with the eyes, the monitor hides it.
There is sensitive info on the USB flash drive, so that is the reason I am searching whether someone has erased some traces from the log. I have already tried the program you sent the link to.
So I just want to get some tips on which things I should look at, typically traces which occur in this case.
Is it impossible to see if some log file has been overwritten?
Is it impossible to see if some log file has been overwritten?
No, but - with all due respect - you seem to need either a tin foil hat 😯 or some new, solid security procedures AND a deeper approach to incident response.
If you have the kind of sensitive information that may require protection, you should have implemented far better safety/security measures/protocols to avoid the risk of "I may have forgotten …", and (as suggested as an example) added specific USB logging to the system, and of course not even thought of leaving anyone, ever, with local access to the machine unsupervised (or not filmed).
A relatively small number of people may be aware of methods to delete (actually to de-index) an event in a system log; I doubt that any of them were after you, as it is not easy-peasy or particularly renowned. However, the good (fresh) news is that it is possible to check the integrity of the logs:
https://www.forensicfocus.com/Forums/viewtopic/t=16137/
Also, I still don't understand the details of the incident, but if you left the actual USB stick unattended (i.e. you are not sure of its whereabouts for one week), it is more probable that it was read/copied on another computer, as that would have been simpler.
More generally - if you suspect any non-authorized activity on your PC - the "advised" procedure is NOT that of checking "just" the system logs (or this or that particular thing), but rather that of doing a complete timeline of all the activities on the system.
jaclaz
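As an added illustration of the two points made in the post above (checking whether records have been removed from a log, and looking at a whole-system timeline rather than one log in isolation), here is example code that is not jaclaz's, is not from the linked thread, and is not tied to any particular forensic tool. It assumes records exported from something like a Windows event log, where the engine assigns each log a strictly increasing EventRecordID, so a missing id between two surviving neighbours suggests a record was removed or de-indexed. The `Event` class, the function names and all sample records are constructed for this example.

```python
"""Added example: timeline of event records plus record-numbering gap check.

Assumptions (constructed for illustration, not from the original thread):
- every record carries the log it came from and that log's sequential
  record id (EventRecordID in Windows .evtx);
- in an untouched log those ids are contiguous;
- sample records below are made up; Security record 1004 is deliberately
  absent to show what a removed record looks like.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    log: str             # log the record came from, e.g. "Security"
    record_id: int       # per-log sequential id (EventRecordID)
    timestamp: datetime  # UTC time the record was written
    event_id: int        # provider event id (4624 = logon, 4634 = logoff)
    message: str         # short human-readable summary


def _utc(y, mo, d, h, mi, s=0):
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc)


# Constructed sample: two logs from the same machine.
SAMPLE_EVENTS: List[Event] = [
    Event("Security", 1001, _utc(2024, 3, 4, 8, 2, 10), 4624, "logon: alice, interactive"),
    Event("Security", 1002, _utc(2024, 3, 4, 8, 2, 11), 4672, "special privileges: alice"),
    Event("System", 550, _utc(2024, 3, 4, 8, 5, 30), 7036, "service entered running state"),
    Event("Security", 1003, _utc(2024, 3, 4, 12, 40, 5), 4634, "logoff: alice"),
    Event("System", 551, _utc(2024, 3, 4, 12, 45, 0), 7036, "service entered running state"),
    Event("Security", 1005, _utc(2024, 3, 4, 12, 58, 44), 4624, "logon: alice, interactive"),
    Event("Security", 1006, _utc(2024, 3, 4, 13, 0, 12), 4634, "logoff: alice"),
]


def build_timeline(events: List[Event]) -> List[Event]:
    """Merge records from every log into one list ordered by time."""
    return sorted(events, key=lambda e: (e.timestamp, e.log, e.record_id))


def find_record_gaps(events: List[Event]) -> List[Tuple[str, int, int]]:
    """Return (log, last id before gap, first id after gap) for each break
    in a log's record numbering. A gap means records are missing; it does
    not by itself say whether they were deleted, de-indexed or lost."""
    by_log: Dict[str, List[int]] = {}
    for e in events:
        by_log.setdefault(e.log, []).append(e.record_id)
    gaps = []
    for log, ids in sorted(by_log.items()):
        ids = sorted(set(ids))
        for prev, cur in zip(ids, ids[1:]):
            if cur != prev + 1:
                gaps.append((log, prev, cur))
    return gaps


def find_time_inversions(events: List[Event]) -> List[Tuple[str, int, int]]:
    """Within one log, a later record id with an earlier timestamp is worth a
    look: it can mean a clock change, but also an inserted or edited record."""
    by_log: Dict[str, List[Event]] = {}
    for e in events:
        by_log.setdefault(e.log, []).append(e)
    inversions = []
    for log, recs in sorted(by_log.items()):
        recs = sorted(recs, key=lambda e: e.record_id)
        for prev, cur in zip(recs, recs[1:]):
            if cur.timestamp < prev.timestamp:
                inversions.append((log, prev.record_id, cur.record_id))
    return inversions


def activity_around_gaps(events: List[Event], gaps) -> Dict[Tuple[str, int, int], List[Event]]:
    """For each gap, list what every other record (from any log) says happened
    between the two surviving neighbours; that window is where a full
    timeline earns its keep, because the damaged log alone is silent there."""
    by_key = {(e.log, e.record_id): e for e in events}
    timeline = build_timeline(events)
    result = {}
    for log, before, after in gaps:
        start = by_key[(log, before)].timestamp
        end = by_key[(log, after)].timestamp
        edges = {(log, before), (log, after)}
        result[(log, before, after)] = [
            e for e in timeline
            if start <= e.timestamp <= end and (e.log, e.record_id) not in edges
        ]
    return result


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_EVENTS):
        print(e.timestamp.isoformat(), e.log, e.record_id, e.event_id, e.message)
    gaps = find_record_gaps(SAMPLE_EVENTS)
    for gap, window in activity_around_gaps(SAMPLE_EVENTS, gaps).items():
        print("gap", gap, "-> other logs in that window:", [(w.log, w.record_id) for w in window])
```

Run against a real export, the gap list is only a starting point: a gap tells you records are absent from the numbering, not who removed them or why, and the timeline across all logs (plus file-system, registry and prefetch artifacts) is what lets you say what happened in the silent window.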