Hi all
I am trying to spot where a user has copied files to an external drive.
I know they connected a USB drive on the day I am interested in, I would like to see evidence of a copy if that is possible?
First thing I can think of is to GREP search unallocated for any LNK files.
I am terrible at GREP, does anyone know the correct way to search for files relating to I:\ or J:\ (these are the drive letters that we suspect were used)
They could be any type of file really, not just limited to windows docs.
Thank you!
Assuming a Windows OS, you won't be able to find a log of if or what's been copied. The only history information available in Windows is a fact that a certain USB device (with its unique ID) was connected at a certain time. Here are a few links to get you started
Also these links
Hi
Thanks!
I was saying this to my colleagues but we wanted to be 100% sure.
Cheers for the information :)
First thing I can think of is to GREP search unallocated for any LNK files.
I'm not sure that I follow this line of reasoning…could you elaborate a bit?
I can see this if the user double-clicked a file located on an external device, and that file were then opened in the appropriate application, an LNK file would be located in the user's Recent folder (and, depending upon the version of Windows, other artifacts would be created, as well). However, this is simply an indication of the user opening the file from its location…not specifically of a copy operation.
Now, I know that the LNK file contains file time stamps…several in the shell item ID list, as well as in the header, that may be useful. You could locate the file in its original location, and compare the time stamps, taking into account things such as source and destination file system, as well as the granularity of the time stamps (i.e., time stamps in the shell item ID list have granularity of 2 seconds).
You also have to keep in mind the version of Windows you're examining, and in particular whether last access times on files are updated or not.
Overall, I would appreciate seeing others' thoughts on detection of copy operations (and *just* copy operations, with no subsequent actions) from a Windows system to a thumb drive. This question seems to come up a lot, and I wonder if there would be a way to gather enough circumstantial evidence of a copy operation using *just* the source system…
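As an added illustration of the two LNK points raised in this thread (the opening post's idea of searching unallocated space for LNK files tied to I:\ or J:\, and the note above that the LNK header carries file time stamps and the target's volume information), here is a small carver and parser. It is example code written for this discussion, not anything posted by the participants or part of any forensic tool. It searches a byte blob for the fixed ShellLinkHeader signature (header size 0x4C followed by the shell-link CLSID), reads the header FILETIMEs and the LinkInfo block (drive type, volume serial, label and local base path), and keeps only records whose path is on a suspected drive letter. The sample LNK records it scans are constructed in the script; the drive letters, volume label, serial and time stamps are made-up values. The shell item ID list, which holds the 2-second-granularity DOS time stamps mentioned above, is skipped rather than parsed. As the thread says, a hit shows a file was opened from that drive, not that it was copied there.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Every .lnk begins with HeaderSize 0x4C and the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046}; this 20-byte run is the carving signature.
LNK_SIGNATURE = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
FLAG_HAS_ID_LIST = 0x01        # LinkFlags bit: LinkTargetIDList present
FLAG_HAS_LINK_INFO = 0x02      # LinkFlags bit: LinkInfo present
LINKINFO_VOLUME_AND_LOCAL = 0x01  # LinkInfoFlags bit: VolumeID + LocalBasePath present
DRIVE_TYPES = {0: "unknown", 1: "no_root", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
_FT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _FT_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return (dt - _FT_EPOCH) // timedelta(microseconds=1) * 10


def _cstr(data, off):
    """NUL-terminated ANSI string at offset off."""
    return data[off:data.index(b"\x00", off)].decode("cp1252", "replace")


def parse_lnk(data):
    """Parse the ShellLinkHeader and LinkInfo of one shell link; None if not a valid LNK."""
    if len(data) < 76 or data[:20] != LNK_SIGNATURE:
        return None
    try:
        flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
        pos = 76
        if flags & FLAG_HAS_ID_LIST:          # skip the shell item ID list entirely
            (idlist_size,) = struct.unpack_from("<H", data, pos)
            pos += 2 + idlist_size
        rec = {"created": filetime_to_dt(ctime), "accessed": filetime_to_dt(atime),
               "written": filetime_to_dt(wtime), "size": size, "local_path": None,
               "drive_type": None, "volume_serial": None, "volume_label": None}
        if flags & FLAG_HAS_LINK_INFO:
            li = pos
            _li_size, _li_hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, li)
            if li_flags & LINKINFO_VOLUME_AND_LOCAL:
                v = li + vol_off
                _vol_size, drive_type, serial, label_off = struct.unpack_from("<IIII", data, v)
                rec["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
                rec["volume_serial"] = f"{serial:08X}"
                rec["volume_label"] = _cstr(data, v + label_off)
                rec["local_path"] = _cstr(data, li + base_off)
        return rec
    except (struct.error, ValueError):        # truncated or damaged record
        return None


def carve_lnk_records(blob, drive_letters=("I:", "J:")):
    """Scan a raw blob (e.g. an unallocated-space dump) for LNK headers and keep
    the records whose local base path is on one of the suspected drive letters."""
    hits = []
    for m in re.finditer(re.escape(LNK_SIGNATURE), blob):
        rec = parse_lnk(blob[m.start():])
        if rec and rec["local_path"] and rec["local_path"][:2].upper() in drive_letters:
            rec["offset"] = m.start()
            hits.append(rec)
    return hits


def build_sample_lnk(local_path, drive_type, label, serial, written):
    """Construct a minimal LNK (header + LinkInfo) for testing; not a real evidence file."""
    ft = dt_to_filetime(written)
    header = LNK_SIGNATURE + struct.pack("<IIQQQIIIHHII", FLAG_HAS_LINK_INFO, 0x20,
                                         ft, ft, ft, 4096, 0, 1, 0, 0, 0, 0)
    label_b = label.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    path_b = local_path.encode("cp1252") + b"\x00"
    vol_off = 28                              # LinkInfoHeaderSize without unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(path_b)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, LINKINFO_VOLUME_AND_LOCAL,
                            vol_off, base_off, 0, suffix_off)
    return header + link_info + volume_id + path_b + b"\x00"


def demo():
    """Constructed 'unallocated' dump: one LNK pointing at C:, one at a removable I: volume."""
    written = datetime(2013, 5, 14, 9, 30, 0, tzinfo=timezone.utc)
    local = build_sample_lnk(r"C:\Users\alice\Documents\notes.txt", 3, "OS", 0x0BADF00D, written)
    stick = build_sample_lnk(r"I:\Projects\plans.docx", 2, "USBSTICK", 0x1234ABCD, written)
    blob = b"\x00" * 512 + local + b"\xff" * 300 + stick + b"\x00" * 128
    return carve_lnk_records(blob)


if __name__ == "__main__":
    for hit in demo():
        print(f"offset {hit['offset']}: {hit['local_path']} on {hit['drive_type']} volume "
              f"{hit['volume_label']} ({hit['volume_serial']}), written {hit['written']}")
```

Run against a real dump, the drive letter filter is the GREP step the opening post asks about, and the volume serial in each hit is what to compare against the USB device history the other replies mention.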
Technically, copy operations are not logged in Windows. Granted, if you copy a file between two NTFS volumes, you may get something by analyzing the transaction log file; however, this won't be available for a pen drive.
Opening certain types of files directly from a pen drive may (depending on certain factors) result in the creation of corresponding .lnk files. However, simply copying files from the PC and onto the pen drive will generally leave no traces other than changed "last access time" attributes of files stored on the NTFS volumes (unless disabled http//
Assuming a Windows OS, you won't be able to find a log of if or what's been copied. The only history information available in Windows is a fact that a certain USB device (with its unique ID) was connected at a certain time. /
Not necessarily true, although not a log, on Windows 7 computers the Windows.edb file may have indexed the pen drive and would show the filenames on the drive as well as the first time they were 'spotted' by Windows.
Esedb viewer is a good tool for viewing the Windows.edb, although you may need to repair the database first. This can be done using esentutl.exe, which is on a Windows 7 system.
You would need to extract the MSS file and MSS00x files from the directory containing windows.edb, as well as the windows.edb file itself.
Command line is esentutl.exe /r mss -d (I think)
Normally, Windows 7 will not index USB drives. Quote "Windows Search 4.0 (installed on Windows XP) can index removable drives, but Windows 7 (which uses Windows Search 4.0) cannot because the USB device identifies itself as a "Removable" drive and Windows 7 refuses to index removable drives."
Normally, Windows 7 will not index USB drives. Quote "Windows Search 4.0 (installed on Windows XP) can index removable drives, but Windows 7 (which uses Windows Search 4.0) cannot because the USB device identifies itself as a "Removable" drive and Windows 7 refuses to index removable drives."
Do you have a URL for that quote?
Normally, Windows 7 will not index USB drives. Quote "Windows Search 4.0 (installed on Windows XP) can index removable drives, but Windows 7 (which uses Windows Search 4.0) cannot because the USB device identifies itself as a "Removable" drive and Windows 7 refuses to index removable drives."
I've had 2 cases where an external drive was indexed, one was a usb hard disk and one was a pen drive. It might be a long shot and it may not have been indexed, but if you don't look you don't find :)
Do you have a URL for that quote?
I don't remember where that fragment was snipped from, but here's the prooflink
Drive Exclusions
On Windows 7 and Windows Vista, removable drives are not indexed by default.
Note: If removable drives report themselves as fixed drives, you can add them to be indexed even if they are actually removable. Information will remain in the index and Windows Search will do an incremental crawl to reconcile indexing results when the removable disk is plugged in again. Because USB flash drives report themselves as removable, they cannot be indexed.