Finding evidence of a copy to external USB (GREP help)  

Cerveza
(@cerveza)
New Member

Hi all

I am trying to spot where a user has copied files to an external drive.

I know they connected a USB drive on the day I am interested in, I would like to see evidence of a copy if that is possible?

First thing I can think of is to GREP search unallocated for any LNK files.

I am terrible at GREP, does anyone know the correct way to search for files relating to I:\ or J:\ (these are the drive letters that we suspect were used)?

They could be any type of file really, not just limited to windows docs.

Thank you!

Posted : 13/05/2013 2:42 pm
Belkasoft
(@belkasoft)
Active Member

Assuming a Windows OS, you won't be able to find a log of if or what's been copied. The only history information available in Windows is a fact that a certain USB device (with its unique ID) was connected at a certain time. Here are a few links to get you started

http://www.forensicswiki.org/wiki/USB_History_Viewing

http://blogs.technet.com/b/heyscriptingguy/archive/2012/05/18/use-powershell-to-find-the-history-of-usb-flash-drive-usage.aspx

Also these links

http://www.securityhunk.com/2010/07/how-to-retrieve-usb-history-and-delete.html

https://www.anti-forensics.com/delete-usb-device-history-from-the-windows-registry-usbstor-key-and-the-setupapilog/

Posted : 13/05/2013 3:52 pm
Cerveza
(@cerveza)
New Member

Hi

Thanks!

I was saying this to my colleagues but we wanted to be 100% sure.

Cheers for the information )

Posted : 13/05/2013 4:08 pm
keydet89
(@keydet89)
Community Legend

First thing I can think of is to GREP search unallocated for any LNK files.

I'm not sure that I follow this line of reasoning…could you elaborate a bit?

I can see this if the user double-clicked a file located on an external device, and that file were then opened in the appropriate application, an LNK file would be located in the user's Recent folder (and, depending upon the version of Windows, other artifacts would be created, as well). However, this is simply an indication of the user opening the file from its location…not specifically of a copy operation.

Now, I know that the LNK file contains file time stamps…several in the shell item ID list, as well as in the header, that may be useful. You could locate the file in its original location, and compare the time stamps, taking into account things such as source and destination file system, as well as the granularity of the time stamps (i.e., time stamps in the shell item ID list have granularity of 2 seconds).

You also have to keep in mind the version of Windows you're examining, and in particular whether last access times on files are updated or not.

Overall, I would appreciate seeing others' thoughts on detection of copy operations (and *just* copy operations, with no subsequent actions) from a Windows system to a thumb drive. This question seems to come up a lot, and I wonder if there would be a way to gather enough circumstantial evidence of a copy operation using *just* the source system…

Posted : 13/05/2013 6:06 pm
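Added example (not code from anyone in this thread) covering both the OP's GREP question and keydet89's point about LNK header time stamps: it carves Shell Link headers out of a raw byte blob standing in for an unallocated-space dump, decodes the three header FILETIMEs, takes the first drive-letter path found after each header (so hits can be narrowed to I: and J:), and compares time stamps with the 2-second tolerance keydet89 mentions for shell item time stamps. The `make_lnk` helper and `SAMPLE_BLOB` are constructed test data that mimic only the header and path string of a real .lnk, not a full LinkInfo structure.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
# Every Shell Link (.lnk) begins with HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046; those 20 bytes are the carving signature.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIiIHHII"  # the 76-byte ShellLinkHeader
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
DRIVE_PATH = re.compile(rb"([A-Z]:\\[\x20-\x7e]{1,259})\x00")  # null-terminated ANSI path

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None if zero."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def carve_lnk(blob, drive_letters=None):
    """Find LNK headers anywhere in raw bytes, decode the header time stamps and take the
    first drive-letter path after the header; drive_letters (e.g. {"I", "J"}) narrows hits."""
    hits = []
    for m in re.finditer(re.escape(LNK_MAGIC), blob):
        off = m.start()
        hdr = blob[off:off + 76]
        if len(hdr) < 76:
            continue  # header truncated at the end of the blob
        f = struct.unpack(HEADER_FMT, hdr)
        pm = DRIVE_PATH.search(blob, off + 76, off + 4096)
        path = pm.group(1).decode("ascii") if pm else None
        if drive_letters and (path is None or path[0] not in drive_letters):
            continue
        hits.append({"offset": off, "path": path, "created": filetime_to_dt(f[4]),
                     "accessed": filetime_to_dt(f[5]), "written": filetime_to_dt(f[6])})
    return hits

def same_within_granularity(a, b, seconds=2):
    """Shell-item (DOS) time stamps carry only 2 s resolution, so compare with that tolerance."""
    return abs((a - b).total_seconds()) < seconds

def make_lnk(path, created, accessed, written):
    """Constructed sample only: a real header (HasLinkInfo set) followed by a bare
    LocalBasePath string; the LinkInfo bookkeeping fields are left out for brevity."""
    hdr = struct.pack(HEADER_FMT, 0x4C, LNK_MAGIC[4:], 0x02, 0x20, dt_to_filetime(created),
                      dt_to_filetime(accessed), dt_to_filetime(written), 1234, 0, 1, 0, 0, 0, 0)
    return hdr + path.encode("ascii") + b"\x00"

T0 = datetime(2013, 5, 10, 14, 30, 1, tzinfo=timezone.utc)  # constructed sample time
SAMPLE_BLOB = (b"\x00" * 37 + make_lnk("I:\\Reports\\payroll.xlsx", T0, T0, T0)
               + b"junk" * 5 + make_lnk("C:\\Users\\bob\\notes.txt", T0, T0, T0) + b"\xff" * 9)
```

On a real case you would read the unallocated dump into `blob` and call `carve_lnk(blob, {"I", "J"})`; a hit only shows that a file on that volume was opened or referenced, which, as keydet89 notes, is not the same as proof of a copy.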
Belkasoft
(@belkasoft)
Active Member

Technically, copy operations are not logged in Windows. Granted, if you copy a file between two NTFS volumes, you may get something by analyzing the transaction log file; however, this won't be available for a pen drive.

Opening certain types of files directly from a pen drive may (depending on certain factors) result in the creation of corresponding .lnk files. However, simply copying files from the PC and onto the pen drive will generally leave no traces other than changed "last access time" attributes of files stored on the NTFS volumes (unless disabled: http://www.pctools.com/guides/registry/detail/50/ ). Knowing the time the USB device was last inserted, you can try guessing which files could be copied onto that device by looking at this NTFS attribute.

Posted : 13/05/2013 6:56 pm
minime2k9
(@minime2k9)
Active Member

Assuming a Windows OS, you won't be able to find a log of if or what's been copied. The only history information available in Windows is a fact that a certain USB device (with its unique ID) was connected at a certain time.

Not necessarily true, although not a log, on Windows 7 computers the Windows.edb file may have indexed the pen drive and would show the filenames on the drive as well as the first time they were 'spotted' by Windows.

Esedb viewer is a good tool for viewing the Windows.edb, although you may need to repair the database first. This can be done using esentutl.exe, which is on a Windows 7 system.
You would need to extract the MSS file and MSS00x files from the directory with windows.edb in, as well as the windows.edb file.

Command line is esentutl.exe /r mss -d (I think)

Posted : 13/05/2013 7:27 pm
Belkasoft
(@belkasoft)
Active Member

Normally, Windows 7 will not index USB drives. Quote "Windows Search 4.0 (installed on Windows XP) can index removable drives, but Windows 7 (which uses Windows Search 4.0) cannot because the USB device identifies itself as a "Removable" drive and Windows 7 refuses to index removable drives."

Posted : 14/05/2013 1:16 am
keydet89
(@keydet89)
Community Legend

Normally, Windows 7 will not index USB drives. Quote "Windows Search 4.0 (installed on Windows XP) can index removable drives, but Windows 7 (which uses Windows Search 4.0) cannot because the USB device identifies itself as a "Removable" drive and Windows 7 refuses to index removable drives."

Do you have a URL for that quote?

Posted : 14/05/2013 5:08 am
minime2k9
(@minime2k9)
Active Member

Normally, Windows 7 will not index USB drives. Quote "Windows Search 4.0 (installed on Windows XP) can index removable drives, but Windows 7 (which uses Windows Search 4.0) cannot because the USB device identifies itself as a "Removable" drive and Windows 7 refuses to index removable drives."

I've had 2 cases where an external drive was indexed, one was a usb hard disk and one was a pen drive. It might be a long shot and it may not have been indexed, but if you don't look you don't find )

Posted : 14/05/2013 12:34 pm
Belkasoft
(@belkasoft)
Active Member

Do you have a URL for that quote?

I don't remember where that fragment was snipped from, but here's the prooflink
http://msdn.microsoft.com/en-us/library/windows/desktop/bb266513(v=vs.85).aspx

Drive Exclusions

On Windows 7 and Windows Vista, removable drives are not indexed by default.

Note: If removable drives report themselves as fixed drives, you can add them to be indexed even if they are actually removable. Information will remain in the index and Windows Search will do an incremental crawl to reconcile indexing results when the removable disk is plugged in again. Because USB flash drives report themselves as removable, they cannot be indexed.

Posted : 14/05/2013 4:44 pm
keydet89
(@keydet89)
Community Legend

Belka,

Thanks for the reference.

Posted : 14/05/2013 5:21 pm
jaclaz
(@jaclaz)
Community Legend

Well, the original is (slightly) more misguiding

Because USB flash drives report themselves as removable, they cannot be indexed.

USB sticks come (from factory) in 99.99% set as removable and formatted as "superfloppy" (usually in FAT32).
BUT it is possible (and actually done very often) to place a MBR on it (and optionally more than one partition/volume).
Windows will still see the device as removable and access only the first volume on it (to be picky, the partition which is in the first entry of the MBR partition table).
So quite a few people (in order to make "bootable sticks" for recovery etc. with multiple OS) change the state of the USB stick.
This can be done in two ways

  • "flipping the removable bit", i.e. using a Manufacturer Tool to let the USB stick be seen as "Fixed"
  • install in the Windows a "Filter driver" that can be either installed as "generic" (all USB removable devices) or "for a given device only" <- for the record the first of such drivers was developed by Hitachi to allow managing the IBM/Hitachi MicroDrive

So, it is much more common that a USB stick IS "Removable", but still it is very possible that a USB stick is "Fixed" (and thus possibly automatically indexed)

As a side note, and additionally, though it is of course the most normal case is that a USB stick is automounted to a drive letter at connection, if it is instead mounted to a mountpoint residing on a hard disk it should be indexed as well. ?

jaclaz

Posted : 14/05/2013 7:08 pm
pbobby
(@pbobby)
Active Member

Minime

Have you tested how quickly the data in the EDB file is cleaned up/deleted when USB devices are disconnected from the machine?

Assuming a Windows OS, you won't be able to find a log of if or what's been copied. The only history information available in Windows is a fact that a certain USB device (with its unique ID) was connected at a certain time.

Not necessarily true, although not a log, on Windows 7 computers the Windows.edb file may have indexed the pen drive and would show the filenames on the drive as well as the first time they were 'spotted' by Windows.

Esedb viewer is a good tool for viewing the Windows.edb, although you may need to repair the database first. This can be done using esentutl.exe, which is on a Windows 7 system.
You would need to extract the MSS file and MSS00x files from the directory with windows.edb in, as well as the windows.edb file.

Command line is esentutl.exe /r mss -d (I think)

Posted : 21/05/2013 9:17 pm