Notifications

Clear all

Finding evidence of a copy to external USB (GREP help)

Cerveza · 2013-05-13T13:42:37Z

Hi allI am trying to spot where a user has copied files to an external drive.I know they connected a USB drive on the day I am interested in, I would like to see evidence of a copy if that is possible?First thing I can think of is to GREP search unallocated for any LNK files.I am terrible at GREP, does anyone know the correct way to search for file relating to I or J (these are the drive letters that we suspect were used)They could be any type of file really, not just limited to windows docs.Thank you!

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by pbobby 12 years ago

13 Posts

6 Users

0 Reactions

2,723 Views

RSS

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

14/05/2013 5:21 pm

Belka,

Thanks for the reference.

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

14/05/2013 7:08 pm

Well, the original is (slightly) more misguiding

Because USB flash drives report themselves as removable, they cannot be indexed.

USB sticks come (from factory) in 99.99% set as removable and formatted as "superfloppy" (usually in FAT32).
BUT it is possible (and actually done very often) to place a MBR on it (and optionally more than one partition/volume).
Windows will still see the device as removable and access only first volume on it (to be picky the partition which is in first entry of the MBR partitition table)
So quite a few people (in order to make "bootable sticks" for recovery etc. with multiple OS) change the state of the USB stick.
This can be done in two ways

"flipping the removable bit", i.e. using a Manufacturer Tool to let the USB stick be seen as "Fixed"
install in the Windows a "Filter driver" that can be either installed as "generic" (all USB removable devices) or "for a given device only" <- for the record the first of such drivers was developed by Hitachi to allow managing the IBM/Hitachi MicroDrive

So, it is much more common that a USB stick IS "Removable", but still it is very possible that a USB stick is "Fixed" (and thus possibly automatically indexed)

As a side note, and additionally, though it is of course the most normal case is that a USB stick is automounted to a drive letter at connection, if it is instead mounted to a mountpoint residing on a hard disk it should be indexed as well. ?

jaclaz

ReplyQuote

pbobby

(@pbobby)

Estimable Member

Joined: 16 years ago

Posts: 239

21/05/2013 9:17 pm

Minime

Have you tested how quickly the data in the EDB file is cleaned up/deleted when USB devices are disconnected from the machine?

Assuming a Windows OS, you won't be able to find a log of if or what's been copied. The only history information available in Windows is a fact that a certain USB device (with its unique ID) was connected at a certain time. /

Not necessarily true,although not a log, on Windows 7 computers the Windows.edb file may have indexed the pen drive and would show the filenames on the drive as well as the first time they were 'spotted' by windows.

Esedb viewer is a good tool for viewing the Windows.edb, although you may need to repair the database first. Can be done using esentutl.exe which is on Windows 7 system.
You would need to extract to MSS file and MSS00x files from the directory with windows.edb in as well as windows.edb file

Command line is esentutl.exe /r mss -d (i think)

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
291 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed