Forensic software questions?

15 Posts
8 Users
0 Reactions
2,679 Views
bytethese
(@bytethese)
Active Member
Joined: 11 years ago
Posts: 12
 

I appreciate your snotty comment, but that's only because it's an assumption. You do not know me or know what I know or the experience I have.

Lol welcome to the Forensicfocus forums - the heavy hitters haven't even weighed in yet.

Unless some specific DLP software is installed, there are no definitive Windows artifacts that will show what, if anything, was transferred to USB removable media. People are going to come in here and suggest shellbags, jumplists, etc., but without a specific mechanism in place to record which files, file sizes, names etc. are being transferred, you can at best surmise that such a copy took place.

For printing - you'll need to get to print server logs. There is a local event log, Win7+ called PrintService (Admin and Operational) but unless a local/group policy has flipped that bit to track the data…

For email, your best bet is the email server logs, OST/PST/local email datastores, network traffic from your environment etc. If she took the laptop home and emailed from there, then you're looking at decoding browsing history, and that's almost 100% HTTPS for email services nowadays.

What about LNK files, assuming this is a Windows system being investigated? The LNK files, if any of the files were run from the target volume, will show metadata about the original files and what drive letter the files were launched from. Then you can see what drive letter was assigned by the system to a specific iSerial Number so that you can show that was the USB device used.

If this is a Mac, you would have to look into the journal a bit to see if you can correlate activity to the USBMSC entries in the system.log.

Regarding email, this is why I like using IEF for stuff like this, it can parse through the pagefile.sys and hiberfil.sys for artifacts of webmail.


   
ReplyQuote
(@mfino)
Active Member
Joined: 8 years ago
Posts: 14
Topic starter  

Thank you, guys. It is Windows and I can look for LNK files. The scan I ran with foremost did not find LNK files. There is also no share since this was just a remote computer for the user to use.


   
ReplyQuote
(@deltron)
Estimable Member
Joined: 11 years ago
Posts: 125
 

Have you used log2timeline yet?
https://digital-forensics.sans.org/media/log2timeline_cheatsheet.pdf

You can create a spreadsheet of the computer's activity and narrow it down based on dates, artifacts, etc.


   
ReplyQuote
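The narrowing-down step from the post above, as an added example (not from the thread or the plaso project): filter a log2timeline CSV export to a date window and a set of artifact sources, returning the rows oldest first plus a per-source count. The rows are constructed in the l2tcsv column layout; that your psort output uses the same header is an assumption, which is why columns are read by header name rather than position.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed timeline rows (l2tcsv header); only the columns the triage uses are meaningful.
TIMELINE_CSV = r"""date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
03/01/2017,17:02:11,UTC,MACB,LNK,Windows Shortcut,Creation Time,jdoe,WS01,E:\exports\report.xlsx,-,2,-,-,-,lnk,-
03/01/2017,17:01:40,UTC,M...,REG,Registry Key,Last Written,-,WS01,\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston,-,2,-,-,-,winreg,-
02/20/2017,09:15:00,UTC,MACB,LNK,Windows Shortcut,Creation Time,jdoe,WS01,C:\Users\jdoe\Documents\notes.txt,-,2,-,-,-,lnk,-
03/01/2017,17:05:30,UTC,.A..,FILE,NTFS $MFT,Last Access Time,-,WS01,C:\Users\jdoe\Recent\report.xlsx.lnk,-,2,-,-,-,mft,-
"""


def triage(csv_text, start, end, sources=None):
    """Rows inside [start, end] (optionally limited to sources), oldest first, and a source tally."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # l2tcsv keeps date and time in separate columns, formatted MM/DD/YYYY and HH:MM:SS.
        ts = datetime.strptime(row["date"] + " " + row["time"], "%m/%d/%Y %H:%M:%S")
        if start <= ts <= end and (sources is None or row["source"] in sources):
            rows.append((ts, row["source"], row["user"], row["short"]))
    rows.sort()
    return rows, Counter(src for _, src, _, _ in rows)


if __name__ == "__main__":
    window = (datetime(2017, 3, 1, 17, 0, 0), datetime(2017, 3, 1, 17, 10, 0))
    hits, tally = triage(TIMELINE_CSV, *window, sources={"LNK", "REG"})
    for ts, src, user, short in hits:
        print(ts.isoformat(), src, user, short, sep=" | ")
    print(dict(tally))
```

Widen the window and drop the `sources` filter once a USBSTOR write and an LNK creation line up within minutes of each other; the surrounding $MFT and registry rows are what turn a single hit into a narrative.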
(@mfino)
Active Member
Joined: 8 years ago
Posts: 14
Topic starter  

No, I have not used log2timeline yet. Is it on Kali or do I have to download it and install it? I will look for it after work today. Thank you for your help.


   
ReplyQuote
(@mjantal)
Eminent Member
Joined: 16 years ago
Posts: 49
 

No, I have not used log2timeline yet. Is it on Kali or do I have to download it and install it? I will look for it after work today. Thank you for your help.

Take a look at the SANS SIFT Workstation https://digital-forensics.sans.org/community/downloads which has installed/pre-configured several very useful open source tools, including log2timeline.


   
ReplyQuote
Page 2 / 2