Forensic noob here,
Working on a case (one of my first) where the client wants us to identify if a user copied any files to USB devices. We're using IEF and I've identified the USB devices that were plugged into the device but cannot figure out if any files were moved onto them. I've been navigating the software for a little while with no luck as to how I can locate this information.
Any help would be appreciated, thanks.
> Forensic noob here,
Then Welcome. :)
> Working on a case (one of my first) where the client wants us to identify if a user copied any files to USB devices. We're using IEF and I've identified the USB devices that were plugged into the device but cannot figure out if any files were moved onto them. I've been navigating the software for a little while with no luck as to how I can locate this information.
> Any help would be appreciated, thanks.
Unsurprisingly, this is a quite common/recurring topic, but also a rather "large" one, and your question lacks a number of (needed) details, basically and at the very least the OS and filesystems involved.
Do a Google search for
"files copied to usb site:www.forensicfocus.com"
(without the quotes) and you will find several threads revolving around the matter. Please do have a look at them, then if you have more specific questions, I am pretty sure that someone will be able and willing to answer them.
jaclaz
> Forensic noob here,
> Working on a case (one of my first) where the client wants us to identify if a user copied any files to USB devices. We're using IEF and I've identified the USB devices that were plugged into the device but cannot figure out if any files were moved onto them. I've been navigating the software for a little while with no luck as to how I can locate this information.
In addition to what's already been stated, I want to know why your supervisor/boss accepted this work to begin with.
> Forensic noob here,
> Working on a case (one of my first) where the client wants us to identify if a user copied any files to USB devices. We're using IEF …..
Do you want to make an IT forensic analysis or just fire up one of the well-known software suites? I cannot count how often I have analysed foreign memory dumps, disc images and USB devices *before* serving my first customer.
best regards, Robin
PS MFT
I am still curious as to why someone sat down across from a client and said, "yeah, we can do that for you…"…
It will still be a critical issue because hi-tech companies are concerned about their intellectual property and business secrets. They are willing to pay lots of money for lawsuits and forensics to get those suspects caught.
My suggestion is they should deploy a monitoring mechanism or content filter gateway. It will be easier to achieve their goals. The reason is the so-called "copy artifacts": if the suspect just copied files and folders onto external USB devices, and did not "touch" those files/folders on that USB device, there won't be any shellbag, jumplist or LNK artifacts associated with that copy event.
That's why it is difficult for forensic guys to identify whether files/folders were copied to external USB devices or not. All you know is that the suspect plugged in some external USB devices at that time, and then? Not sure what happened then.
You guys could take a look at my blog to see how a monitoring mechanism for the above issue works.
http//
> My suggestion is they should deploy monitoring mechanism or content filter gateway. It will be easier to achieve their goals.
I guess we got your idea by now :), still it won't in any way help the OP with the actual problem he posted about. Just to keep everything as together as possible:
http://www.forensicfocus.com/Forums/viewtopic/t=13543/
jaclaz
I can't agree more with you jaclaz. There is no easy way to solve this problem. But it's not the forensic guy's fault, nor the forensic tools' fault either. So my suggestion is, if you really want to know whether files/folders were copied to external USB devices or not, the best way is to deploy a monitoring mechanism or content filter gateway. Or you will always get only a few pieces of indirect evidence.
Of course Windows knew what happened at the time files/folders were copied to external USB devices, but Windows did not record this event or leave any audit logs about it. That's not the operating system's main task. Also, forensic tools cannot tell you an answer they cannot "see" on the evidence computers. That's what I want Corrsta to understand very clearly. Welcome to the real world.
> I can't agree more with you jaclaz. There is no easy way to solve this problem.
Look :), I know that I am getting older and particularly grumpy, but the WHOLE point is that the OP's problem is NOT "How can I log people copying files to USB devices?" (to which your "solution" may apply).
The problem in this thread is "Someone (supposedly) ALREADY copied some files to USB devices, how can I prove it/find traces of these events?"
The poster is NOT an IT administrator of a firm (you should propose your suggestion to the corporate IT guys, not to digital forensic investigators), he is a forensic investigator and has to work with the ALREADY EXISTING data he can find.
Since there is no specific built-in logging of the operations in the OS, all that can be found is - maybe, and it depends on the OS, the way files were copied, the filesystem, etc., etc. - some indirect evidence.
Still, a full timeline, connected devices, file access times, shellbag analysis, combined with other "external" sets of information (working times, accesses to the office or to the PC, camera recordings, eyewitnesses, etc.) might be enough for the scope of the investigation (or it may not).
jaclaz
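Added example, not code from any poster in this thread: a small Python script that does the timeline correlation jaclaz describes above (USB connection windows against file access times, LNK targets and shellbag paths), which is also the only kind of indirect evidence the earlier "copy artifacts" post says is available. Every serial number, path and timestamp below is constructed sample data; the input would normally come from a parsed setupapi log or registry keys and from MFT/LNK/shellbag parsers.

```python
"""Correlate USB-attached windows with file-activity timestamps.

Flags file activity that happened while a removable device was attached.
This is indirect evidence only: it shows opportunity and proximity in
time, not that a copy actually took place.
"""
from datetime import datetime, timedelta

# Constructed sample: (device serial, first connect, last disconnect).
USB_SESSIONS = [
    ("SAMPLE-SERIAL-0001", "2015-03-02T09:12:00", "2015-03-02T09:40:00"),
    ("SAMPLE-SERIAL-0001", "2015-03-03T17:55:00", "2015-03-03T18:05:00"),
]

# Constructed sample: (path, timestamp, artifact the timestamp came from).
FILE_EVENTS = [
    ("C:\\Users\\bob\\Documents\\pricing.xlsx", "2015-03-02T09:15:30", "MFT last access"),
    ("E:\\pricing.xlsx", "2015-03-02T09:16:02", "LNK target"),
    ("C:\\Users\\bob\\Documents\\memo.docx", "2015-03-02T14:00:00", "MFT last access"),
    ("E:\\projects", "2015-03-03T18:01:10", "shellbag"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def correlate(sessions, events, slack=timedelta(minutes=2)):
    """Return file events that fall inside a USB-attached window.

    `slack` widens each window to tolerate timestamp granularity (FAT
    stores 2 s resolution) and late disconnect records.
    """
    hits = []
    for serial, start, end in sessions:
        lo, hi = _ts(start) - slack, _ts(end) + slack
        for path, when, source in events:
            if lo <= _ts(when) <= hi:
                hits.append({"serial": serial, "path": path,
                             "time": when, "source": source})
    return sorted(hits, key=lambda h: h["time"])


def removable_paths(hits, letters=("E:", "F:")):
    """Hits whose path is on a removable drive letter (LNK targets and
    shellbags pointing at the device are the strongest indirect signs)."""
    return [h for h in hits if h["path"].upper().startswith(letters)]


if __name__ == "__main__":
    for h in correlate(USB_SESSIONS, FILE_EVENTS):
        print(h["time"], h["serial"], h["source"], h["path"])
```

Activity on the internal drive inside the window (here the MFT access on pricing.xlsx) is only circumstantial; the LNK and shellbag entries naming the E: volume are what you would actually put in the report, together with the external sources jaclaz lists.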
I agree, jaclaz…there are plenty of locations from which to gather indirect evidence and potentially provide insight into the answers being sought.
However, I would suggest that at that point, you're getting into an area of data interpretation that is beyond the scope of ability for the OP and his manager. I'm not trying to disparage the OP…nothing could be further from the truth. I still believe that this should never have been taken on or assigned to the OP…and that falls on the manager's shoulders.
Given the circumstances, the issue of data interpretation at this point is one that pushes this particular analysis outside the realm of the OP's experience.