log2timeline / file copy activity question

clhforensics
(@clhforensics)
Posts: 5
Active Member
Topic starter
 

I recently used SIFT and log2timeline on a Windows 7 Enterprise hard drive for an investigation into internal Intellectual Property (IP) theft. In my timeline, I isolated a group of 30 files that may have contained IP data, all of which shared an M (modified) time of 8:37 am on 1/11/15. What's strange about those files is that they are spread across 2 different file shares.

Although there is no indication that the individual in question had rights to copy files to USB from their local workstation (because of a group policy lockdown), there seems to be something significant about this, but I cannot put my finger on it. My gut is telling me that a copy action is involved, but with no webmail or USB activity visible in the timeline or on disk, I don't know where to look so that I can prove that.

Has anyone had the same experience or know anywhere else on the drive to find other pieces that can tell the story?

Thanks in advance

 
Posted : 11/08/2015 11:38 pm
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

A bunch of files with last modification times that coincide doesn't necessarily indicate a file copy operation. In fact, on WinXP, I'd be more interested in files with last accessed times that were close, not last modification times. Files being modified doesn't indicate a copy operation…it may indicate something else, though. It would really depend on what else is in your timeline.

By default, Windows systems don't 'record' file copy activity. I'd suggest that looking at last modification times is the wrong trail to go down.

 
Posted : 07/11/2015 5:02 pm
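One way to act on the advice above (a cluster of matching M times is a lead, not proof, and what matters is what else sits in the same window of the timeline) is to script the triage step. The following is an added example written for this thread, not code from either poster or from log2timeline: it takes timeline rows in a simplified, constructed (timestamp, MACB, source, path) shape that is an assumption and not log2timeline's real l2tcsv column layout, clusters file events that share a given MACB attribute within a short window, and then lists the non-filesystem events (LNK, registry and so on) that fall around that cluster for corroboration. The sample rows are constructed and are not case data.

```python
"""Added example: cluster a timeline by MACB attribute and pull in other
event sources from the same window (illustration, not log2timeline code)."""
from datetime import datetime, timedelta

# Constructed sample rows (timestamp, MACB flags, source, path). The column
# layout is an assumption made for this example, not log2timeline's format.
SAMPLE_ROWS = [
    ("2015-01-11 08:37:02", "M...", "FILE", r"\\fs01\projects\design_a.docx"),
    ("2015-01-11 08:37:02", "M...", "FILE", r"\\fs01\projects\design_b.docx"),
    ("2015-01-11 08:37:03", "M...", "FILE", r"\\fs02\rnd\spec_v3.pdf"),
    ("2015-01-11 08:37:05", "M...", "FILE", r"\\fs02\rnd\spec_v4.pdf"),
    ("2015-01-11 08:37:05", ".A..", "FILE", r"C:\Users\user\Desktop\notes.txt"),
    ("2015-01-11 08:36:58", "....", "LNK", r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\spec_v3.lnk"),
    ("2015-01-11 08:38:10", "....", "REG", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"),
    ("2015-01-11 14:00:00", "M...", "FILE", r"C:\temp\unrelated.log"),
]


def parse_rows(rows):
    """Turn raw tuples into dicts with a real datetime, sorted by time."""
    events = []
    for ts, macb, source, path in rows:
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "macb": macb,
            "source": source,
            "path": path,
        })
    return sorted(events, key=lambda e: e["ts"])


def share_of(path):
    """Return the UNC share (\\\\host) or drive letter a path lives on."""
    if path.startswith("\\\\"):
        return "\\\\" + path[2:].split("\\", 1)[0]
    return path.split("\\", 1)[0]


def cluster_by_attribute(events, attr, window_seconds=60, min_size=2):
    """Group FILE events carrying MACB letter `attr` ('M', 'A', 'C' or 'B')
    into clusters where consecutive timestamps are at most window_seconds
    apart. Clusters smaller than min_size are dropped as noise."""
    flagged = [e for e in events if e["source"] == "FILE" and attr in e["macb"]]
    clusters, current = [], []
    for e in flagged:
        if current and (e["ts"] - current[-1]["ts"]).total_seconds() > window_seconds:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(e)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def summarise_cluster(cluster, events, pad_seconds=120):
    """Describe a cluster and list the non-FILE events (LNK, REG, ...) that
    fall within pad_seconds of it; those are what can corroborate or
    contradict a guess about what produced the matching timestamps."""
    start = cluster[0]["ts"] - timedelta(seconds=pad_seconds)
    end = cluster[-1]["ts"] + timedelta(seconds=pad_seconds)
    corroborating = [
        (e["source"], e["path"])
        for e in events
        if e["source"] != "FILE" and start <= e["ts"] <= end
    ]
    return {
        "start": cluster[0]["ts"],
        "end": cluster[-1]["ts"],
        "count": len(cluster),
        "shares": sorted({share_of(e["path"]) for e in cluster}),
        "corroborating": corroborating,
    }


if __name__ == "__main__":
    evts = parse_rows(SAMPLE_ROWS)
    for attr in ("M", "A"):
        for c in cluster_by_attribute(evts, attr):
            s = summarise_cluster(c, evts)
            print(f"{attr}-time cluster: {s['count']} files on {s['shares']} "
                  f"between {s['start']} and {s['end']}")
            for source, path in s["corroborating"]:
                print(f"  nearby {source}: {path}")
```

Run against the constructed rows it reports one M-time cluster of four files spanning two shares, with a LNK and a registry event nearby, and no A-time cluster at all. The point of the output is the second half: the file cluster on its own says only that something touched those files together, and it is the surrounding LNK, registry, event-log and similar entries that let you argue what that something was.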