
Mounted Devices

20 Posts
8 Users
0 Reactions
1,412 Views
 dcso
(@dcso)
Eminent Member
Joined: 19 years ago
Posts: 31
 

> And you can say that about pretty much anything

True, but we're not asking him to scour the internet for a written confession. If you've got nothing else, I think looking at .lnk files could be beneficial.

> Sure, you'd get the path with the filename, but that isn't what the OP asked; ie, "…is there anyway now to try and see what may have been copied off of the target computer…"

So… if the path shows anything other than local drive, wouldn't that be a clue the file was copied off somewhere? I know it's not the direct route he was looking for, but I'd say it was a start.

But you're right, in this case I guess I am assuming that the filenames would stand out as being obvious that they shouldn't have been seen anywhere other than the local drive.


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> …wouldn't that be a clue the file was copied off somewhere?

Not necessarily. Windows doesn't record or log file copies or moves. Having a shortcut with the file name and a path pointing to an external device isn't a definite indicator that the file was copied to or from that device…it could be an entirely different file altogether.

One thing you could do is use the file MAC times recorded within the LNK file to say that it was _possible_ that the file was copied *and then opened* (ie, MS has a KB article that thoroughly describes the changes to file MAC times during moves and copies across and between file systems), but you'd still be left with the question of, is this the same file? Without the device itself, or even so much as a file hash, you are going to have trouble proving this.

> …in this case I guess I am assuming…

Well, I'd suggest that there's more than that being assumed. The OP asked about logs of files being copied…while it's a good idea to point out that *IF* the suspect opened the file before or after the copy, there *may* be an LNK file available, I don't think I'd necessarily start there. If you do, it sounds like you're trying to say that LNK files are created via the act of copying, rather than opening, the file.

That is not to say that under the right circumstances, LNK files aren't excellent sources of data (or evidence)…they are.

H


   
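keydet89's point above, that a LNK file carries the target's MAC times and a path on some volume but is not a record of a copy, can be seen directly in the file format. The following is an added example, not code from the thread: a parser for the ShellLinkHeader and the LinkInfo/VolumeID structures of a .lnk file, run against a constructed sample shortcut whose target sits on a removable volume. The `copy_indicator` check (creation time later than last-write time) follows the MAC-time behaviour of copies that the post refers to, and as the post says it only suggests the target may itself be a copy, not where it came from or whether it is the same file.

```python
"""Pull the target's embedded MAC times and volume details out of a Windows .lnk file.

Added example (not from the thread): parses the ShellLinkHeader and LinkInfo/VolumeID
structures of the MS-SHLLINK format. The sample .lnk bytes below are constructed here.
"""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bits
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None when zero."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def _cstring(buf, off):
    """Read a NUL-terminated single-byte string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return the target's MAC times, size and (if present) volume/path information."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": size,
        "drive_type": None, "volume_serial": None, "volume_label": None, "local_base_path": None,
    }
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:   # skip the ItemIDList; this example does not decode it
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:
        li = off
        _li_size, _li_hdr, li_flags, vol_off, lbp_off = struct.unpack_from("<IIIII", data, li)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vid = li + vol_off
            _vid_size, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vid)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, f"TYPE_{drive_type}")
            info["volume_serial"] = f"{serial:08X}"
            if label_off != 0x14:  # 0x14 means a UTF-16 label at a separate offset; not handled here
                info["volume_label"] = _cstring(data, vid + label_off)
            info["local_base_path"] = _cstring(data, li + lbp_off)
    return info


def is_external_target(info):
    """True when the LNK records the target on something other than a fixed local disk."""
    return info["drive_type"] in ("REMOVABLE", "REMOTE", "CDROM")


def copy_indicator(info):
    """True when the target's creation time is later than its last-write time.

    A file copied to a new volume gets a fresh creation time but keeps its modification
    time, so created > modified is consistent with the target itself being a copy. It is
    an indicator only: it says nothing about where the file came from.
    """
    c, m = info["target_created"], info["target_modified"]
    return bool(c and m and c > m)


def build_sample_lnk():
    """Constructed test data: a minimal .lnk pointing at a spreadsheet on removable volume E:."""
    def ft(dt):
        return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000
    modified = datetime(2008, 3, 10, 9, 15, 0, tzinfo=timezone.utc)
    created = datetime(2008, 3, 12, 13, 58, 0, tzinfo=timezone.utc)  # later than modified: a copied file
    accessed = datetime(2008, 3, 12, 14, 2, 30, tzinfo=timezone.utc)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         ft(created), ft(accessed), ft(modified), 48128, 0, 1, 0, 0, 0, 0)
    label = b"KINGSTON\x00"
    base_path = b"E:\\Projects\\Q4_Financials.xls\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 2, 0x1A2B3C4D, 16) + label  # 2 = DRIVE_REMOVABLE
    vol_off = 28                        # LinkInfoHeaderSize without the Unicode offsets
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(base_path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, lbp_off, 0, suffix_off)
    return header + link_info + volume_id + base_path + b"\x00"


if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    for key, value in parsed.items():
        print(f"{key:16} {value}")
    print("external target:", is_external_target(parsed), " copy indicator:", copy_indicator(parsed))
```

Against a real shortcut, `parse_lnk(open(path, "rb").read())` gives the same dictionary; a REMOVABLE drive type with an `E:` base path shows the user opened a file that was on that volume at the time, which is exactly the "accessed, not copied" distinction the thread is drawing.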
Alan
(@alan)
Trusted Member
Joined: 20 years ago
Posts: 53
 

> > Look for .lnk files
>
> And what would that accomplish? I've tried drag-and-drop, 'copy' and 'move' commands, etc., and I don't see any LNK files created as the result of copying files from a system to a thumb drive (which is what Matt is asking about).

Keydet89,

You are correct in saying that copying files, etc., does not create LNK files, but if you copy files to a USB thumb drive and then open one of the files on the device, Windows will create a link file on the computer. A lot of users open files to see if they copied correctly, so it's always good to look just in case.

A


   
 kern
(@kern)
Trusted Member
Joined: 20 years ago
Posts: 67
 

Alan et al., it still doesn't prove the files were copied out.

I would still like to be able to prove that certain documents were copied out.

read "prove"

If it's any use to the OP, I've found links before now that show files on an external hard drive have been accessed from the PC in question. I'd agree that this was useful in ascertaining an external device was accessed, and then, having found an external device with the same criteria, corroborating evidence led us to a certain person.

Now, here I'm with keydet on this one.
It did not, however, *prove* that the files were copied out from that PC, only that they were accessed. It turned out that the file names matched those stored on another PC altogether. A third-party device was used to keep a portable copy.
If we had sought to *prove* the person on the acquired PC copied them out, via a LNK, we would have been wrong. The actual file originator turned out to be the netadmin using someone else's PC and login and a portable drive as his … uuuuh … "stash" to show other ppl. Useful, yes. Proof of transfer, no.

kern


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Alan,

> …if you copy files to a usb thumb drive and then open one of the files on
> the device windows will create a link file on the computer.

Right. Exactly. 100% correct. But again, that's not what the OP asked:

"…but is there anyway now to try and see what may have been copied off of the target computer onto this ext HDD?"

It's a nice piece of information to have and to know, though.

> …A lot of users open files…

I have yet to see this. Most times, I've seen where users open Windows Explorer to see that the file is there, but I have yet to see where they've opened the file itself on the thumb drive to see if the entire contents were copied over. But that's just my experience.


   
(@bluedragon)
Trusted Member
Joined: 18 years ago
Posts: 60
 

> As far as determining the Serial #, I used USBDeview and just added a command line of "USBDeview.exe /regfile "d:\windows\system32\config\SYSTEM"".. worked like a charm.

Hi Matt, I found this application very useful. I need to find out what was mounted on an EnCase image file; is it possible?

If possible, can you advise on how to do it?


   
Alan
(@alan)
Trusted Member
Joined: 20 years ago
Posts: 53
 

> Now, here I'm with keydet on this one.
> It did not, however, *prove* that the files were copied out from that PC, only that they were accessed. It turned out that the file names matched those stored on another PC altogether. A third-party device was used to keep a portable copy.
> If we had sought to *prove* the person on the acquired PC copied them out, via a LNK, we would have been wrong. The actual file originator turned out to be the netadmin using someone else's PC and login and a portable drive as his … uuuuh … "stash" to show other ppl. Useful, yes. Proof of transfer, no.

I agree, but it's a starting point. If you can link the drive letter to the serial number of the USB device in USBSTOR, then you can say that the file existed on that device. BUT you would need to know that the device belonged to the suspect.

A


   
(@mattsrobertson)
New Member
Joined: 18 years ago
Posts: 4
Topic starter

bluedragon,

As far as I know, you cannot use USBDeview on image files. However, if you open up EnCase and extract the appropriate file out, you should be able to use the same command line I did for accessing the external file.

While in EnCase, navigate to "Windows\System32\config" on the suspect hard drive. You are looking for a file called "system" or "SYSTEM". It will have no extension; do not get it confused with the system.txt or system.sav files.

Extract the "system" file to anywhere on your local computer, thumb drive, wherever is most convenient.

Once this is complete, open up a command prompt. Change the active directory to one containing 'usbdeview.exe'. Be sure you know the location where you placed the 'system' file. Please note that the quotes are necessary when pointing to the external system file.

usbdeview.exe /regfile "C:\folder\case files\system"

Obviously sub in the path of the file as seen above to the one where the system file is stored.

This, if done correctly, will pull up a list of all of the USB devices connected to that drive. Please advise if you have troubles with this solution. Good Luck.

Matt


   
(@bluedragon)
Trusted Member
Joined: 18 years ago
Posts: 60
 

Matt,

Is cool, I tried what you taught me and it's working. Thanks a lot.

BlueDragon


   
(@jkozera)
Active Member
Joined: 18 years ago
Posts: 11
 

> Okay, but that's the really easy part. Remember, you asked "…is there anyway now to try and see what may have been copied off of the target computer". So, try it. Copy some files off a system onto a thumb drive. See any "evidence" created? Shortcut files? How about if you run FileMon at the same time…see anything that looks like a log being created?
>
> H

Has anyone looked into running tests in a sandboxed environment and examining the contents of the sandbox afterwards? In this particular case, the shell may be run sandboxed. After copying is conducted, the sandbox may be looked into. It should hold all data written to the hard drive - i.e. temp files, registry keys, and the actual data.
How reliable is this sort of analysis?


   
Page 2 / 2