Please help File possibly copied to USB drive??

26 Posts
13 Users
0 Reactions
2,522 Views
(@consultit)
Active Member
Joined: 15 years ago
Posts: 14
Topic starter  

OK we have used FTK 3 and found evidence pertaining to a case we are working on. The thing of more importance is we have probably 150 files with timestamps from 845am until 848pm. There is no way that many documents could have been "accessed" during this time. We have looked in the registry but I was curious if we did a timeline or anything would it show what drive letter they were copied to etc etc?

Please advise, this is the bedrock to the case

(@jelle)
Trusted Member
Joined: 18 years ago
Posts: 52
 

You are not giving a great deal of information - which timestamp are you for example talking about and of what particular action are you trying to find evidence of? Which operating system (assuming a Windows flavour as there is a mention of the registry)? Etc etc.

As you are referring to 'accessing' of files I assume you mean the 'accessed' attribute. Regarding your 'no way that many documents could have been accessed': 150 documents in 12+ hours is not an incredibly large number (or did you mix am and pm and should it be 3 minutes?) - at least not large enough to state that there is 'no way' that they could have been accessed.

And did you check what the virus scanner (if any) does during a scheduled scan - maybe that 'touches' the file and changes the file attribute accordingly? In that case even 150 files in 3 minutes might not be a strange thing.

I think a little more info might help because my crystal ball is giving errors now 😉

(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

As Harlan has mentioned in another forum, please state the OS Version, including SP level.

Windows does not log file copying but there may be artefacts of this in the Windows registry (such as what might be caused by resizing the Window to view the contents of the device), as well as System Restore Points.

On the other hand, a few things have been known to change last accessed times besides copying (AV scans come to mind), so make sure that there aren't other files on the system in unsuspicious locations that do not show the same pattern of mass access on the same dates. Look also for programs run at the same time (check the registry and event logs, as well as any logs for backup devices, etc.)

What you will be left with is a circumstantial case, but you want to be sure that other explanations have been ruled out.

(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

How about try what you posted about a "timeline" and the results from it, and then people can help with a more educated response.

Not really sure what this statement is saying though…

"but I was curious if we did a timeline or anything would in show what drive letter they were copied to etc etc?"

(@consultit)
Active Member
Joined: 15 years ago
Posts: 14
Topic starter  

My apologies, I was leaving for an appointment and was in a hurry!

Have a situation with an employee who possibly copied over 150+ files from 845am to 849am. I said PM prior, sorry. At any rate, FTK is showing a last access time for most of these files within this tight time frame so my assumption would be they were copied to an external drive.

I have checked the registry and located a device under USBstor but it's showing a WD 320 SATA drive which I found odd unless this was like a free agent to go device?

Regardless, I was wondering if there is any way to do a timeline or do something to show that this individual did indeed copy these across knowing that they may be getting terminated? I have checked for .lnk files and haven't had much luck.

This is a Windows XP Professional, Service Pack 3 laptop.

Not all of the files in "my documents" show this access time but probably 70% of them do for both files and folders.

Assumption is this individual was tipped off by another employee and was copying documents across right after, but we want to be sure.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Have a situation with an employee who possibly copied over 150+ files from 845am to 849am. I said PM prior sorry. At any rate, FTK is showing a last access time for most of these files within this tight time frame so my assumption would be they were copied to an external drive.

Do you have anything to validate that?

I have checked the registry and located a device under USBstor but it's showing a WD 320 SATA drive which I found odd unless this was like a free agent to go device?

Okay, so, did you check the DeviceClasses subkey, and the MountPoints2 subkeys, to determine the most likely time that the device was most recently connected to the system?

Regardless, I was wondering if there is anyway to do a timeline or do something to show that this individual did indeed copy these across knowing that they may be getting terminated? I have checked for .lnk files and haven't had much luck.

When someone's copying files, there won't be .lnk files.

And the answer to your question, re timelines is, "of course". There are a number of ways to create a timeline of pertinent data. One would be using the SANS SIFT workstation and log2timeline; another would be using the tools that I've provided. However, I'm not sure how useful that would be to you.

(@dietro)
Trusted Member
Joined: 20 years ago
Posts: 51
 

When someone's copying files, there won't be .lnk files.

However, the folder in which the files are contained will be accessed, and thus a link file created.

So, if all the files in question are in C:\Hidden Files\Secret Stuff, then there will be a link file for the Secret Stuff folder, and its internal dates should line up with the dates of access of the files.

In addition to link files, review the Index.dat files for localhost records.

With all that said, going back to the OP, have you verified that there is not an active virus scanner? A malware scanner? And are any other files on the drive accessed just prior to, or just after the files in question?

FTR, the only definitive way to prove that files were copied to an external drive is to examine the external drive.

(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
 

However, the folder in which the files are contained, will be accessed, and thus a link file created

Are you sure about this? I've just run a quick test in XP Pro SP3, opening folders doesn't seem to create a .lnk file in my RecentDocuments. Opening a specific file in a specific folder does create a .lnk to the containing folder as well as to the file, but copying the file doesn't seem to create either.
I see we're both Newbies - any Seniors out there care to lend a hand?

(@dietro)
Trusted Member
Joined: 20 years ago
Posts: 51
 

That is interesting because I have seen it before on XP.

To the OP, another place to look to see what may have been on the external drive is the ShellBags. See the post on the SANS Blog here

http://blogs.sans.org/computer-forensics/2008/10/31/shellbags-registry-forensics/

(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Have a situation with an employee who possibly copied over 150+ files from 845am to 849am. I said PM prior sorry. At any rate, FTK is showing a last access time for most of these files within this tight time frame so my assumption would be they were copied to an external drive.

What other activity can you document occurred in that same time frame consistent with this hypothesis? This is going to be a circumstantial case, at best (unless you find the external device), so in the absence of affirmative evidence you'll need to eliminate all reasonable alternatives.

I have checked the registry and located a device under USBstor but it's showing a WD 320 SATA drive which I found odd unless this was like a free agent to go device?

Free Agent drives are usually identified as such, however, it is possible. Another possibility is something like the Thermaltake SATA shoe which is USB (or eSATA for newer versions), attached and allows you to attach internal SATA devices. When this is used, the USBSTOR records the drive details rather than the shoe details.

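An added example, not from any of the posters above: it puts the checks suggested in this thread into one script. It clusters last-accessed times from an FTK-style listing into bursts (the "150 files in four minutes" pattern), counts how many of the burst's files sit outside My Documents (a hint that a scanner rather than a user touched them), and lines each burst up against the LastWrite times of the USBSTOR, DeviceClasses and MountPoints2 keys keydet89 named. All paths, timestamps and key names are constructed for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
DOCS = "C:\\Documents and Settings\\jdoe\\My Documents\\"

# Constructed FTK-style listing of (path, last-accessed); values are invented.
FILE_LISTING = [
    (DOCS + "budget.xls", "2010-03-02 08:45:12"),
    (DOCS + "clients.doc", "2010-03-02 08:45:40"),
    (DOCS + "contracts\\acme.pdf", "2010-03-02 08:46:05"),
    (DOCS + "contracts\\beta.pdf", "2010-03-02 08:46:30"),
    (DOCS + "notes.txt", "2010-03-02 08:47:55"),
    (DOCS + "plan.ppt", "2010-03-02 08:48:50"),
    ("C:\\WINDOWS\\system32\\calc.exe", "2010-03-02 03:00:01"),  # overnight AV scan, not part of the burst
]

# Constructed LastWrite times for the keys the thread names; <placeholders> stand in for real serials/GUIDs.
KEY_LASTWRITE = {
    "SYSTEM\\ControlSet001\\Enum\\USBSTOR\\Disk&Ven_WDC&Prod_WD3200&Rev_1.0\\<serial>": "2010-03-02 08:44:30",
    "SYSTEM\\ControlSet001\\Control\\DeviceClasses\\<disk-class-guid>\\##?#USBSTOR#<instance>": "2010-03-02 08:44:31",
    "NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{<volume-guid>}": "2010-03-02 08:44:35",
    "NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{<old-guid>}": "2010-02-10 17:02:00",
}

def find_bursts(listing, gap=timedelta(seconds=90), min_files=5):
    """Cluster last-accessed times; a new cluster starts when consecutive events are more than `gap` apart."""
    events = sorted((datetime.strptime(t, FMT), p) for p, t in listing)
    bursts, cur = [], []
    for ts, path in events:
        if cur and ts - cur[-1][0] > gap:
            if len(cur) >= min_files:
                bursts.append((cur[0][0], cur[-1][0], [p for _, p in cur]))
            cur = []
        cur.append((ts, path))
    if len(cur) >= min_files:
        bursts.append((cur[0][0], cur[-1][0], [p for _, p in cur]))
    return bursts

def correlate(bursts, key_times, lead=timedelta(minutes=10)):
    """Per burst: files inside/outside My Documents, plus registry keys written within `lead` before or during it."""
    rows = []
    for start, end, paths in bursts:
        hits = sorted(k for k, t in key_times.items()
                      if start - lead <= datetime.strptime(t, FMT) <= end)
        inside = sum(p.startswith(DOCS) for p in paths)
        rows.append({"start": start, "end": end, "files": len(paths),
                     "in_my_documents": inside, "elsewhere": len(paths) - inside,
                     "device_keys": hits})
    return rows
```

Run `correlate(find_bursts(FILE_LISTING), KEY_LASTWRITE)` on a real listing exported from FTK and the key LastWrite times pulled from the SYSTEM and NTUSER hives; a burst with device keys written moments before it, and nothing outside the user's folders, is the corroboration the thread asks for, while a burst that also sweeps system32 points at a scanner.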
Page 1 / 3