Here is what I have found regarding this drive
DeviceDesc USB Mass Storage Device
location information USB-Sata Bridge
HardwareID USB\Vid_4971&Pid_ce15&rev_0100 usb
class USB
Service USBStor
The internal drive I have verified to another serial number obviously and it's accounted for. This drive is the questionable one. Doing research on Google it appears it could be an external hard drive that was used to possibly copy documents to, but as you did say it's circumstantial evidence.
If you run USBDeview, you'll find out when the USB drive was first plugged and a record created in the Registry. Most important, USBDeview will tell you when the device was last plugged - and also timestamp. If last plugged date is the same date as the date when the files were supposedly copied, you are getting close.
Whether you have a date match or not, look at the Cache. You may be able to find the locations the user visited to allegedly copy files.
Can you specify the location of the "Cache"? Also, if the user reportedly copied files to the ext USB drive, what locations are you referring to?
How would I go about doing this on an E01 image?
However, the folder in which the files are contained, will be accessed, and thus a link file created
Are you sure about this? I've just run a quick test in XP Pro SP3, opening folders doesn't seem to create a .lnk file in my RecentDocuments. Opening a specific file in a specific folder does create a .lnk to the containing folder as well as to the file, but copying the file doesn't seem to create either.
I see we're both Newbies - any Seniors out there care to lend a hand?
I wouldn't worry about the tag of Newbie, you have just reported back on a factual basis the results of some testing that you have done. That is one of the main ways that we can learn.
I would agree with your findings and these are replicated on my Vista machine. As Harlan also says, copying a file doesn't create a link file.
(The caveat being that is by copy and paste and drag and drop, if you were to open a file and then save as, in a different location that would be a different matter!).
H
OK we have used FTK 3 and found evidence pertaining to a case we are working on. The thing of more importance is we have probably 150 files with timestamps from 845am until 848[am]. There is no way that many documents could have been "accessed" during this time.
'access' in this context does not necessarily mean 'opened by the user'. It means opened as a file by software – at least in some cases.
For example in a very quick test, I found that the following operations, performed in order on a number of test text files, followed by a reboot, modify last access time stamp on a standard Win XP
Double-clicking on a file, and closing the Notepad window using the 'X'.
Right-clicking on another file, and selecting 'Print'
Right-clicking on yet another file, and 'Send to desktop'
However, dragging and dropping a single file (still another one) on A did not alter last access on the original file, nor did select, copy, followed by paste on A change the last access on the file on C .
So … if the files you mention are .TXT files, perhaps they were sent to a printer. or perhaps they were copied from the external unit to the disk where you found them. Or perhaps they were subjected to some other operations I haven't tested – say, dragged into a mail as attachment, selected and send to a WinRAR archive, or a DVD-writer, or … etc.
(I did test to scan one file with Microsoft's AV scanner, but it didn't alter anything.) Actually, I'd probably want someone else to follow my test protocol as well, just to make sure I'm not taking some odd shortcut here and there. And … I'd probably want to try to do all tests in one go, and also do all tests one by one with a reboot in between each. If there should be a difference, it is going to confuse things.
Exactly what operations should be tested probably depends on what tools and applications are on the system and the user account you are examining. Some of the tests should be done in the DOS window – others, perhaps from a Remote Console. And one test, probably performed separately, should be to just let the system alone for a week or so, no one touching it, and see if anything other than user action may change the last access time.
But perhaps I'm kicking in open doors.
In your case, I think you should formulate your scenario (what happened with these files), and try it out. Does it account for the timestamps and other artifacts you see or not?
Booting the laptop back up and letting it sit or whatever probably isn't a good idea with chain of custody, I would presume. With my inexperience maybe this is a wrong assumption? I have 3 copies of the image and the drive in the safe as well.
Additionally, I did a full data carve on the drive and the .lnk files are showing up with the times of 842am to 848pm like I mentioned previously. In addition it looks as if the USB drive that was thought to be plugged in around that time has a last written time (in registry) of 840am where the files have last accessed time of 842am to 848pm so I guess it probably shoots this scenario in the foot?
Any other thoughts?
Additionally, I did a full data carve on the drive and the .lnk files are showing up with the times of 842am to 848pm like I mentioned previously.
What link files? Where are they located? What is their contents?
In addition it looks as if the USB drive that was thought to be plugged in around that time has a last written time (in registry) of 840am where the files have last accessed time of 842am to 848pm so I guess it probably shoots this scenario in the foot?
Where are you looking in the registry to get the last written time for the external device?
These lnk files are pointed to the same directory as the document itself, for example, all of these documents are in My Documents. The lnk file relative path is pointed to this directory as well.
The registry location was
device classes (with the s/n of the USB external mass storage drive)
also Controlset001…Enum…USB…etc
Furthermore, the last written time in the registry is 84225am and the files along with lnk files in my documents start at 84233am and continue to 84912am. When I say files, there are a lot of files! Just over 400 Word Files, lots of pictures, PDF's all with similar time frame within this 7 minute time frame.
Additionally, not all of these My Documents files were accessed, probably 80% of them.
Where are the lnk files located? Documents and Settings/%userprofile%/Recent? Also, what is the creation date of the lnk files? Do they correspond to the last accessed date of the documents?
For example;
Do you have a "Documents and Settings/testuser/Recent/TestDoc.lnk" which was created at the same time as "Documents and Settings/testuser/My Documents/TestDoc.doc" was accessed?
If that is the case, then it is fairly strong evidence that the current user was opening these files. Personally I can't think of any program which runs in the background and changes not only the last accessed time but creates a lnk in the Recent directory.
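The correlation the last reply describes (a Recent\*.lnk created at the same instant its document was last accessed, with the USB key's last-written time sitting just before the activity window) can be checked mechanically once the timestamps have been exported from the image. The script below is an added example, not code from any poster or tool in the thread; the file paths and times are constructed to mirror the ones discussed, and the hardware-ID parser assumes the USB\Vid_xxxx&Pid_xxxx&Rev_xxxx layout shown earlier in the thread.

```python
import os
import re
from datetime import datetime, timedelta

# USB enumeration keys carry IDs of the form USB\Vid_4971&Pid_ce15&Rev_0100
HWID_RE = re.compile(r"USB\\Vid_([0-9A-F]{4})&Pid_([0-9A-F]{4})(?:&Rev_([0-9A-F]{4}))?", re.I)

def parse_hardware_id(hwid):
    """Split a USB hardware ID into vendor, product and revision (lower-case hex)."""
    m = HWID_RE.search(hwid)
    if not m:
        return None
    return {"vid": m.group(1).lower(), "pid": m.group(2).lower(), "rev": (m.group(3) or "").lower()}

def stem(path):
    """'.../Recent/TestDoc.lnk' -> 'testdoc', so the lnk can be matched to TestDoc.doc."""
    return os.path.splitext(os.path.basename(path))[0].lower()

def correlate_lnk_with_documents(doc_access, lnk_created, window=timedelta(seconds=5)):
    """Pair each Recent lnk with the same-named document when the lnk's creation time
    lies within `window` of the document's last-access time. Returns (lnk, doc, delta_s)."""
    by_stem = {}
    for doc, accessed in doc_access.items():
        by_stem.setdefault(stem(doc), []).append((doc, accessed))
    pairs = []
    for lnk, created in lnk_created.items():
        for doc, accessed in by_stem.get(stem(lnk), []):
            delta = abs((created - accessed).total_seconds())
            if delta <= window.total_seconds():
                pairs.append((lnk, doc, delta))
    return sorted(pairs)

def usb_written_before_activity(usb_last_written, doc_access):
    """True when the USB key's last-written time precedes the first document access."""
    return usb_last_written <= min(doc_access.values())

def t(hms):  # constructed timestamps on an arbitrary date
    return datetime(2009, 6, 1, *map(int, hms.split(":")))

# Constructed sample records (not from a real image), using the times quoted in the thread.
USB_LAST_WRITTEN = t("08:42:25")
DOC_ACCESS = {
    "Documents and Settings/testuser/My Documents/TestDoc.doc": t("08:42:33"),
    "Documents and Settings/testuser/My Documents/Photo1.jpg": t("08:45:10"),
    "Documents and Settings/testuser/My Documents/Notes.txt": t("08:49:12"),
}
LNK_CREATED = {
    "Documents and Settings/testuser/Recent/TestDoc.lnk": t("08:42:33"),
    "Documents and Settings/testuser/Recent/Notes.lnk": t("08:49:40"),  # 28 s off: not paired
}
```

Only TestDoc pairs up here; Notes.lnk falls outside the window and Photo1.jpg has no lnk at all, which is the kind of gap that would need a separate explanation.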