Questions I

(@buchi29)
Posts: 5
Active Member
Topic starter
 

I am new to Forensics and was wondering if anyone knows the answer to these questions:

1. You have a custodian and they copied some information to an external drive but you are not sure which external drive it is on and they gave you 5 ext drives and 1 thumb drive… In EnCase, how can you tell which drive the data was copied to by a specific person?

2. You are doing a copy from laptop to laptop and you need to find exactly what ext drive the data was copied to, but without EnCase, how can you tell where the data was copied to and by whom?

Thanks
B

 
Posted : 28/04/2009 10:43 pm
(@bithead)
Posts: 1206
Noble Member
 

1. What files did they give you on the drive? If it is just some "generic" copy of files I see no way to tell where the files came from or who copied them to the drive.

2. Can you look at the source laptop?

 
Posted : 29/04/2009 6:07 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Both questions appear to be the same, albeit one is using EnCase and the other isn't.

File copy operations are not logged by most major operating systems. You can tell which of the ext HDDs had been connected to a system and when, but if all they did was copy (did not view the files once they had been copied to the external media), there is really no way to tell from just the host system which files were copied.

What you'd need to do is perform a timeline analysis of the data on the host system, as well as on each ext HDD. From there, match up filenames based on sizes and hashes, and examine the MAC times (and other file times, based on the file system used) and attempt to determine the source and destinations of the files in question.

HTH,

h

 
Posted : 29/04/2009 7:11 am
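
The matching step keydet89 describes, sketched as an added example that is not part of the original thread: it pairs files on the host and on one external drive by size and SHA-256 and lists their modified times side by side. It assumes both volumes (or their images) are mounted read-only at the given paths; `match_copies`, `stat_tree` and `sha256_of` are hypothetical helper names.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large evidence files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def stat_tree(root):
    """Return [(relative path, stat_result)] for regular files under root."""
    out = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                out.append((os.path.relpath(full, root), os.stat(full)))
    return out

def match_copies(host_root, ext_root, mtime_slack=2):
    """Pair files with identical size and SHA-256; report times side by side.
    mtime_slack=2 allows for FAT's 2-second modified-time resolution."""
    host, ext = stat_tree(host_root), stat_tree(ext_root)
    shared = {s.st_size for _, s in host} & {s.st_size for _, s in ext}
    by_key = defaultdict(list)
    for rel, st in host:  # hash only sizes that occur on both sides
        if st.st_size in shared:
            by_key[(st.st_size, sha256_of(os.path.join(host_root, rel)))].append((rel, st))
    matches = []
    for rel, st in ext:
        if st.st_size not in shared:
            continue
        key = (st.st_size, sha256_of(os.path.join(ext_root, rel)))
        for hrel, hst in by_key.get(key, []):
            matches.append({"host": hrel, "ext": rel, "size": st.st_size, "sha256": key[1],
                            "host_mtime": hst.st_mtime, "ext_mtime": st.st_mtime,
                            "mtime_preserved": abs(hst.st_mtime - st.st_mtime) <= mtime_slack})
    return matches

if __name__ == "__main__":
    # Constructed sample: two temp directories stand in for read-only mounts.
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as ext:
        for root, name, data in [(host, "plan.doc", b"Q3 plan"), (ext, "copy.doc", b"Q3 plan"),
                                 (ext, "other.txt", b"unrelated")]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        for m in match_copies(host, ext):
            print(m)
```

Run it once per external drive. A hash match shows identical content, not who copied it or in which direction, so the times still have to be read against the full timeline.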