Jelle - thanks very much for that!
Excellent, thanks Jelle.
The approach that Jonathan Grier presented at DFRWS last year (looking for patterns rather than direct artifacts) might be useful
Slides and paper. He will also present on this topic at Blackhat this year.
That is an interesting paper. He addresses the fact that Windows does not update the last accessed timestamp by claiming that Windows does update the last accessed timestamp. At least for Windows 7, I found this assertion to be inaccurate.
I did a quick test using Windows 7 running on an NTFS partition. Copying a folder to a USB drive did not update the last accessed timestamp on any of the files or the folder. I simply dragged the folder to the USB drive using Windows Explorer, much like most people would. Maybe this works on Windows XP, but I'm seeing less of Windows XP and more Windows 7.
The method probably works with *nix installations, including OS X, but I don't see it working for modern Windows installations unless Windows has been specifically configured to track last accessed time.
Here are a couple of other LNK parsing tools, one freeware (for research/personal use I think), and the other is free open-source. Looks like you could use either one of these to parse each volume and then quickly search the output.
http//
-or-
http//
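For the specific "did they open it from a removable drive?" question, here is a small LNK parser of my own (an added example, not one of the tools linked above, and not the project's code). It follows the public MS-SHLLINK layout: it reads the header timestamps and the LinkInfo volume block, and flags links whose target sat on a removable drive (DriveType 2). The sample .lnk it builds is constructed, as are the label, serial and path inside it; the Recent-folder path passed to find_removable_targets is an assumption.

```python
"""Minimal Windows Shell Link (.lnk) parser for the 'opened from a removable
drive?' question.  Added example, not one of the tools linked above.  Follows
the public MS-SHLLINK layout; only the header and LinkInfo are read, and only
the ANSI volume label / base path (Unicode offsets are ignored)."""
import glob
import os
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_FMT = "<I16sIIQQQIiIHHII"   # 76-byte ShellLinkHeader


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def _cstring(buf, off):
    """NUL-terminated ANSI string starting at offset `off`."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", errors="replace")


def parse_lnk(data):
    """Return the target's timestamps plus the volume the target lived on."""
    (hdr_size, clsid, flags, _attrs, ctime, atime, mtime, size,
     *_rest) = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {"target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_modified": filetime_to_datetime(mtime),
            "target_size": size, "drive_type": None,
            "volume_label": None, "volume_serial": None, "local_path": None}
    off = hdr_size
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the shell item ID list
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        base = off
        (_li_size, _li_hdr, li_flags, vol_off, lbp_off,
         _cnrl_off, suffix_off) = struct.unpack_from("<IIIIIII", data, base)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = base + vol_off
            (_vsize, dtype, serial, label_off) = struct.unpack_from("<IIII", data, vol)
            info["drive_type"] = DRIVE_TYPES.get(dtype, f"UNKNOWN({dtype})")
            info["volume_serial"] = f"{serial:08X}"
            info["volume_label"] = _cstring(data, vol + label_off)
            info["local_path"] = (_cstring(data, base + lbp_off)
                                  + _cstring(data, base + suffix_off))
    return info


def find_removable_targets(directory):
    """Scan a folder of .lnk files (e.g. an exported Recent folder; the path
    is an assumption) and return the ones whose target was on removable media."""
    hits = []
    for path in glob.glob(os.path.join(directory, "*.lnk")):
        with open(path, "rb") as fh:
            try:
                info = parse_lnk(fh.read())
            except (ValueError, struct.error):
                continue                          # not a usable LNK; skip it
        if info["drive_type"] == "REMOVABLE":
            hits.append((path, info))
    return hits


def build_sample_lnk():
    """Constructed .lnk: a spreadsheet opened from removable volume 'USBSTICK' (E:)."""
    label, local_path = b"USBSTICK", b"E:\\Reports\\Q3-budget.xlsx"
    volume_id = struct.pack("<IIII", 16 + len(label) + 1, 2, 0x1234ABCD, 16) + label + b"\x00"
    vol_off = 28                                  # LinkInfoHeaderSize without Unicode offsets
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(local_path) + 1
    link_info = (struct.pack("<IIIIIII", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                             vol_off, lbp_off, 0, suffix_off)
                 + volume_id + local_path + b"\x00" + b"\x00")
    idlist = struct.pack("<H", 2) + b"\x00\x00"   # empty IDList (terminator only)
    ft = datetime_to_filetime(datetime(2011, 11, 28, 22, 0, tzinfo=timezone.utc))
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID,
                         HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO, 0x20,
                         ft, ft, ft, 48213, 0, 1, 0, 0, 0, 0)
    return header + idlist + link_info


if __name__ == "__main__":
    rec = parse_lnk(build_sample_lnk())
    print(f"{rec['local_path']} on {rec['drive_type']} volume {rec['volume_label']} "
          f"({rec['volume_serial']}), target last accessed {rec['target_accessed']:%Y-%m-%d %H:%M}")
```

On a live Windows box the Recent folder lives under the user's AppData\Roaming\Microsoft\Windows\Recent; point find_removable_targets at an exported copy rather than the live folder. The volume serial and label let you tie the link back to a specific stick even when the drive letter was reused.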
Sidenote to Harlan – I never tire of reading your thoughtful responses to people's real-life practical problems.
very helpful, thanks for the links!
Happy to help out. I'm a big fan of using free tools (especially open source) to validate results.
That is an interesting paper. He addresses the fact that Windows does not update the last accessed timestamp by claiming that Windows does update the last accessed timestamp. At least for Windows 7, I found this assertion to be inaccurate.
This is a very important point. I looked at the presentation that was linked to, and had a hard time making heads-or-tails of what was being said. I went back through the paper again, and didn't see where the version of Windows being tested was specified. This would be very important, as Bulldawg has pointed out, because as of Vista, updating of file last access times was disabled by default. This applies primarily to normal user activity, such as opening and editing files, but seems to also apply to copying.
For example, I have a file in a folder on my C:\ drive (Windows 7), and using "dir /ta", I see that the file last access time (from the $STANDARD_INFORMATION attribute) is listed as "11/28/2011 10:00 PM". I copied (using the copy command at the command prompt) that file to another volume, and last access time of the resulting file is today's date, and the time at which I executed the copy command. However, the last access time of the file that was copied remains the same.
I did a quick test using Windows 7 running on an NTFS partition. Copying a folder to a USB drive did not update the last accessed timestamp on any of the files or the folder. I simply dragged the folder to the USB drive using Windows Explorer, much like most people would. Maybe this works on Windows XP, but I'm seeing less of Windows XP and more Windows 7.
Agreed, I see similar behavior.
I would suggest that one of the few means for detecting copies is if the user opened the file after copying it to the USB drive. You'd likely have a LNK file in the Recents folder, a Jump List entry for the application, and, depending upon the application itself (MS Word, etc.), several Registry entries.
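A repeatable version of the copy test described above, as an added example (my own script, not the poster's): it plants a known last-access time on a file, copies it the way the command-prompt copy does (content only, no metadata), and reports whether the source file's last-access time changed and whether the copy got a fresh one. Whether the source updates depends on the OS and, on Windows, on the NtfsDisableLastAccessUpdate registry value the script reads; on Linux with relatime the source will usually update because the planted time is more than a day old. The planted timestamp is constructed to match the "11/28/2011 10:00 PM" figure above, taken as UTC.

```python
"""Repeatable version of the last-access copy test (added example, not the
poster's own script).  Plants a known last-access time, copies the file the
way `copy` at a command prompt does (data only), and reports what changed."""
import os
import shutil
import sys
import tempfile
import time
from datetime import datetime, timezone


# HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate:
# bit 0 set   -> NTFS leaves last-access times alone (the default since Vista)
# bit 0 clear -> NTFS updates them on access (the XP default)
def interpret_last_access_setting(value):
    return "disabled" if value & 1 else "enabled"


def read_windows_setting():
    """Registry value on Windows; None elsewhere (the experiment still runs)."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\FileSystem") as key:
        value, _ = winreg.QueryValueEx(key, "NtfsDisableLastAccessUpdate")
    return value


# Constructed timestamp matching the "11/28/2011 10:00 PM" in the post (taken as UTC).
PLANTED = datetime(2011, 11, 28, 22, 0, tzinfo=timezone.utc)


def run_copy_experiment(workdir=None):
    """Create, stamp, copy; return the before/after last-access times."""
    workdir = workdir or tempfile.mkdtemp(prefix="atime-test-")
    src = os.path.join(workdir, "source.txt")
    dst = os.path.join(workdir, "copied.txt")
    with open(src, "w") as fh:
        fh.write("constructed sample content\n")
    planted = PLANTED.timestamp()
    os.utime(src, (planted, planted))        # set last-access and last-write explicitly
    before = os.stat(src).st_atime
    started = time.time()
    shutil.copyfile(src, dst)                # content only, no copystat: like `copy`
    after = os.stat(src).st_atime
    dest = os.stat(dst).st_atime
    return {
        "planted": planted,
        "source_before": before,
        "source_after": after,
        "dest": dest,
        "source_updated": after != before,   # True only if the OS updates atime on read
        "dest_is_fresh": dest >= started - 1, # new file always gets a current timestamp
    }


def fmt(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    setting = read_windows_setting()
    if setting is not None:
        print(f"NtfsDisableLastAccessUpdate = {setting} -> "
              f"last-access updates {interpret_last_access_setting(setting)}")
    r = run_copy_experiment()
    print(f"source before copy: {fmt(r['source_before'])}")
    print(f"source after copy:  {fmt(r['source_after'])}  (updated: {r['source_updated']})")
    print(f"copied file:        {fmt(r['dest'])}")
```

Run it on the same Windows 7 box with updates left at the default and the source line stays at the planted time while the copy shows the current time, which is exactly the result reported above; flip the registry value (and reboot) and the source line moves too.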
keydet,
Thanks for chiming in.
I've had some non-technical people come to me with this paper thinking they've found the holy grail of data theft forensics, so this continues to be a bit of a thorn in my side since I have to explain to them why this doesn't work.
I'm going to do some more research to verify, but I don't think Mr. Grier's method works on modern Windows installations. I wish it did.
Good discussion so far :)
Based on section 2, I think the testing in the paper was done using Windows XP. It seems the paper does recognize (in section 9) the limitations in newer versions of Windows - even quoting prior work from a certain 'Carvey' 😉
Fully agree with the observed shortcomings of the method. In general I still very much like the approach of not looking only at an individual artifact but also at wider trends/patterns - but surely not the holy grail to the 'find evidence button' (yet?)…