USB/CD Files copied logs

On a Windows system? XP?

A default install of XP does not store an historical log of files which a user has copied. lnk files may tell you if files have been accessed on a USB or CD drive though.

As noted, above, the default for drag and drop copy to CD using Microsoft Windows XP embedded cd burning does not not leave a log file, however, there may be evidence of the last burn recoverable from the CD Burning folder located in the user's profile (or in the Recycle Bin).

In addition, programs like Nero and Roxio do create log files. If there is evidence that one of these was used, I'd look more carefully.

As already noted .lnk files can tie in movements to USBs and CDs as they will give you a drive letter plus file name. Worth checking the Recent folder. Examining the appropriate Registry keys will also help verify your findings. Also usefully gives you the make and MAC addresses of any USB devices used (in most cases), plus dates, times etc.

Like seanmcl says, check out the CD Burning folder on XP
http//support.microsoft.com/kb/279157

Also, do what seanmcl says…check to see if there's any other CD/DVD burning software on the system, such as Sonic or Nero, and see what kind of logs or Registry keys may be accessible.

> Also usefully gives you the make and MAC addresses of any USB devices
> used (in most cases), plus dates, times etc.

USB devices don't have "MAC addresses".

Like seanmcl says, check out the CD Burning folder on XP
http//support.microsoft.com/kb/279157

Also, do what seanmcl says…check to see if there's any other CD/DVD burning software on the system, such as Sonic or Nero, and see what kind of logs or Registry keys may be accessible.

> Also usefully gives you the make and MAC addresses of any USB devices
> used (in most cases), plus dates, times etc.

USB devices don't have "MAC addresses".

Unless it's a USB Network Card D .

Unless it's a USB Network Card D .

You're correct, but that doesn't fit the context of the conversation…

Unless it's a USB Network Card D .

You're correct, but that doesn't fit the context of the conversation…

I know, was just razzin ya.

OK. Bad use of term.

I was, as I'm sure most people realised, referring to a USB device's particular identification number (eg. thumb drive) located under Disk&Ven key.

Still, so long as you guys are having fun…

I was, as I'm sure most people realised, referring to a USB device's particular identification number (eg. thumb drive) located under Disk&Ven key.

Ah, okay…the author of "Windows Forensic Analysis" refers to that value as the devices "unique identifier", and in many cases (such as when the second character is NOT a '&'), it is also the device's serial number, which can be found in the device's device descriptor (part of the firmware, not the memory area, of the device itself).

Referring to it as the "MAC address" can be confusing…

HTH,

h