USB devices and LNK files

8 Posts
3 Users
0 Reactions
2,540 Views
 Rong
(@rong)
Active Member
Joined: 19 years ago
Posts: 15
Topic starter  

I have a case I am working on that has me stumped, so I am looking for some fresh insight to my problem.

Let me first start by saying this is in a corporate environment so a network will come into play and Microsoft XP machines. We have recently installed a "home grown" service on all our corporate machines that detects when a USB device is plugged in and then proceeds to make an encrypted copy of all files that are on the USB device and dumps them to a folder in the root directory of Windows. Along with that nifty feature we also receive an email notification of the box name, user id that is logged in and the file name being copied.

I have acquired a forensic image of a machine and am now using EnCase to find evidence of files being copied on the machine.

On 2/13 and 2/14 we had a user plug in a Lexar USB thumb drive…I found in the registry that this drive was given the letter E:\. The user then went to a drive on the network and copied about 230MB of data to the E drive. Now here is where I am having a problem….I can find no instances of an E drive (other than in the registry) or these files anywhere on the machine. All .lnk files in the Recent folder only show a timestamp of 2/15-2/16. Searching unallocated has not revealed anything from 2/13 or 2/14 either. I find it odd that the .lnk files in the Recent folder only go back to 2/15.

So my assumption is that when a user does a "Copy to Folder" from a network drive directly to a USB device that a .lnk file will not be created or any other type of logging…..am I totally off base here?

Any suggestions on where else I can look to find this type of info?

Thanks,
Rong


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Rong,

I'm not sure what it is you're expecting to find with regards to copied files.

Perhaps a better way to address this is…can you identify the artifacts left by copying files? If so, what are they?

Thanks,

Harlan


 Rong
(@rong)
Active Member
Joined: 19 years ago
Posts: 15
Topic starter  

> Perhaps a better way to address this is…can you identify the artifacts left by copying files?

I guess this is what I am having difficulty with….I am not finding any artifacts left by copying whatsoever and I don't know why.

I don't expect to find a full text version of the copied file but I would think there would be a .lnk file or some other trace that a file copy was done. I have found .lnk files in Unallocated pointing to the network drive that shows the path of a file which was copied but no indication it went to a drive E.


_nik_
(@_nik_)
Trusted Member
Joined: 19 years ago
Posts: 93
 

> I don't expect to find a full text version of the copied file but I would think there would be a .lnk file or some other trace that a file copy was done.

Nope. The files never hit the local drive.
Lnk files usually get created if the docs are opened.
Seems the user did not open the files, only copied them.

Too bad that your "home grown" tool did not monitor files being copied TO the USB drive and copy those as well……..


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Rong,

> I guess this is what I am having difficulty with….I am not finding any
> artifacts left by copying what-so-ever and I don't know why.

Well, I'm not sure how to approach this…but what makes you assume that there *are* any artifacts? There's a lot of activity that goes on within Windows that isn't recorded by default.

> I don't expect to find a full text version of the copied file but I would
> think there would be a .lnk file or some other trace that a file copy was
> done.

I'm still at a loss to understand this…while some activities (ie, launching an application, etc.) are recorded in various locations, there is nothing that I'm aware of that specifically points to a file being copied. I've used the 'copy' command at the command line and not seen any forensic artifacts of that activity. Similarly, with drag-n-drop copying of files, as well.

I may be wrong about this, but if you're aware of a specific artifact that can be tied to copying a file, please share it.

> I have found .lnk files in Unallocated pointing to the network drive that
> shows the path of a file which was copied but no indication it went to a
> drive E.

A .lnk file may show that the file was opened…why do you say it was copied? What data is there to support that finding?

I think that the issue here may not be one of the existence of an artifact, but rather one of data to support an assumption.

MS does provide some useful information regarding timestamps when copying files:
http://support.microsoft.com/?kbid=299648

Even so, if you want to determine if a file was copied from a system to a thumb drive, you would need images of both devices, and then hash the file in question, and compare MAC times.

Please, let us know if there's anything else that we can do to assist.

Thanks,

Harlan


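The hash-and-compare approach Harlan describes above (image both devices, hash the files, compare MAC times), as an added worked example that is not part of the thread. It takes file records exported from the two images rather than the images themselves, and the paths, dates and file contents are constructed samples; the timestamp rule it applies is the one in KB 299648: a Windows copy keeps the source's last-modified time and receives a new creation time.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class FileRecord:
    """One file exported from an image: where it sat, what it contained, when."""
    path: str
    sha256: str
    modified: datetime   # last-write time (UTC)
    created: datetime    # creation time (UTC)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify(orig: FileRecord, copy: FileRecord) -> str:
    """Judge whether a hash-matched pair's timestamps fit a Windows file copy:
    the copy keeps the source's modified time and gets a fresh creation time."""
    if copy.modified != orig.modified:
        return "content matches but modified times differ; copy not corroborated"
    if copy.created < orig.created:
        return "modified time preserved but USB creation time predates source"
    return "consistent with a copy: modified time preserved, newer creation time"

def correlate(source: list, usb: list) -> list:
    """Match files across the two evidence sets by SHA-256 and classify each pair."""
    by_hash = {}
    for rec in source:
        by_hash.setdefault(rec.sha256, []).append(rec)
    return [(orig, copy, classify(orig, copy))
            for copy in usb for orig in by_hash.get(copy.sha256, [])]

def demo() -> list:
    """Constructed sample records standing in for exports from both images."""
    utc = timezone.utc
    plan = sha256_hex(b"Q1 roadmap (constructed sample content)")
    memo = sha256_hex(b"internal memo (constructed sample content)")
    source = [  # hypothetical network share, exported from the server side
        FileRecord(r"\\fileserver\projects\roadmap.doc", plan,
                   datetime(2008, 1, 30, 9, 15, tzinfo=utc), datetime(2008, 1, 30, 9, 0, tzinfo=utc)),
        FileRecord(r"\\fileserver\projects\memo.doc", memo,
                   datetime(2008, 2, 1, 11, 0, tzinfo=utc), datetime(2008, 2, 1, 10, 50, tzinfo=utc)),
    ]
    usb = [     # hypothetical export of the thumb drive image (drive letter E:)
        FileRecord(r"E:\roadmap.doc", plan,
                   datetime(2008, 1, 30, 9, 15, tzinfo=utc), datetime(2008, 2, 13, 14, 22, tzinfo=utc)),
        FileRecord(r"E:\memo.doc", memo,
                   datetime(2008, 2, 13, 14, 25, tzinfo=utc), datetime(2008, 2, 13, 14, 25, tzinfo=utc)),
    ]
    return correlate(source, usb)
```

Only the first pair corroborates a direct copy; the second shares content but was re-saved on the drive, so its modified time no longer matches the source.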
 Rong
(@rong)
Active Member
Joined: 19 years ago
Posts: 15
Topic starter  

> Too bad that your "home grown" tool did not monitor files being copied TO the USB drive and copy those as well……..

Actually it does…I have a copy of all the files that were copied over. That's not where my problem lies…other than our monitoring system that is in place I want another way to show that this USB device was attached during the time the copies took place and maybe, just maybe, find something that points to a specific file on the USB drive. I'm not hopeful about this because like you said, it looks like a straight copy went over and they never opened the file on the USB drive.

> I'm still at a loss to understand this…while some activities (ie, launching an application, etc.) are recorded in various locations, there is nothing that I'm aware of that specifically points to a file being copied. I've used the 'copy' command at the command line and not seen any forensic artifacts of that activity. Similarly, with drag-n-drop copying of files, as well.
> I may be wrong about this, but if you're aware of a specific artifact that can be tied to copying a file, please share it.

Don't be at a loss to understand it, evidently I'm not explaining my side well enough. I realize that there is nothing that specifically points to a file being copied, but one would think that when a USB drive was attached there would be a remnant of this other than just in the registry. Or a .lnk file to either the destination drive or file before or after a copy was done; I find it hard to think that this person didn't access this drive to make sure everything was copied. It's as if these 2 days didn't exist on this computer, by the lack of files being found for this time frame.

> A .lnk file may show that the file was opened…why do you say it was copied? What data is there to support that finding?

I say it was copied because it was captured and logged by our USB monitoring system and also found on the USB drive itself. That's the data I have to support this finding.

> I think that the issue here may not be one of the existence of an artifact, but rather one of data to support an assumption.

Nope, don't need data to support an assumption….we need it to strengthen the fact that these files were copied over to a USB device.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Rong,

I really wish that we were sitting in a pub discussing this over a beer, because there's so much that is missed in just email and posts…

> …but one would think that when a USB drive was attached there would
> be a remnant of this other than just in the registry.

I guess what I've been trying to get at is this…what makes you say this? If a USB drive is attached to a system…no other action than attached…why would you expect there to be artifacts other than in the Registry?

The first time a USB device is attached, the appropriate driver is loaded, and this action is recorded in the setupapi.log file. Beyond that, though, when a device is attached, *why* would there be other artifacts?

Now, let's say a user accessed the drive that the device is mapped to and double-clicks a Word document. The Registry is accessed to determine the appropriate associations for that machine, an LNK file is created pointing to the file in the Recent folder, and entries are created in the RecentDocs key as well as the MRU list for Word itself. An entry is either created or modified in that user's UserAssist key, and if the system is XP, a Prefetch file may be created or updated.

However, if a user copies a file, there don't seem to be any artifacts left. No application windows are moved or resized, so there's no entry in the StreamMRU or BagMRU keys. No entries are added to the UserAssist key, etc.

> Or a .lnk file to either the destination drive or file before or after a copy was done,

Since this started, I've copied files by selecting them and dragging them from one location to another, and haven't seen an LNK file created.

> I find it hard to think that this person didn't access this drive to make
> sure everything was copied.

I don't. Most users I've worked with have a window open with the USB drive and select the file they want and drag it to the USB drive. They see it appear in the target window, and that's the confirmation they have. However, this action doesn't seem to create an .LNK file.

At this point, I'm not sure what to tell you. I've worked with issues before where it appears that the user didn't "do anything" on their system, when in reality they did what they always do…so nothing new was created, although the timestamps on some key artifacts were updated…and those timestamps get overwritten when that action (ie, opening Word, launching an app, etc.) is taken again, and only the last time it occurred is recorded.

H


 Rong
(@rong)
Active Member
Joined: 19 years ago
Posts: 15
Topic starter  

> I really wish that we were sitting in a pub discussing this over a beer

MMmmmmm…….beeeerrrr, yeah me too!

> I've worked with issues before where it appears that the user didn't "do anything" on their system,

This is the part that is frustrating me, if it wasn't for our service running on the system we would have had no idea this happened. No telling how many other users have walked away with company data.

I get what you're saying on how the whole process works, I just came at it from the wrong angle. I assumed that every user was an idiot and would click on anything and everything once copied over. Lesson learned on that!

Other than the file copy, there still seems to be a lot of things that don't seem right about file written/created and accessed timestamps on this machine. I guess now I'll start looking into the possibility the user did a system restore to help hide their tracks. Time to go research this path…

Thanks for your help keydet89.

