First of all, I really can't think of any good title for this posting. Bear with me. =)
My client wants me to trace whether a classified document was transferred from the hard disk onto a USB drive. But the very problem that I have now is I only have the hard disk. No USB drive was presented to me.
My question is: is there any way to find out what files were copied onto a USB drive with only the hard disk?
Is it an XP or Vista (or none of the above) machine?
If it's XP, this article may help you:
http//
Used this on cases before and found a lot of useful information.
Look at the recent link files and examine them to retrieve the volume serial number for lnks that point to documents that are in question (if these lnks exist). It won't prove they were copied, but maybe they got opened from the pen drive?
Will the $logfile contain an entry to say a file has been accessed?
In theory, the MFT should be updated, so I might expect a log entry. It won't say why, but should say when.
I think we've covered this here a number of times before, as well as here
http//
The fact of the matter is that under the conditions you've mentioned, there are really no means by which you can provide an accurate answer to your customer.
Yeah, shell bags are great…but they won't tell you which files someone copied from a system to a USB thumb drive.
Same with Windows shortcut/.lnk files…they'll tell you which files someone opened from a thumb drive (via Explorer, navigate to a thumb drive, double click a file, say a Word doc).
And yes, Registry analysis will show you the thumb drives that had been attached to the system.
However, there simply aren't any logs (or, by extension, analysis techniques) that will tell you which files were copied from the system to a thumb drive, under the conditions you've stated.
Thanks everyone for the post.
Hmm... it seems that it's impossible to know exactly, or to prove exactly, that a file was transferred from the hard disk to the USB drive.