Also interesting. Maybe I've not used the correct terminology - I'm tasked with establishing whether business data files were accessed on external media (i.e. not the internal drive).
By this, do you mean not only storage physically connected to the system (via USB, etc), but also network drives?
So, those sources of information are surely a reasonable place to go? Plus internet browsers? And corporate email? I don't have any of the user's external devices, one thing we try to do is tie access to specific devices and refer to them in any correspondence
If it were me, I'd not all of the externally connected devices as part of my analysis, but when responding to the client, I'd be sure to initially provide on those on which the user accessed files.
Just to recap, I just noticed some events in passing which I didn't understand, wanted to understand, ran some tests, couldn't marry up what I was seeing, did a little digging, then posted a question on here. Doesn't affect whether and what was accessed, maybe casts some doubt on when if it was possible to show a pattern of time changing.
Unless the time changes were significant (days, weeks, months) and could be definitely tied to something the user did, if it were me, I'd focus on the goals I was tasked with.
Is there no context arising from the fact that there were no NTP events on or even around 30th May which is the date I mentioned in the original post? Just asking.
As you haven't been able to determine what was leading to the time changes you noticed, I would suggest that no, simply stating that there were no NTP events on a particular date is really no context at all. Again, I'd go with as complete a timeline as possible, and then focus on what was happening "around" the time change events.
Harlan, your early response on a national holiday is noted and much appreciated )
By this, do you mean not only storage physically connected to the system (via USB, etc), but also network drives?
To be precise (always good ) ) we would be concerned with access to business files on media not under the control of the organisation - I think that does it? So access to a network share is not a concern. Dropbox and similar would be.
If it were me, I'd not all of the externally connected devices as part of my analysis, but when responding to the client, I'd be sure to initially provide on those on which the user accessed files.
Did some words get missed out?
Thanks again
At a guess I would say just three letters )
You got me there - I'm guessing that "not" should be "note". But there's a huge variety of verbs you could pop into "I'd be sure to initially provide on those on which the user accessed files"
I'm going for
"I'd be sure to initially provide only those on which the user accessed files"
Good spot - I did of course mean nouns (
To be precise (always good ) ) we would be concerned with access to business files on media not under the control of the organisation - I think that does it? So access to a network share is not a concern. Dropbox and similar would be.
Okay, that makes sense.
I'd go with a timeline…and would only need a limited number of data sources to build the picture.
There is no evidence of the datetime.cpl having been accessed so I'm wondering how one can explain these types of events?
Or perhaps there is, in "Microsoft-Windows-DateTimeControlPanel%4Operational.evtx"