On Windows XP, is there any way of proving that a certain set of files was copied to an external drive and we do not have the external drive.
On MS Outlook, is there some kind of log that tracks individual e-mail backups? E.g. export to a .msg file.
To answer your first point - no.
Your second point - I don't know. But you could quickly test this yourself.
Thanks Jon.
On Windows XP, is there any way of proving that a certain set of files was copied to an external drive and we do not have the external drive.
How would you go about showing something like that?
On Windows XP, is there any way of proving that a certain set of files was copied to an external drive and we do not have the external drive.
Yes and no. Mostly no.
You may get lucky and the user may view the external device using Windows Explorer in which case you may find artefacts in the registry (if, for example, the Window viewing the external drive was resized.
If the files on the external drive were opened, you may be able to recover link files from Windows restore points or the user's directory and infer the direction of copy from the MAC times of the link files and source files.
But both of these methods simply allow you to infer that a copy was done. There is no reliable way to detect all files which may have been copied.
If the external device was a CD/DVD, there may be some evidence in the CD Burning folder if Windows copy and paste was used.
How would you go about showing something like that?
Right now, I've got the list of USB devices from USBSTOR and the timestamps. And I'm going to try to filter out all the files / folders whose access times are close to that and see if any of the files could be documents that are relevant to this case.
There was suspicion that the suspect would have gone through a frantic copying / deleting process after he was requested to surrender his laptop.
Yes and no. Mostly no.
You may get lucky and the user may view the external device using Windows Explorer in which case you may find artefacts in the registry (if, for example, the Window viewing the external drive was resized.
If the files on the external drive were opened, you may be able to recover link files from Windows restore points or the user's directory and infer the direction of copy from the MAC times of the link files and source files.
But both of these methods simply allow you to infer that a copy was done. There is no reliable way to detect all files which may have been copied.
If the external device was a CD/DVD, there may be some evidence in the CD Burning folder if Windows copy and paste was used.
Thanks sean. I'll see what I can find from the restore points.
I'm pretty green still, but couldn't he find something in pagefile.sys, because the copy command would need memory to work, so the contents of the files as they were being copied would have been in RAM at some point and from what I can gather the pagefile.sys moves this memory around. Definitely correct me if I am wrong.
How would you go about showing something like that?
Right now, I've got the list of USB devices from USBSTOR and the timestamps. And I'm going to try to filter out all the files / folders whose access times are close to that and see if any of the files could be documents that are relevant to this case.
Interesting approach. Something to think about…does finding files with access time close to those that correspond to a thumb drive being connected to the system necessarily indicate that those files were copied to the thumb drive?
There was suspicion that the suspect would have gone through a frantic copying / deleting process after he was requested to surrender his laptop.
How would you go about showing something like that?
Right now, I've got the list of USB devices from USBSTOR and the timestamps. And I'm going to try to filter out all the files / folders whose access times are close to that and see if any of the files could be documents that are relevant to this case.
Interesting approach. Something to think about…does finding files with access time close to those that correspond to a thumb drive being connected to the system necessarily indicate that those files were copied to the thumb drive?
Well, if anyone needs case law in this regard, I was involved in litigation in which, during pretrial motion hearings, the plaintiff's expert argued that the fact that the files found in a folder on the C\ drive named "Flash Disk Files" having the same last accessed date as that of a known attached USB memory stick was evidence that the files in the folder had been copied to the USB device.
On cross examination he admitted that he could not say, for certain, if any files had actually been copied, only that the files had been accessed in one way or another during the time that the USB device was attached. Further, he admitted that the files could have moved from the flash drive to the C\ drive, which was the opposite of what he was trying to prove.
The judge decided that rather than excluding the testimony the jury would be allowed to hear about the access times and the times of USB attachments and that the question of the expert's opinion could be addressed through cross-examination and the testimony of a rebuttal witness.
Somewhat more significantly, the expert had said in an affidavit that the only explanation for the concurrence of dates and times was bulk copying of files, a statement he was forced to retract under cross-examination. The defense then used this to suggest bias on the part of the expert.
The bottom line is don't say more than that which the evidence supports, at least not under oath. Concurrence is not causation.