Computer Forensics World :: View topic - Best method of determining if a file has been copied
gbulger (Newbie; Joined: Oct 09, 2008; Posts: 3)
Posted: Thu Oct 09, 2008 11:06 pm    Post subject: Best method of determining if a file has been copied

I am a data recovery professional but am new to forensics. Please excuse the probably amateurish question. What is the most commonly used method of determining if files have been copied from an XP-based computer? Can one determine what device the files were copied to?

Thanks,
Gordon
Complete (Newbie; Joined: Aug 20, 2006; Posts: 287)
Posted: Thu Oct 09, 2008 11:20 pm

I would love to be corrected if I am wrong, but I don't think there are any artifacts or records of a file being copied. If I drag and drop a file onto a USB drive, there will be no record other than the USB device being plugged in.

It could be possible that someone copied a file to a USB and then opened it from the USB. In this case there will be an LNK file (shortcut in Recent Documents) that is created pointing towards the file on the USB.
LAForensicsGuy (Newbie; Joined: Feb 25, 2007; Posts: 9)
Posted: Thu Mar 05, 2009 1:32 pm

You can't really tell if a file has been copied from a computer, unless in the strict sense of the word. There are several indicators, though. If the file was copied to some type of removable media, say a floppy or USB drive, and the file was opened from that location, there would be a link (.lnk) file to that removable media. You hopefully would have some type of forensic software that could parse out all of the info from all the link files on the hard drive. You would have to look through them, look at the link files to removable media and look for the file name. Does this mean the file was copied? No, it only means that a file with the same name as yours was opened from some type of removable media.

If you are lucky enough to have the file in question on the original hard drive and the file on the media it was copied to, you could run an MD5 hash on both files, with write protection of course. If the resulting MD5 hashes are exactly the same, then you know it's the same exact file. Does this mean the file was copied to this location? No, it means the same exact file exists on both the hard drive and removable media. There are other indicators of course, but hopefully you are now headed in the right direction. Good luck!
Stan77 (Newbie; Joined: May 01, 2010; Posts: 4)
Posted: Sun May 02, 2010 5:49 am

I see this thread refers to "copying" a file from a hard drive to a USB flash drive.

What if a file is removed (cut and paste)? If the file is not opened on the flash drive, what trace of the removal is left behind? How can I find out what files might have been removed by such a transfer to a flash drive?

Also, is there always a record of when a USB flash drive is plugged into a PC?
thomasmp3 (Newbie; Joined: May 09, 2010; Posts: 15)
Posted: Mon May 10, 2010 9:06 am

If files are listed in icon view in explorer, it is possible to see the directory structure of a network drive or removable device by viewing these locations in the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU\

FTK's registry viewer did a good job linking the paths so you don't have to do so manually.

As for the question about records if a USB device is plugged in: yes, it is recorded. Check out HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices,
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB, HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR

Note the data in the Select key to find out the current control set.
HKEY_LOCAL_MACHINE\SYSTEM\Select

If you use EnCase, message me and I will send you a nice EnScript for parsing that stuff out.
_________________
Thomas Ferguson, EnCE
Forensic Examiner
Louisiana Department of Justice
Stan77 (Newbie; Joined: May 01, 2010; Posts: 4)
Posted: Wed May 12, 2010 8:24 am

Thomas,

thanks for the registry info.

The USB registry info did show all previously connected devices, but unfortunately it didn't show any dates of connection (unless I'm missing something). Can I find a record of those dates somewhere else?

As for registry info on files cut and pasted from one external drive to another: from your post I'm not sure what I was supposed to be looking for in the registry. Any further explanation would be helpful.

I assume even if I can't find a record of a file being transferred off of an external drive, I should at least be able to find the record of when the file was initially written to the drive, even if it was subsequently transferred off, correct? Is this true even if the file was initially copied to the external drive while it was inside a folder with other files (in other words, a folder containing the file was copied onto the external drive, not the individual file)?

thanks.
thomasmp3 (Newbie; Joined: May 09, 2010; Posts: 15)
Posted: Wed May 12, 2010 10:30 am

Stan77 wrote:
Can I find a record of those dates somewhere else?

Are you using EnCase? Parse the System and Software registry hives. Look at the USBStor. The keys inside have last written values. Those dates are modified when the device is connected. Each device has a subkey with the serial number as the name. A filter of that serial number will return lots of other hits in the registry. I just parse the registry files, then use the File name condition in EnCase and paste in the serial number. This returns all keys that have the serial number in the name. You could then analyze all the last written dates for each key.

Also look at the "recent files" links. Those link files contain the volume serial, which you could link to a volume serial number of a formatted removable device. Then you can look at the dates on and contained within the link file.

Don't forget to do the same for registry restore points. Restore points may contain other last written dates for the device in question. You could make a timeline based on the multiple dates.

Note: the volume serial number is not the same as the device serial number.
_________________
Thomas Ferguson, EnCE
Forensic Examiner
Louisiana Department of Justice

Last edited by thomasmp3 on Wed May 12, 2010 10:38 am; edited 1 time in total
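The volume serial and target timestamps that thomasmp3 (and LAForensicsGuy earlier in the thread) say a .lnk file carries can be read straight from the Shell Link layout (MS-SHLLINK). This is an added example, not code from the thread or from EnCase; the sample shortcut is constructed inside the block so it runs offline, and only the ANSI-path form of LinkInfo is handled.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom"}

def filetime_to_datetime(ft):
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC; 0 means 'not recorded'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Return the target's timestamps/size and, if LinkInfo is present, the volume it lived on."""
    size, flags = struct.unpack_from("<I16xI", data, 0)          # HeaderSize, (CLSID), LinkFlags
    if size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link header")
    ctime, atime, wtime, fsize = struct.unpack_from("<3QI", data, 0x1C)
    info = {"target_created": filetime_to_datetime(ctime), "target_accessed": filetime_to_datetime(atime),
            "target_written": filetime_to_datetime(wtime), "target_size": fsize}
    pos = 0x4C
    if flags & 0x01:                                             # HasLinkTargetIDList: skip it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                                             # HasLinkInfo
        _, _, li_flags, vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x01:                                      # VolumeIDAndLocalBasePath
            v = pos + vol_off
            vid_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, v)
            label = data[v + label_off:v + vid_size].split(b"\0", 1)[0]
            base = data[pos + base_off:].split(b"\0", 1)[0]      # ANSI path; Unicode variant not handled here
            info.update(drive_type=DRIVE_TYPES.get(drive_type, drive_type),
                        volume_serial=f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
                        volume_label=label.decode("cp1252"), local_path=base.decode("cp1252"))
    return info

def build_sample_lnk():
    """Constructed sample, not a real artifact: a shortcut to a file opened from a removable volume."""
    ft = ((datetime(2010, 5, 1, 9, 30, tzinfo=timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    header = struct.pack("<I16sIIQQQIIIH2xII", 0x4C, LNK_CLSID, 0x02, 0x20, ft, ft, ft, 4096, 0, 1, 0, 0, 0)
    label, path = b"USBDISK\0", b"E:\\secret\\plan.docx\0"
    volume_id = struct.pack("<4I", 16 + len(label), 2, 0x1A2B3C4D, 16) + label   # DriveType 2 = removable
    body = volume_id + path + b"\0"                              # VolumeID, LocalBasePath, CommonPathSuffix
    link_info = struct.pack("<7I", 28 + len(body), 28, 1, 28, 28 + len(volume_id), 0,
                            28 + len(volume_id) + len(path)) + body
    return header + link_info + b"\0\0\0\0"                      # empty ExtraData terminal block

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:16} {value}")
```

The volume serial printed here is what you match against the serial of the suspect removable volume; as thomasmp3 notes later, it is not the device serial found under USBSTOR.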
thomasmp3 (Newbie; Joined: May 09, 2010; Posts: 15)
Posted: Wed May 12, 2010 10:34 am

Stan77 wrote:
As for registry info on files cut and pasted from one external drive to another- from your post I'm not sure what I was supposed to be looking for in the registry. Any further explanation would be helpful.

I assume even if I can't find a record of a file being transferred off of an external drive, I should at least be able to find the record of when the file was initially written to the drive, even if it was subsequently transferred off, correct? Is this true even if the file was initially copied to the external drive while it was inside a folder with other files (in other words, a folder containing the file was copied onto the external drive, not the individual file)?

thanks.


You need to look at the MFT records for what I was talking about. Moved file from one volume to another = File marked deleted (sourceMFT), New file (destinationMFT). The MFT entry modified attribute for each volume would be in the same proximity.

Be sure to do a keyword search for the filename on the whole drive. Also make sure your search will find Unicode strings.
_________________
Thomas Ferguson, EnCE
Forensic Examiner
Louisiana Department of Justice
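A worked version of the cross-volume move check thomasmp3 describes (entry marked deleted in the source MFT, new entry in the destination MFT, MFT-modified times close together), plus the ASCII and UTF-16LE keyword forms he recommends searching for. This is an added example, not code from the thread or from EnCase; the MFT records and raw bytes are constructed, and the MftRecord fields are assumed to come from whatever MFT parser you use.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class MftRecord:
    """Summary of one MFT entry, as an MFT parser would list it (trimmed to the fields needed here)."""
    volume: str
    entry: int
    name: str
    in_use: bool               # False = allocated flag clear, i.e. the entry is marked deleted
    si_created: datetime       # $STANDARD_INFORMATION created
    si_mft_modified: datetime  # $STANDARD_INFORMATION 'MFT entry modified'

def correlate_moves(source, dest, window=timedelta(minutes=5)):
    """Pair deleted source entries with live destination entries of the same name whose
    MFT-modified times lie within `window`; sorted by time gap, nearest first."""
    live = {}
    for r in dest:
        if r.in_use:
            live.setdefault(r.name.lower(), []).append(r)   # NTFS names compare case-insensitively
    matches = []
    for s in source:
        for d in ([] if s.in_use else live.get(s.name.lower(), [])):
            gap = d.si_mft_modified - s.si_mft_modified
            if abs(gap) <= window:
                matches.append((s, d, gap))
    return sorted(matches, key=lambda m: abs(m[2]))

def keyword_search(blob, name):
    """(encoding, offset) of every hit for `name` in raw data, in ASCII and in UTF-16LE ($FILE_NAME form)."""
    hits = []
    for enc in ("ascii", "utf-16-le"):
        needle, start = name.encode(enc), 0
        while (i := blob.find(needle, start)) != -1:
            hits.append((enc, i))
            start = i + 1
    return hits

# Constructed sample data (not from any real image): C: is the source, E: the removable destination.
T0 = datetime(2010, 5, 2, 14, 10, tzinfo=timezone.utc)
SOURCE = [MftRecord("C:", 4012, "plan.docx", False, T0 - timedelta(days=30), T0),
          MftRecord("C:", 4013, "notes.txt", True, T0 - timedelta(days=30), T0 - timedelta(days=2))]
DEST = [MftRecord("E:", 37, "Plan.docx", True, T0 + timedelta(seconds=3), T0 + timedelta(seconds=3)),
        MftRecord("E:", 38, "old.docx", True, T0 - timedelta(days=9), T0 - timedelta(days=9))]
RAW_SAMPLE = b"\0" * 8 + "plan.docx".encode("utf-16-le") + b"\0" * 4 + b"plan.docx"

if __name__ == "__main__":
    for s, d, gap in correlate_moves(SOURCE, DEST):
        print(f"{s.volume} entry {s.entry} (deleted) -> {d.volume} entry {d.entry}, gap {gap}, created {d.si_created:%H:%M:%S}")
```

The destination entry's created time answers Stan77's question about when the file was first written to the external drive; a name-only match is still just a candidate until the hashes or content line up.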
Rajatv07 (Newbie; Joined: Mar 29, 2015; Posts: 1)
Posted: Sun Mar 29, 2015 10:52 pm

If the values for the registry entry in the Data section match for two distinct drives, does that mean that the file has been copied?
PreferredUser (Newbie; Joined: Jan 01, 2007; Posts: 1130; Location: USA)
Posted: Mon Mar 30, 2015 2:49 am

Rajatv07 wrote:
If the values for the registry entry in the Data section match for two distinct drives, does that mean that the file has been copied?
What entry in the Registry do you believe shows a list of copied files?
All times are GMT + 10 Hours