Best method of determining if a file has been copied


gbulger

New Member
Oct 8, 2008
9
0
#1
I am a data recovery professional but am new to forensics. Please excuse the probably amateurish question. What is the most commonly used method of determining if files have been copied from an XP-based computer? Can one determine what device the files were copied to?

Thanks,
Gordon
 

Complete

Administrator
Aug 19, 2006
861
0
#2
I would love to be corrected if I am wrong, but I don't think there are any artifacts or records of a file being copied. If I drag and drop a file onto a USB drive, there will be no record other than the USB device being plugged in.

It could be possible that someone copied a file to a USB and then opened it from the USB. In this case there will be an LNK file (shortcut in Recent Documents) that is created pointing towards the file on the USB.
 
Feb 24, 2007
27
0
#3
You can't really tell if a file has been copied from a computer unless in the strict sense of the word. There are several indicators though. If the file was copied to some type of removable media, say a floppy or USB drive, and the file was opened from that location, there would be a link (.lnk) file to that removable media. You hopefully would have some type of forensic software that could parse out all of the info from all the link files on the hard drive. You would have to look through them, look at the link files to removable media, and look for the file name. Does this mean the file was copied? No, it only means that a file with the same name as yours was opened from some type of removable media.

If you are lucky enough to have the file in question on the original hard drive and the file on the media it was copied to, you could run an MD5 hash on both files, with write protection of course. If the resulting MD5 hashes are exactly the same then you know it's the same exact file. Does this mean the file was copied to this location? No, it means the same exact file exists on both the hard drive and removable media. There are other indicators of course, but hopefully you are now headed in the right direction. Good luck!
 

Stan77

New Member
Apr 30, 2010
12
0
#4
I see this thread refers to "copying" a file from a hard drive to a USB flash drive.

What if a file is removed (cut and paste)? If the file is not opened on the flash drive, what trace of the removal is left behind? How can I find out what files might have been removed by such a transfer to a flash drive?

Also, is there always a record of when a usb flash drive is plugged in to a PC?
 

thomasmp3

New Member
May 8, 2010
45
0
#5
If files are listed in icon view in explorer, it is possible to see the directory structure of a network drive or removable device by viewing these locations in the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags\

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU\

FTK's registry viewer did a good job linking the paths so you don't have to do so manually.

As for the question about whether it is recorded when a USB device is plugged in, yes it is recorded. Check out HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices,
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB, HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR

Note the data in the Select key to find out the current control set.
HKEY_LOCAL_MACHINE\SYSTEM\Select

If you use EnCase, message me and I will send you a nice EnScript for parsing that stuff out.
 

Stan77

New Member
Apr 30, 2010
12
0
#6
Thomas,

thanks for the registry info.

The USB registry info did show all previously connected devices, but unfortunately it didn't show any dates of connection (unless I'm missing something). Can I find a record of those dates somewhere else?

As for registry info on files cut and pasted from one external drive to another: from your post I'm not sure what I was supposed to be looking for in the registry. Any further explanation would be helpful.

I assume even if I can't find a record of a file being transferred off of an external drive, I should at least be able to find the record of when the file was initially written to the drive, even if it was subsequently transferred off, correct? Is this true even if the file was initially copied to the external drive while it was inside a folder with other files (in other words, a folder containing the file was copied onto the external drive, not the individual file)?

thanks.
 

thomasmp3

New Member
May 8, 2010
45
0
#7
Stan77 said:
Can I find a record of those dates somewhere else?
Are you using EnCase? Parse the System and Software registry hives. Look at the USBStor. The keys inside have last written values. Those dates are modified when the device is connected. Each device has a subkey with the serial number as the name. A filter of that serial number will return lots of other hits in the registry. I just parse the registry files, then use the File name condition in EnCase and paste in the serial number. This returns all keys that have the serial number in the name. You could then analyze all the last written dates for each key.

Also look at the "recent files" links. Those link files contain the volume serial, which you could link to a volume serial number of a formatted removable device. Then you can look at the dates on and contained within the link file.

Don't forget to do the same for registry restore points. Restore points may contain other last written dates for the device in question. You could make a timeline based on the multiple dates.

Note: the volume serial number is not the same as the device serial number.
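Posts #3 and #7 both point at the link (.lnk) files as the artifact to check, and #7 notes that the link carries the volume serial of the media the target was opened from. The script below is an added example, not code from any poster or from EnCase/FTK: it parses the header timestamps and the VolumeID (drive type, volume serial, label) plus the local base path from a Shell Link file, following the published MS-SHLLINK layout, and builds a small constructed .lnk to run against. The volume label, serial and path in the sample are made up.

```python
"""Extract the removable-media evidence from a Windows Shell Link (.lnk):
the three FILETIME stamps in the header and the VolumeID/local path in the
LinkInfo block. Layout follows the public MS-SHLLINK specification.
The sample link bytes are constructed in this file, not taken from a case."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}


def filetime_to_dt(ft):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def _cstr(buf, off):
    """Read a NUL-terminated single-byte string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return a dict with header timestamps and, if present, the VolumeID info."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    # LinkFlags, FileAttributes, Creation/Access/Write FILETIMEs, FileSize
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {"creation": filetime_to_dt(ctime), "access": filetime_to_dt(atime),
            "write": filetime_to_dt(wtime), "target_size": size}
    off = 76
    if flags & 0x01:  # HasLinkTargetIDList: skip IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:  # HasLinkInfo
        _li_size, _li_hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, off)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath
            v = off + vol_off
            _vsize, dtype, serial, label_off = struct.unpack_from("<IIII", data, v)
            info["drive_type"] = DRIVE_TYPES.get(dtype, str(dtype))
            # This is the *volume* serial assigned at format time, not the
            # USB device serial that appears as a USBSTOR subkey name.
            info["volume_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            info["volume_label"] = _cstr(data, v + label_off)
            info["local_base_path"] = _cstr(data, off + base_off)
    return info


def opened_from_removable_media(info):
    return info.get("drive_type") == "REMOVABLE"


def build_sample_lnk(label, serial, base_path, dt):
    """Construct a minimal .lnk: header + LinkInfo carrying a VolumeID and path."""
    vol_label = label.encode("latin-1") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(vol_label), 2, serial, 16) + vol_label
    path = base_path.encode("latin-1") + b"\x00"
    suffix = b"\x00"                      # empty CommonPathSuffix
    vol_off = 28                          # LinkInfoHeaderSize with no Unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(path)
    li_size = suffix_off + len(suffix)
    link_info = struct.pack("<IIIIIII", li_size, 28, 1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + path + suffix
    ft = dt_to_filetime(dt)
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack(
        "<IIQQQIIIHHII", 0x02, 0x20, ft, ft, ft, 1234, 0, 1, 0, 0, 0, 0)
    return header + link_info + b"\x00\x00\x00\x00"  # TerminalBlock


# Constructed sample: a link to a spreadsheet opened from a USB stick.
SAMPLE_LNK = build_sample_lnk("KINGSTON", 0x1A2B3C4D, "E:\\reports\\q1.xls",
                              datetime(2010, 5, 8, 12, 0, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for k, v in parse_lnk(SAMPLE_LNK).items():
        print(f"{k:16} {v}")
```

Run against a real Recent Documents link, the `volume_serial` is what you compare with the serial of a formatted removable volume, while the USBSTOR subkey names hold the device serial; the two are different values, as the post above says.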
 

thomasmp3

New Member
May 8, 2010
45
0
#8
Stan77 said:
As for registry info on files cut and pasted from one external drive to another- from your post I'm not sure what I was supposed to be looking for in the registry. Any further explanation would be helpful.

I assume even if I can't find a record of a file being transferred off of an external drive, I should at least be able to find the record of when the file was initially written to the drive, even if it was subsequently transferred off, correct? Is this true even if the file was initially copied to the external drive while it was inside a folder with other files (in other words, a folder containing the file was copied onto the external drive, not the individual file)?

thanks.
You need to look at the MFT records for what I was talking about. Moved file from one volume to another = file marked deleted (source MFT), new file (destination MFT). The MFT entry modified attribute for each volume would be in the same proximity.

Be sure to do a keyword search for the filename on the whole drive. Also make sure your search will find Unicode strings.
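The post above describes two checks: pairing a deleted source-volume MFT entry with a newly created destination-volume entry of the same name whose entry-modified times are close together, and searching the drive for the filename as a Unicode string as well as ASCII. This added example (not the poster's code) implements both on constructed data; it assumes the MFT fields have already been extracted by a tool into the `MftRecord` records shown, and the byte buffer standing in for a disk image is made up.

```python
"""Correlate a cross-volume move from MFT summaries, and search a raw buffer for
a filename in both ASCII and UTF-16LE. Records and buffer are constructed here."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class MftRecord:
    volume: str              # e.g. "C:" (source) or "E:" (removable destination)
    name: str                # $FILE_NAME as extracted by the analysis tool
    in_use: bool             # False = MFT entry flagged deleted
    entry_modified: datetime  # $STANDARD_INFORMATION MFT-entry-modified time


def correlate_moves(records, window=timedelta(minutes=5)):
    """Pair deleted entries with same-named live entries on another volume
    whose entry-modified times differ by at most `window`."""
    deleted = [r for r in records if not r.in_use]
    live = [r for r in records if r.in_use]
    pairs = []
    for d in deleted:
        for n in live:
            if (n.volume != d.volume and n.name.lower() == d.name.lower()
                    and abs(n.entry_modified - d.entry_modified) <= window):
                pairs.append((d, n))
    return pairs


def find_name_hits(buf, name):
    """Offsets of `name` in buf, encoded as single-byte text and as UTF-16LE
    (the 'Unicode' form NTFS uses for $FILE_NAME)."""
    hits = []
    for enc in ("latin-1", "utf-16-le"):
        needle = name.encode(enc)
        start = 0
        while (i := buf.find(needle, start)) != -1:
            hits.append((i, enc))
            start = i + 1
    return sorted(hits)


# Constructed MFT summaries: q1.xls cut from C: and pasted onto E: two seconds apart,
# plus an unrelated deleted file and an older same-named file outside the window.
T0 = datetime(2010, 5, 8, 12, 0, 10)
SAMPLE_RECORDS = [
    MftRecord("C:", "q1.xls", False, T0),
    MftRecord("E:", "Q1.XLS", True, T0 + timedelta(seconds=2)),
    MftRecord("C:", "notes.txt", False, T0 + timedelta(minutes=1)),
    MftRecord("E:", "q1.xls", True, T0 - timedelta(days=3)),
]

# Constructed image fragment: the name appears once in UTF-16LE, once in ASCII.
SAMPLE_IMAGE = b"\x00" * 16 + "q1.xls".encode("utf-16-le") + b"|" + b"q1.xls" + b"\x00" * 8

if __name__ == "__main__":
    for d, n in correlate_moves(SAMPLE_RECORDS):
        print(f"{d.volume}{d.name} deleted {d.entry_modified} -> "
              f"{n.volume}{n.name} created {n.entry_modified}")
    print(find_name_hits(SAMPLE_IMAGE, "q1.xls"))
```

A match from `correlate_moves` is only a pairing of timestamps and names, the same caveat #3 gives for MD5 matches: it shows a same-named file appeared on the destination when the source entry was released, not who moved it.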
 
