How to detect if files were saved or copied to a USB drive?

  • How can I find out if files from my computer were written/copied/moved to a USB storage device? I want to know if there is a solution that would work in a system that has not got any monitoring/logging of USB activity explicitly enabled and after the files have already been written.

    I have already used software which reads the information from the registry location

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

    But it just tells the vendor name, time connected and other artifacts.

    Not sure if it directly answers your question, but you can get a copy of Usb Security Suite and it logs everything that happened on USB drives, like copy, rename, delete, etc. The point is that it only shows activities that happened AFTER installation of the tool :(

  • Rory Alsop (Correct answer)

    8 years ago

    This will depend entirely on what logging you have enabled. It's easy after the event to tell you to log all file copies etc., but if you weren't logging it, you won't be able to retrieve that info.

    Yes, I know you have to enable local auditing on files. But there has to be some other way. The information must be saved in some metadata?

    No. Copying from a file is not typically saved on a Windows system unless you have enabled logging or auditing.

    Yeah, that's what I said; but I mean, what about EnCase and Helix, the big forensic technologies?

    EnCase and Helix can help you retrieve all the information you have on a disk, but they can't make that information from nothing. Sorry to disappoint you.

    I disagree. You seem to put all your hope in Windows auditing, as if there is no place in computer memory or on the hard disk where such attributes (such as folders, files) can be copied.

    I used to run a forensic team, and while there are a lot of good pieces of info you can grab, with default Windows logging you are very limited in finding out what someone has done with a file if they copied it onto a USB stick. You can hunt down command history, but it is limited. Seriously, this info is just not stored anywhere by default. This is why we encourage people to enable logging and auditing.
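
One way to act on the advice above to enable auditing, as an added example that is not part of the original thread: it turns on the Windows "Removable Storage" audit subcategory and later lists write events (Event ID 4663) recorded against removable volumes. It assumes Windows 8 / Server 2012 or later, an elevated prompt, and an English-language system; the function name `Get-RemovableStorageWrite` is hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumes Windows 8 / Server 2012 or later and an English-language system
# (the audit subcategory and task category names are localized).

# 1. Turn on auditing of file access on removable storage. This only records
#    activity from now on; it cannot recover copies made before it was enabled.
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable

# 2. Later, list write operations recorded against removable volumes.
#    Event 4663 = "An attempt was made to access an object".
function Get-RemovableStorageWrite {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskDisplayName -eq 'Removable Storage' } |
        ForEach-Object {
            # Turn the event's named <Data> fields into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            # AccessMask bits: 0x2 = WriteData/AddFile, 0x4 = AppendData.
            $mask = [Convert]::ToInt32($data['AccessMask'], 16)
            if ($mask -band 0x6) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    Process = $data['ProcessName']
                    Object  = $data['ObjectName']
                    Mask    = $data['AccessMask']
                }
            }
        }
}

Get-RemovableStorageWrite | Sort-Object Time | Format-Table -AutoSize
```

The events show which account and process wrote which path on the removable volume; they do not record where on the local disk the data came from.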

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM