How to detect if files were saved or copied to a USB drive?
How can I find out if files from my computer were written/copied/moved to a USB storage device? I want to know if there is a solution that would work in a system that has not got any monitoring/logging of USB activity explicitly enabled and after the files have already been written.
I have already used software which reads the information from the registry location
But it just tells the vendor name, time connected and other artifacts.
This will depend entirely on what logging you have enabled. It's easy after the event to tell you to log all file copies etc., but if you weren't logging it, you won't be able to retrieve that info.
Yes, I know you have to enable local auditing on files. But there has to be some other way. The information must be saved in some metadata?
No. Copying from a file is not typically saved on a windows system unless you have enabled logging or auditing.
Yeah, that's what I said; but I mean what about EnCase and Helix, the big forensic technologies?
EnCase and Helix can help you retrieve all the information you have on a disk, but they can't make that information from nothing. Sorry to disappoint you.
I disagree; you seem to put all your hope in Windows auditing, as if there were no place in computer memory or on the hard disk where such attributes (of folders, files) can be copied.
I used to run a forensic team, and while there are a lot of good pieces of info you can grab, with default Windows logging you are very limited in finding out what someone has done with a file if they copied it onto a USB stick. You can hunt down command history, but it is limited. Seriously, this info is just not stored anywhere by default. This is why we encourage people to enable logging and auditing.
First, try to get the information about the devices that were plugged into the computer from the following locations:
C:\Windows\inf\setupapi.dev
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB
Be very particular when checking the MountedDevices key, as this information will be required in future analysis.
Analyse the NTUSER.DAT file associated with the particular user in question. Go to NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 and search for the GUID of the device.
If you use EnCase or FTK, search for keywords (the name of the file in question) and analyse the .lnk files associated with the keyword. Parse the .lnk files using FTK or EnCase, which will give you the path and the timestamp. If the path refers to a USB drive, then try to match the user's SID, the USB serial number and the timestamp information.
You can even analyse the $MFT records and $LogFile, which give you more information about the file structure.
Note: .lnk files will be created only if the suspect opens the file in question from the USB drive.
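The correlation the answer above describes (USBSTOR serial, MountedDevices volume GUID, the user's MountPoints2, the driver install log and the Recent .lnk files), as an added PowerShell example that is not code from the answer or from EnCase/FTK. It assumes a live Windows host and an elevated session; it reads CurrentControlSet rather than ControlSet001 because on a running system that is the active control set (on an offline hive, HKLM\SYSTEM\Select\Current tells you which one to use), and on Windows 7 and later the driver install log is C:\Windows\inf\setupapi.dev.log. The $Keyword value and the "budget" file-name fragment are illustrative assumptions.

```powershell
# Added example, not part of the original answer: pull the artifacts named
# above from a live Windows host and correlate them by USB serial number.
# Run in an elevated PowerShell session. Keyword and log path are assumptions.
param(
    [string]$Keyword     = 'budget',                                # assumed file-name fragment to look for in .lnk targets
    [string]$SetupApiLog = "$env:SystemRoot\inf\setupapi.dev.log"   # Windows 7+ location (XP used setupapi.log)
)

# 1. USBSTOR: one key per device model, one sub-key per serial number.
#    Windows appends "&0" to the serial reported by the device.
$usbstor = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' | ForEach-Object {
    $model = $_.PSChildName
    Get-ChildItem $_.PSPath | ForEach-Object {
        [pscustomobject]@{
            Model    = $model
            Serial   = $_.PSChildName
            Friendly = (Get-ItemProperty $_.PSPath).FriendlyName
        }
    }
}

# 2. MountedDevices: each REG_BINARY value is a UTF-16 device path. USB mass
#    storage paths contain "USBSTOR#Disk&Ven_...#<serial>#", so the serial
#    links a \DosDevices\X: or \??\Volume{GUID} entry back to USBSTOR.
$mounted = Get-Item 'HKLM:\SYSTEM\MountedDevices'
$volumes = foreach ($name in $mounted.GetValueNames()) {
    $raw = $mounted.GetValue($name)
    if ($raw -isnot [byte[]]) { continue }
    $text = [System.Text.Encoding]::Unicode.GetString($raw)
    if ($text -match 'USBSTOR#Disk&Ven_[^#]+#([^#]+)#') {
        [pscustomobject]@{ ValueName = $name; Serial = $Matches[1] }
    }
}

# 3. MountPoints2 in every loaded user hive: a {GUID} sub-key under a user's
#    SID means that user's Explorer session mounted that volume. For a user who
#    is not logged on, load the hive first:  reg load HKU\Case <path>\NTUSER.DAT
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$mountPoints = foreach ($sidKey in Get-ChildItem 'HKU:\' |
        Where-Object { $_.PSChildName -notmatch '_Classes$' }) {
    $mp2 = "$($sidKey.PSPath)\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    if (Test-Path $mp2) {
        Get-ChildItem $mp2 | Where-Object { $_.PSChildName -like '{*}' } | ForEach-Object {
            [pscustomobject]@{ SID = $sidKey.PSChildName; VolumeGuid = $_.PSChildName }
        }
    }
}

# 4. setupapi.dev.log: the first driver install of a device instance is logged
#    as a header naming USBSTOR\Disk&Ven_...\<serial>, followed by a
#    "Section start <timestamp>" line. Keep the earliest entry per serial.
$firstInstall = @{}
if (Test-Path $SetupApiLog) {
    $lines = Get-Content $SetupApiLog
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match 'USBSTOR\\Disk&Ven_[^\\]+\\([^\]]+)\]') {
            $serial = $Matches[1]
            if (-not $firstInstall.ContainsKey($serial) -and
                $lines[$i + 1] -match 'Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)') {
                $firstInstall[$serial] = $Matches[1]
            }
        }
    }
}

# 5. Recent .lnk files for the current profile. Explorer writes one when a file
#    is opened; the shortcut stores the target path, so a target on a
#    non-system drive letter points at removable media. For another user,
#    point $recent at that profile's Recent folder.
$shell   = New-Object -ComObject WScript.Shell
$recent  = Join-Path $env:APPDATA 'Microsoft\Windows\Recent'
$lnkHits = Get-ChildItem $recent -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if ($target -and $target -like "*$Keyword*") {
        [pscustomobject]@{
            Lnk          = $_.Name
            Target       = $target
            OffSystemDrv = ($target -notlike "$env:SystemDrive*")
            LnkCreated   = $_.CreationTime
            LnkModified  = $_.LastWriteTime
        }
    }
}

# 6. Correlate by serial: device, first install time, volume GUID(s) and the
#    SIDs of users whose MountPoints2 reference those GUIDs.
$report = foreach ($dev in $usbstor) {
    $guids = @($volumes | Where-Object { $_.Serial -eq $dev.Serial } | ForEach-Object {
        if ($_.ValueName -match '(\{[0-9a-f-]+\})') { $Matches[1] }
    })
    $users = @($mountPoints | Where-Object { $guids -contains $_.VolumeGuid } |
        Select-Object -ExpandProperty SID -Unique)
    [pscustomobject]@{
        Serial       = $dev.Serial
        Device       = $dev.Friendly
        FirstInstall = $firstInstall[$dev.Serial]
        VolumeGuid   = ($guids -join ', ')
        MountedBy    = ($users -join ', ')
    }
}
$report  | Format-Table -AutoSize
$lnkHits | Format-Table -AutoSize
```

Two caveats when reading the output. A \DosDevices\X: entry in MountedDevices records only the most recent device that held that letter, so the \??\Volume{GUID} entries are the reliable link to MountPoints2. And, as the note above says, a .lnk hit proves that the file was opened from that path, not that it was copied there; a copy made with Explorer or the command line that is never opened leaves no .lnk at all, which is why the earlier answers say to enable auditing before the event.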
If you are still looking into this, or want to go back to it, then you might be interested in listening to the CyberSpeak Podcast to hear about one forensic investigator's/firm's research. I suggest you listen to the whole episode, but if you want to spot-check its relevance then I think that around 22:00/23:00 they say a few points that are relevant to your endeavor.
The tool, called Registry Recon, is a commercial tool and I cannot vouch for it since I have not yet used it myself. Pursue that at your own risk; however, I will point out the bullet-point claim in the release notes.
"[..] Reports USB Storage Devices (see when they were attached over time!) and RecentDocs"
Clarifications Regarding the Original Post
I have left the original post exactly as it was, but would like to say that I never meant to bash any commercial product nor do I intend to promote myself or any third party products I happen to mention.
I do not apologize for my sense of humor, but I do regret the possibility that I offended anyone. Not that it is important what you think of me; rather, it is important for me to respect the culture and demeanor of this forum. I do respect the community here and for that reason I apologize.
Thank you again, @Gilles, for your comments.
I looked at a commercial offering called "Spector 360" that was talking about this exact scenario. As you might imagine, it required agents to be installed onto each monitored computer. Honestly, I was not happy with the system impact that the agents had on system performance. Enabling auditing/logging also has an impact on system performance. This is to be expected from pretty much any solution that is available to address the scenario you are describing.
Before I came across Spector 360, I knew of a Remote Administration Tool (RAT) that was being used to a small extent by criminals. The company that creates it is legit and was not necessarily responsible for the criminals' actions; my point is that there are a lot of RAT/spyware/monitoring applications that will provide the functionality needed to accomplish what you desire. You should expect friction from AV installed on those systems though, no matter how legit the company that authored the application. They are all capable of being used malevolently.
As for forensically looking for evidence... maybe, but that is a long shot. I really wouldn't count on it. There would be artifacts created if the system conditions were right. Those artifacts would also be eroded according to the system conditions, usage, and time since the event.
Are you trying to determine if you have had some files stolen, or are you just wondering? If it is the latter, then you should really turn your attention towards the logging/auditing solutions. If your hand has been forced, you should just kill whomever you suspect of stealing the files before they can distribute/deliver them. Burning their living space and surrounding areas to the ground would give a little more assurance that any stolen data was destroyed.
Of course, my last suggestion is illegal and I am only kidding about actually carrying out such drastic measures. If you think you have had a security breach and want to talk it through with someone, you can contact me and I'll spend some time helping you as much as I can.
While there are good things in your answer, a lot of it comes out as bashing a competitor product, with a bit of advertisement at the end (which isn't against the rule, but comes out a little odd, considering that this is a questions and answers, not a discussion forum). The hyperbole might put some readers off as well. This could explain why your answer was downvoted. I suggest toning it down a bit.
@GuyHoozdis I really admire your advice on the subject. It was thorough and very informative. In my case (I can't disclose it openly) it relates to the high possibility of information being copied from a sensitive machine to a USB device. The victim machine in this case was not forensically sound or prepared to detect such occurrences. I'm not concerned about evidence and its admissibility issues; I'm hoping someone could help me get some clues/evidence of this activity happening in the system.
Thank you for your feedback and insight @Gilles- I appreciate your candor. Bashing was not my intention nor was self-promotion; however, I'm sure that you are right because if you perceived it that way then many others did too.
@Saladin, I'm glad you found some utility in my ramblings. I did come across some new research in this area a few months ago, if my memory serves me. It might be too late if I understand what "its admissibility issues" implies about your situation; then again, this research I'm referring to is new, and if there is reason/opportunity for you to appeal any previous decisions I think this information would be useful. I'll have to go look for an exact link, but I came across the information in a CyberSpeak podcast. You can search for yourself if this is still relevant.
I just took a quick look and here are some links that reference what I was talking about. I suggest you listen to the whole episode, but I think around 22:00-25:00 they briefly mention how this relates to your situation. http://cyberspeak.libsyn.com/cyber-speak-feb-18-2013-recon-mission The tool is Registry Recon. It is a commercial tool and I have not yet used it myself (pursue it at your own risk). I want to point out the claim about USB devices in the release notes that is relevant to your situation: "see when they were attached over time" http://arsenalrecon.com/apps/#newReleaseNotes