Say you have an external storage drive, and it contains a file or folder that Mr. Suspect would want to distance himself from.
There's no trace of this file or folder on any of his other devices, such as his computer, which has enough of his own data on there to prove he's the user. Then there's very little else on the said external storage media that has anything to link it to him, to show he was a user and knew of the file/folder. Besides the fact it was found in his vicinity, he could use any number of excuses to distance himself from it, such as: he found it, bought it on eBay, someone else left it there, it was planted, etc.
Is there any way to dig deeper into the file/folder or the history of the storage device to track what has happened or been done with it in the past?
Other than the obvious superficial data (date last modified and date created), is there any list of times it was accessed, times it was copied, where to, etc.?
Is this a Windows machine? If so check the registry file for attached USB devices to see if you can find that drive.
Can you use the registry and/or setupapi.log to prove that the device was connected to the target computer(s)?
Are there any links, shellbag entries or recent file entries on the target computer(s) that point to the file/folder?
Can you find any blocks from the incriminating files on the target computer(s)? I'm not sure if there are tools available to do a block-level search, but if you have a raw image it wouldn't be hard to write a script to do it.
-tracedf
Any info regarding the OS and version of the host system, and the file system of the external drive?
Is there any way to dig deeper into the file/folder or the history of the storage device to track what has happened or been done with it in the past?
Assuming we are talking about a Windows OS with NTFS, I would proceed this way:
- fetching $MFT and the USN Journal
- converting both into a CSV file
- checking the filenames of already deleted and existing files against those found on the USB drive
Once you have a hint, I would compare hashes of files found on the PC and on the USB device. Searching the registry for the USB device identifier is a good way, too.
Did you search for real fingerprints on the device?! Who found this piece of evidence and how was it treated? This is the reason I have gloves in my forensic trolley and never touch any pieces of evidence with my fingers…
Do you need additional information about the MFT/ USNJournal or links to appropriate tools and procedures to analyze it?
Good hunting!
best regards,
Robin
Thanks all for your replies.
As said, there's no trace the external device was ever connected to the target computer, I've looked on the registry.
The external hard drive is NTFS format and it's for storage only. Is there anything I can tell just by looking at it when certain files were accessed and from where, whether they were copied, etc?
As said, there's no trace the external device was ever connected to the target computer, I've looked on the registry.
Setupapi.log?
The external hard drive is NTFS format and it's for storage only. Is there anything I can tell just by looking at it when certain files were accessed and from where, whether they were copied, etc?
WHEN accessed (last time), Maybe.
FROM WHERE, No.
IF COPIED, No.
jaclaz
Hi,
you can also look for .lnk files that may have been created when the suspect accessed files stored on the external drive.
IE's Index.dat file also records removable-media file access.
The Open/Save MRU key in the registry records files that have been opened or saved within a Windows shell dialog box.
Depending on when he accessed the files you are looking for: if it was recent, the Recent file registry key tracks the last files and folders opened.
Shellbags show which folders were accessed on removable devices.
For Win7 OS and above there are also Jump Lists.
If you have the original files you can use block-wise hashing, fuzzy document hashing or the shingle method to look for remaining blocks or near-duplicates on the suspect's computer to prove copying.
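As an added illustration of the block-wise hashing suggested here (and in tracedf's earlier reply about block-level searches), this is example code written for this thread, not a tool from anyone posting in it. It assumes 512-byte blocks and uses constructed data in place of a real file and disk image; a real run would read the known file and the raw image from disk in chunks.

```python
import hashlib
import random

BLOCK = 512  # assumed sector size; real scans often use the cluster size instead

def block_hashes(data, block=BLOCK):
    """Hash every full block of a known file. Blocks that are all one byte
    (e.g. zero padding) are skipped: they match everywhere and prove nothing."""
    table = {}
    for i in range(0, len(data) // block * block, block):
        chunk = data[i:i + block]
        if chunk.count(chunk[0]) == len(chunk):
            continue
        table.setdefault(hashlib.sha256(chunk).hexdigest(), []).append(i // block)
    return table

def scan_image(image, table, block=BLOCK):
    """Walk a raw image at block alignment and report (image_offset, file_block_numbers)
    for every block whose hash is in the table."""
    hits = []
    for off in range(0, len(image) - block + 1, block):
        h = hashlib.sha256(image[off:off + block]).hexdigest()
        if h in table:
            hits.append((off, table[h]))
    return hits

def coverage(table, hits):
    """Fraction of the known file's distinct non-trivial blocks found in the image."""
    found = {b for _, blocks in hits for b in blocks}
    total = {b for blocks in table.values() for b in blocks}
    return len(found) / len(total) if total else 0.0

# Constructed sample data (not real evidence): a 2 KiB "known file" of random bytes.
rng = random.Random(1234)
KNOWN_FILE = bytes(rng.getrandbits(8) for _ in range(4 * BLOCK))
# A tiny constructed "disk image": zeros, then a fragment of the file (blocks 1-2),
# then unrelated data, then the file's last block, then zero padding.
IMAGE = (bytes(3 * BLOCK)
         + KNOWN_FILE[BLOCK:3 * BLOCK]
         + bytes(rng.getrandbits(8) for _ in range(3 * BLOCK))
         + KNOWN_FILE[3 * BLOCK:]
         + bytes(2 * BLOCK))

def demo():
    table = block_hashes(KNOWN_FILE)
    hits = scan_image(IMAGE, table)
    return hits, coverage(table, hits)

if __name__ == "__main__":
    hits, cov = demo()
    for off, blocks in hits:
        print(f"image offset {off}: matches known-file block(s) {blocks}")
    print(f"coverage of known file: {cov:.0%}")
```

Matches at several distinct offsets with high coverage are far stronger than a single block hit, and the all-same-byte filter is what keeps padding and wiped space from producing false matches.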
Let me rephrase this question one last time before I throw in the towel on this:
Is there any way to gather any more information on what was done with the files on the external hard drive USING ONLY the external hard drive itself? Let's assume for the sake of this that no other devices have been seized.
Let me rephrase this question one last time before I throw in the towel on this:
Is there any way to gather any more information on what was done with the files on the external hard drive USING ONLY the external hard drive itself? Let's assume for the sake of this that no other devices have been seized.
In this case you only have the MACB information for folders and files: modified, accessed, created, born. And of course the file content itself. If you find a JPG, you might have some luck and find additional metadata in the EXIF data. Or have a look at an MS Word file; perhaps you can find the path to its storage location in a footer of the document.
Where those files came from, who copied them or how expensive the hard drive was: No.
And you should not throw in the towel, just put it in a dry and clean bag, put a tag on it and close the bag. There might be a day in the future when you have to open the bag again.
best regards,
Robin