Tracking history of a file

(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

Say you have an external storage drive, and on it is a file or folder that Mr. Suspect would want to distance himself from.

There's no trace of this file or folder on any of his other devices, such as his computer, which has enough of his own data on there to prove he's the user, and there's very little else on the said external storage media that links it to him or shows he was a user and knew of the file/folder. Besides the fact that it was found in his vicinity, he could use any number of excuses to distance himself from it, such as: he found it, bought it on eBay, someone else left it there, it was planted, etc.

Is there any way to dig deeper into the file/folder or the history of the storage device to track what has happened or been done with it in the past?

Other than the obvious superficial data (date last modified and date created), is there any list of times it was accessed, times it was copied, where to, etc.?

 
Posted : 14/04/2016 4:42 am
(@sgreene2991)
Posts: 77
Trusted Member
 

Is this a Windows machine? If so check the registry file for attached USB devices to see if you can find that drive.

 
Posted : 14/04/2016 4:59 am
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

Can you use the registry and/or setupapi.log to prove that the device was connected to the target computer(s)?

Are there any links, shellbag entries or recent file entries on the target computer(s) that point to the file/folder?

Can you find any blocks from the incriminating files on the target computer(s)? I'm not sure if there are tools available to do a block-level search, but if you have a raw image it wouldn't be hard to write a script to do it.

-tracedf

 
Posted : 14/04/2016 5:02 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Any info regarding the OS and version of the host system, and the file system of the external drive?

 
Posted : 14/04/2016 4:12 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Is there any way to dig deeper into the file/folder or the history of the storage device to track what has happened or been done with it in the past?

Assuming we are talking about a Windows OS with NTFS, I would proceed this way:

- fetch the $MFT and the USN Journal
- convert both into a CSV file
- check the filenames of already deleted and existing files against those found on the USB drive

Once you have a hint, I would compare hashes of files found on the PC and on the USB device. Searching the registry for the USB device identifier is a good way, too.

Did you search for real fingerprints on the device?! Who found this piece of evidence and how was it treated? This is the reason I have gloves in my Forensic Trolley and never touch any pieces of evidence with my fingers…

Do you need additional information about the MFT/ USNJournal or links to appropriate tools and procedures to analyze it?

Good hunting!

best regards,
Robin

 
Posted : 14/04/2016 4:50 pm
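The three steps above (MFT and USN journal to CSV, filename cross-reference against the USB drive, then hash comparison) as a worked script. This is an added example, not code from the original post or from any particular forensic tool: the CSV exports are constructed inline, and their column names (EntryNumber, InUse, ParentPath, FileName; Timestamp, FileName, Reason) are assumptions, since every MFT/USN parser names its columns differently. A filename match is only a lead; the hash comparison is what turns it into evidence that the same bytes existed on both devices.

```python
import csv
import hashlib
import io

# Constructed $MFT export (assumed columns). InUse=False means the record is for a deleted file.
MFT_CSV = r"""EntryNumber,InUse,ParentPath,FileName
41,True,\Users\suspect\Pictures,holiday.jpg
42,False,\Users\suspect\Documents,ledger.xlsx
43,True,\Users\suspect\Desktop,notes.txt
"""

# Constructed USN journal export (assumed columns); Reason flags as Windows names them.
USN_CSV = r"""Timestamp,FileName,Reason
2016-04-10 21:13:02,holiday.jpg,FileCreate|Close
2016-04-10 21:14:30,ledger.xlsx,FileCreate|DataExtend|Close
2016-04-11 08:02:11,ledger.xlsx,FileDelete|Close
2016-04-11 08:05:00,notes.txt,DataOverwrite|Close
"""

# Constructed file contents as they would be recovered from each device (name -> bytes).
PC_FILES = {"holiday.jpg": b"\xff\xd8\xff\xe0JFIF-demo", "ledger.xlsx": b"PK\x03\x04ledger-v1", "notes.txt": b"n"}
USB_FILES = {"holiday.jpg": b"\xff\xd8\xff\xe0JFIF-demo", "ledger.xlsx": b"PK\x03\x04ledger-v2", "unrelated.pdf": b"%PDF"}


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def cross_reference(mft_csv, usn_csv, usb_names):
    """For each filename present on the USB drive, collect what the PC's MFT and USN journal know about it."""
    mft, usn = load(mft_csv), load(usn_csv)
    report = {}
    for name in usb_names:
        key = name.lower()  # NTFS filenames are case-insensitive
        mft_hits = [r for r in mft if r["FileName"].lower() == key]
        usn_hits = [r for r in usn if r["FileName"].lower() == key]
        if not mft_hits and not usn_hits:
            continue  # never seen on the PC under that name
        report[name] = {
            "paths": sorted({r["ParentPath"] + "\\" + r["FileName"] for r in mft_hits}),
            # deleted if the MFT record is free, or the journal logged a FileDelete for that name
            "deleted": any(r["InUse"] == "False" for r in mft_hits)
            or any("FileDelete" in r["Reason"] for r in usn_hits),
            "first_seen": min((r["Timestamp"] for r in usn_hits), default=None),
            "last_seen": max((r["Timestamp"] for r in usn_hits), default=None),
        }
    return report


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_hashes(pc_files, usb_files):
    """Name -> 'identical' (same bytes on both devices), 'different' (same name, other content) or 'missing'."""
    result = {}
    for name, usb_data in usb_files.items():
        pc_data = pc_files.get(name)
        if pc_data is None:
            result[name] = "missing"
        else:
            result[name] = "identical" if sha256(pc_data) == sha256(usb_data) else "different"
    return result


if __name__ == "__main__":
    for name, info in cross_reference(MFT_CSV, USN_CSV, USB_FILES).items():
        print(name, info)
    print(compare_hashes(PC_FILES, USB_FILES))
```

For a deleted file the content has to be carved or recovered from unallocated clusters before it can be hashed; if those clusters were reused, the name match in the journal is all that is left.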
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

Thanks all for your replies.

As said, there's no trace the external device was ever connected to the target computer, I've looked on the registry.

The external hard drive is NTFS format and it's for storage only. Is there anything I can tell just by looking at it when certain files were accessed and from where, whether they were copied, etc?

 
Posted : 18/04/2016 6:36 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

As said, there's no trace the external device was ever connected to the target computer, I've looked on the registry.

Setupapi.log?
http://www.forensicswiki.org/wiki/Setup_API_Logs
https://www.magnetforensics.com/computer-forensics/how-to-analyze-usb-device-history-in-windows/

The external hard drive is NTFS format and it's for storage only. Is there anything I can tell just by looking at it when certain files were accessed and from where, whether they were copied, etc?

WHEN accessed (last time), Maybe.
FROM WHERE, No.
IF COPIED, No.

jaclaz

 
Posted : 18/04/2016 12:51 pm
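A parser for the setupapi device-install log that the two replies above point at, as an added example rather than code from this thread or from the linked tools. On Windows 7 and later the file is C:\Windows\inf\setupapi.dev.log (older copies are rotated to setupapi.dev.YYYYMMDD_HHMMSS.log in the same folder; Windows XP used C:\Windows\setupapi.log with a different layout). Each install is logged as a `[Device Install ... - <device id>]` header followed by a `Section start` timestamp in the host's local time. The sample log below is constructed, with an invented vendor, product, serial and dates; the serial you would compare against is the one printed on or read from the seized drive.

```python
import re
from datetime import datetime

# Constructed sample in the setupapi.dev.log layout of Windows 7 and later. Device ids,
# serial number and timestamps are invented for illustration.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0951&PID_1666\0014780A1B2C3D4E]
>>>  Section start 2016/04/12 21:03:43.902
      cmd: "C:\Windows\system32\svchost.exe" -k DcomLaunch
<<<  Section end 2016/04/12 21:03:44.100
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0014780A1B2C3D4E&0]
>>>  Section start 2016/04/12 21:03:44.118
      cmd: "C:\Windows\system32\svchost.exe" -k DcomLaunch
     dvi:                  {Build Driver List} 21:03:44.120
<<<  Section end 2016/04/12 21:03:45.367
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \((?P<kind>[^)]*)\) - (?P<devid>[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")


def parse_setupapi(text):
    """Return one dict per device-install section: device id, install time (host local time), exit status."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"device_id": m["devid"], "kind": m["kind"], "installed": None, "status": None}
            entries.append(current)
            continue
        if current is None:
            continue
        m = START.match(line)
        if m and current["installed"] is None:
            current["installed"] = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = STATUS.match(line)
        if m:
            current["status"] = m["status"]
            current = None  # section closed
    return entries


def usbstor_details(device_id):
    """Split 'USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\SERIAL&0' into its parts; None for non-USBSTOR ids."""
    if not device_id.upper().startswith("USBSTOR\\"):
        return None
    _, hardware, instance = device_id.split("\\", 2)
    fields = dict(part.split("_", 1) for part in hardware.split("&")[1:] if "_" in part)
    serial = instance.rsplit("&", 1)[0]  # strip the trailing '&0' instance suffix
    return {
        "vendor": fields.get("Ven"),
        "product": fields.get("Prod"),
        "revision": fields.get("Rev"),
        "serial": serial,
        # Devices with no USB serial get a Windows-generated id whose second character is '&';
        # such an id is not stable across machines and cannot be matched to the physical drive.
        "windows_generated_serial": len(serial) > 1 and serial[1] == "&",
    }


def first_install(entries, serial):
    """Earliest logged USBSTOR install of the drive with this serial, or None if it was never installed here."""
    times = []
    for e in entries:
        details = usbstor_details(e["device_id"])
        if details and details["serial"] == serial and e["installed"]:
            times.append(e["installed"])
    return min(times, default=None)


if __name__ == "__main__":
    parsed = parse_setupapi(SAMPLE_LOG)
    for e in parsed:
        print(e["installed"], e["status"], e["device_id"])
    print("first install of 0014780A1B2C3D4E:", first_install(parsed, "0014780A1B2C3D4E"))
```

The log records the first time a device was installed, not every later connection, so a hit proves the drive was attached at least once on or before that timestamp, and a miss only means no install was logged in the copies of the file you have.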
(@sam305754)
Posts: 44
Eminent Member
 

Hi,

You can also look for .lnk files that may have been created when the suspect accessed files stored on the external drive.

The index.dat file of IE also stores removable file access.

The Open/Save MRU key in the registry records files that have been opened or saved within a Windows shell dialog box.

Depending on when he accessed the files you are looking for (if it was recently), the Recent file registry key tracks the last files and folders opened.

Shellbags show which folders were accessed on removable devices.

For Win7 OS and above there are also Jump Lists.

https://www.sans.org/security-resources/posters/windows-forensics-evidence-of/75/download

If you have the original files, you can use block-wise hashing, fuzzy document hashing or the shingle method to look for remaining blocks or near-duplicates on the suspect's computer to prove copying.

 
Posted : 18/04/2016 2:39 pm
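The block-level search that tracedf describes as "not hard to write a script for" and the block-wise hashing in the reply above, as one added example (not code from either poster). Every 512-byte sector of the known file is hashed, then a raw image is hashed at every sector boundary and compared; because NTFS allocates file data in whole clusters, which are sector multiples, a file's sectors land on sector boundaries in the image and partial hits survive even after the file was deleted and part of it overwritten. The image, the reference file and the 8192-byte offset are constructed in `build_demo` for illustration, and the zero-padding of the final partial sector assumes the file system zero-filled the unused tail of the last sector it wrote. Very small files are resident in their MFT record rather than in their own clusters, so the script also includes an unaligned byte search for that case.

```python
import hashlib
import random

SECTOR = 512  # NTFS clusters are multiples of the 512-byte sector, so scan at sector granularity


def block_hashes(data: bytes, block: int = SECTOR) -> dict:
    """Map the SHA-256 of each block of the reference file to its block index.

    The final partial block is zero-padded to a full block (assumption: the file system
    zero-filled the tail of the last sector). All-zero blocks are skipped because they
    would match zero-filled padding and wiped space all over the image.
    """
    hashes = {}
    for idx, off in enumerate(range(0, len(data), block)):
        chunk = data[off:off + block].ljust(block, b"\x00")
        if chunk.count(0) == block:
            continue
        hashes[hashlib.sha256(chunk).hexdigest()] = idx
    return hashes


def scan_image(image: bytes, ref_hashes: dict, block: int = SECTOR) -> list:
    """Hash the image at every block boundary; return (image_offset, reference_block_index) hits."""
    hits = []
    for off in range(0, len(image) - block + 1, block):
        digest = hashlib.sha256(image[off:off + block]).hexdigest()
        if digest in ref_hashes:
            hits.append((off, ref_hashes[digest]))
    return hits


def find_resident(image: bytes, data: bytes) -> list:
    """Unaligned byte search for content too small to get its own clusters (resident in the
    MFT record); such data sits inside the MFT and never shows up in the aligned scan."""
    hits, start = [], 0
    while (pos := image.find(data, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def build_demo():
    """Constructed 64 KiB image: pseudo-random filler, the reference file written cluster-aligned
    at offset 8192 with its last sector zero-padded, then the second sector of that copy overwritten
    to simulate a deleted file that has been partially reused."""
    rng = random.Random(7)
    reference = rng.randbytes(2000)                       # 3 full sectors + a 464-byte tail
    image = bytearray(rng.randbytes(64 * 1024))
    image[8192:8192 + 2000] = reference
    image[8192 + 2000:8192 + 2048] = b"\x00" * 48         # zero-filled tail of the last sector
    image[8704:8704 + SECTOR] = rng.randbytes(SECTOR)     # sector 1 of the copy is gone
    return bytes(image), reference


def demo_hits():
    image, reference = build_demo()
    return scan_image(image, block_hashes(reference))


if __name__ == "__main__":
    for off, idx in demo_hits():
        print(f"image offset {off:#x} matches reference block {idx}")
```

On a real image, read the file in fixed-size chunks instead of loading it whole, and run the scan once per reference file with a single set of hashes; a run of consecutive hits whose reference indices increase by one is what you would expect from an intact or partly overwritten copy, while a lone hit on a block of common structure (a file header, a font table) deserves a second look before it goes in a report.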
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

Let me rephrase this question one last time before I throw in the towel on this:

Is there any way to gather any more information on what was done with the files on the external hard drive USING ONLY the external hard drive itself? Let's assume for the sake of this that no other devices have been seized.

 
Posted : 27/04/2016 3:17 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Let me rephrase this question one last time before I throw in the towel on this:

Is there any way to gather any more information on what was done with the files on the external hard drive USING ONLY the external hard drive itself? Let's assume for the sake of this that no other devices have been seized.

In this case you only have the MACB info for folders and files (modified, accessed, created, born), and of course the file content itself. If you find a JPG, you might have some luck and find additional metadata in the EXIF data. Or have a look at an MS Word file; perhaps you can find the path to its storage location in a footer of the document.

Where those files came from, who copied them or how expensive the hard drive was: no.

And you should not throw in the towel; just put it in a dry and clean bag, put a tag on it and close the bag. There might be a day in the future when you have to open the bag again.

best regards,
Robin

 
Posted : 27/04/2016 5:29 pm