
Any way to detect files copied from USB to USB

7 Posts
5 Users
0 Likes
2,937 Views
(@cybertend)
Posts: 22
Eminent Member
Topic starter
 

Hi all, this is a project for IP theft.
I have a Windows 10 laptop with BitLocker encrypting the drive and a USB drive (FAT32) that I am performing analysis on now.
I took a logical image of the Win10 laptop with FTK as I don't have the key to decrypt it.
I also did a physical (full) drive image of the USB.

Through investigating .lnk and other data it is very obvious the subject moved a large amount of data from the corporate network drive down to his laptop and then to the USB drive.

The question that came back from legal: is there any way to tell if the USB drive containing the IP data was copied off to another system/USB drive not connected to the laptop under investigation?

The only way that I would be aware of is if the subject actually opened the files on the original USB and thus changed the "access-time" date and timestamp. A straight copy from one USB to another USB on an entirely different computer we don't have in our possession would not change anything on the original USB to indicate such, correct?

Additionally, I did see two more USB drives enumerate on the day the subject copied the data off his laptop to the USB. These were two USBs that the subject's laptop had not previously seen.

I do not see any .lnk files, Shellbags or other artefacts that indicate any activity to these two USBs, not to say I am not missing something.

 
Posted : 14/02/2020 6:09 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Is there any way to tell if the USB drive containing the IP data was copied off to another system/USB drive not connected to the laptop under investigation?

No, sorry. Unless you find one of the currently unknown USB drives, you can't prove that.
And regarding the two USB devices you have seen, are you sure it is a drive? Couldn't it be some kind of accessory like a mouse, keyboard or USB headset? If you don't have any LNK files from these 2 devices, the copy process could have been started via the command line, xcopy.exe for example.

regards, Robin

 
Posted : 15/02/2020 12:06 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Hi all, this is a project for IP theft.
I have a Windows 10 laptop with BitLocker encrypting the drive and a USB drive (FAT32) that I am performing analysis on now.
I took a logical image of the Win10 laptop with FTK as I don't have the key to decrypt it.
I also did a physical (full) drive image of the USB.

Through investigating .lnk and other data it is very obvious the subject moved a large amount of data from the corporate network drive down to his laptop and then to the USB drive.

Where were the LNK files you found? On which device, within which image?

I ask because you'd stated that the laptop image is encrypted, and when I open a file on a USB device connected to my laptop, the LNK file associated with that action appears on my laptop.

As such, with the only device image you have that is not encrypted being the image of the USB device, I'm not clear as to how an LNK file on the USB device would demonstrate what you stated above.

The question that came back from legal: is there any way to tell if the USB drive containing the IP data was copied off to another system/USB drive not connected to the laptop under investigation?

The only way that I would be aware of is if the subject actually opened the files on the original USB and thus changed the "access-time" date and timestamp. A straight copy from one USB to another USB on an entirely different computer we don't have in our possession would not change anything on the original USB to indicate such, correct?

Are you sure that opening the file on the USB device is the _only_ action that would make that modification?

Additionally, I did see two more USB drives enumerate on the day the subject copied the data off his laptop to the USB. These were two USBs that the subject's laptop had not previously seen.

Which data source(s) are you using to identify the enumeration of the two USB drives?

I do not see any .lnk files, Shellbags or other artefacts that indicate any activity to these two USBs, not to say I am not missing something.

Given that the Win10 laptop image is, in your words, encrypted, I'm not sure from where you're getting your data, so I feel as if there's something that's not been shared.

 
Posted : 15/02/2020 3:33 pm
(@cybertend)
Posts: 22
Eminent Member
Topic starter
 

Where were the LNK files you found? On which device, within which image?

I ask because you'd stated that the laptop image is encrypted, and when I open a file on a USB device connected to my laptop, the LNK file associated with that action appears on my laptop.

As such, with the only device image you have that is not encrypted being the image of the USB device, I'm not clear as to how an LNK file on the USB device would demonstrate what you stated above.

Re
So to clarify, the Windows 10 drive is encrypted. However, I have the local Administrator account for the laptop and thus was able to get a good logical copy. Ideally I would decrypt the device but, alas, I don't have the key.
The .lnk files, Shellbags and jump lists come from the logical image (recent documents).

Are you sure that opening the file on the USB device is the _only_ action that would make that modification?

Re
Well, there are other things that could modify dates/times for files; however, I am fairly sure that a copy action does not modify any date/time stamps of the files. But this is why I am posting here, as I was hoping to be enlightened as to something I may be missing that would indicate a copy had been made.

Which data source(s) are you using to identify the enumeration of the two USB drives?

Re
The Windows 10 logical image I was able to get after logging into the Windows 10 box with Administrator rights.

Given that the Win10 laptop image is, in your words, encrypted, I'm not sure from where you're getting your data, so I feel as if there's something that's not been shared.

Re
Yes, apologies, I should have explained a bit further on obtaining the logical image of the Windows 10 laptop logged in as Administrator.

No, sorry. Unless you find one of the currently unknown USB drives, you can't prove that.
And regarding the two USB devices you have seen, are you sure it is a drive? Couldn't it be some kind of accessory like a mouse, keyboard or USB headset? If you don't have any LNK files from these 2 devices, the copy process could have been started via the command line, xcopy.exe for example.

regards, Robin

Re
Thanks Robin, and agreed, the USB devices certainly could be accessories.

 
Posted : 15/02/2020 5:43 pm
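The exchange above turns on what a FAT32 volume actually records about a file. As an added example, not code from any poster, the decoder below reads the three timestamps of a FAT32 short-name directory entry from raw bytes. It shows what the OP's "access-time" really is on FAT32: a date with no time-of-day field at all, which is why same-day activity on the stick cannot be ordered from it. The directory entry bytes are constructed for this example (a file last written on 23 December and copied to the stick on 2 January; a Windows Explorer copy sets the creation time on the destination to the copy time and carries the modified time over from the source).

```python
"""Decode the three timestamps of a FAT32 short-name directory entry.

Added example; not from the thread. The entry bytes below are constructed.
Layout of the 32-byte entry (FAT specification):
  0x0B  attributes
  0x0D  creation time, 10 ms units (0-199), refines the 2 s field below
  0x0E  creation time   (hh:mm:ss/2, packed)
  0x10  creation date   (yyyy-mm-dd, packed)
  0x12  last access DATE only; FAT has no access time-of-day field
  0x16  last write time (2 s resolution)
  0x18  last write date
  0x1C  file size
All values are little-endian, local time, no time zone.
"""
import struct
from datetime import date, datetime, time


def fat_date_raw(year: int, month: int, day: int) -> int:
    """Pack a date: bits 15-9 year since 1980, 8-5 month, 4-0 day."""
    return ((year - 1980) << 9) | (month << 5) | day


def fat_time_raw(hour: int, minute: int, second: int) -> int:
    """Pack a time: bits 15-11 hour, 10-5 minute, 4-0 second/2."""
    return (hour << 11) | (minute << 5) | (second // 2)


def fat_date(raw: int) -> date:
    return date(1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F)


def fat_time(raw: int, tenths: int = 0) -> time:
    """tenths is the 10 ms creation refinement byte; 0 for write times."""
    second = (raw & 0x1F) * 2 + tenths // 100
    return time(raw >> 11, (raw >> 5) & 0x3F, second, (tenths % 100) * 10_000)


def decode_entry(entry: bytes) -> dict:
    """Return created/modified datetimes, the access date, and the size."""
    if len(entry) != 32:
        raise ValueError("a FAT directory entry is exactly 32 bytes")
    ctenths, ctime, cdate, adate, wtime, wdate, size = struct.unpack_from(
        "<BHHHxxHHxxI", entry, 0x0D)   # xx skips the two cluster-number fields
    return {
        "name": entry[:11].decode("ascii"),
        "created": datetime.combine(fat_date(cdate), fat_time(ctime, ctenths)),
        "accessed": fat_date(adate),          # a date, never a datetime
        "modified": datetime.combine(fat_date(wdate), fat_time(wtime)),
        "size": size,
    }


# Constructed entry: written on the source on 2019-12-23, copied to the stick
# on 2020-01-02 (Explorer sets created = copy time and keeps modified).
SAMPLE_ENTRY = (
    b"SECRET  TXT" + bytes([0x20, 0x00])                  # 8.3 name, attr, NT reserved
    + bytes([50])                                         # +0.50 s creation refinement
    + struct.pack("<HH", fat_time_raw(9, 31, 10), fat_date_raw(2020, 1, 2))
    + struct.pack("<H", fat_date_raw(2020, 1, 2))         # last access date
    + struct.pack("<H", 0)                                # first cluster (high word)
    + struct.pack("<HH", fat_time_raw(14, 5, 32), fat_date_raw(2019, 12, 23))
    + struct.pack("<H", 3)                                # first cluster (low word)
    + struct.pack("<I", 4096)
)

if __name__ == "__main__":
    for key, value in decode_entry(SAMPLE_ENTRY).items():
        print(f"{key:9} {value}")
```

Run against entries carved from the physical USB image, this gives the same three values a forensic suite reports, and makes the limitation concrete: if the stick was read on another machine on the same day it was written, the access date cannot move, and if it was read on a machine that does not update FAT access dates at all, nothing on the stick changes.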
(@cults14)
Posts: 367
Reputable Member
 

Through investigating .lnk and other data it is very obvious the subject moved a large amount of data from the corporate network drive down to his laptop and then to the USB drive.

How can you tell solely from LNK that data was moved? To me, moved implies not leaving the original in place; do you mean copied?

What do you mean by "a large amount of data"? "Lots" of files? Or a few very big ones? IP theft is my main focus, and I've not seen many systems (maybe even any) where there are lots of LNK files that point to external media. A good few, sure, and it may suggest that a large amount of data was moved, but it's not enough to make it "very obvious".

I'm not denying that there are artefacts (e.g. Shellbags) which could support your claim, but personally I don't see LNK files on their own being sufficient evidence except in the case of specific files.

HTH

Peter

 
Posted : 17/02/2020 4:56 pm
watcher
(@watcher)
Posts: 125
Estimable Member
 

… Re
So to clarify, the Windows 10 drive is encrypted. However, I have the local Administrator account for the laptop and thus was able to get a good logical copy. Ideally I would un-encrypt the device but, alas, I dont have the key….

Can't you obtain the recovery key via "manage-bde" ?

 
Posted : 17/02/2020 11:24 pm
(@cybertend)
Posts: 22
Eminent Member
Topic starter
 

How can you tell solely from LNK that data was moved? To me, moved implies not leaving the original in place; do you mean copied?

What do you mean by "a large amount of data"? "Lots" of files? Or a few very big ones? IP theft is my main focus, and I've not seen many systems (maybe even any) where there are lots of LNK files that point to external media. A good few, sure, and it may suggest that a large amount of data was moved, but it's not enough to make it "very obvious".

I'm not denying that there are artefacts (e.g. Shellbags) which could support your claim, but personally I don't see LNK files on their own being sufficient evidence except in the case of specific files.

HTH

Peter

RE
Thanks Peter for the response. I did mean copy, not move; big difference. The large amount of data was ~2,000 files, smaller files around policies/procedures/customer lists, and a few patent-pending files as well.

I have two sources to support the claim of this file copy. From the laptop, the subject initially copied these files to the laptop desktop from a network mapped drive. This was ~23rd of December. On January 2nd, the subject's last day, these same files were copied to a Verbatim USB stick. My two sources on this are: 1) LNK files were created; agreed, I don't always see this, so Shellbags help. 2) The company has DLP deployed on all the laptops; when the subject copied all the files to the Verbatim, a DLP alarm triggered and IT sent an email to him (he had already left) and to my CISO contact. We got the Verbatim back and, after imaging the USB stick, verified that the files contained on the Verbatim were in fact the ones that IT had raised a concern about from the DLP alarm.

Now, that same day, 3 new USB devices were inserted for the first time. Windows marked these as storage devices. I am not showing any files (LNK, Shellbags or otherwise) were copied to these three devices. One was a brand-name SanDisk. The other two were Alcor Micro Corp. and Chipsbank Microelectronics Co., Ltd (Windows listed a generic flash disk).

What is raising the hairs on the back of my neck is that this is a Swiss-based pharma company, and the subject is going to work for a Chinese competitor. The subject traveled to China on Sept 1 for the purposes of an on-site interview. The subject did take the laptop in question to China. I don't show any activity besides the subject firing up a Netflix movie on a date/time that would put the subject on an airplane back to the USA.

Can't you obtain the recovery key via "manage-bde"?

RE
Thanks watcher, I will give that a shot.

 
Posted : 18/02/2020 1:37 am
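The thread leaves the question of which data source showed the three first-time USB devices, and Robin's caveat that a new USB device is not necessarily a drive. As an added example, not the poster's method, the script below pulls first-connection times out of setupapi.dev.log, which Windows writes when a device is installed for the first time, and separates USBSTOR (mass storage) entries from HID and plain USB ones. It also flags instance IDs that Windows generated itself because the device reported no serial number (second character is an ampersand), which matters when you later try to match a found stick to a log entry. The log text is constructed for this example; the vendor, product and serial strings are illustrative, not the devices from the case.

```python
"""Pull first-connection times for USB devices out of setupapi.dev.log.

Added example; not from the thread. Windows appends a "Device Install
(Hardware initiated)" section to C:\\Windows\\INF\\setupapi.dev.log the first
time a device is plugged in (timestamps are local time). USBSTOR\\ IDs are
mass storage; HID\\ and plain USB\\ IDs are other functions (keyboard, mouse,
headset, or the parent interface of a storage device). A second character of
'&' in the last ID component means Windows generated the instance ID because
the device reported no serial number. SAMPLE_LOG is constructed.
"""
import re
from datetime import datetime
from typing import List, Optional

SECTION_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
VEN_PROD_RE = re.compile(r"Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)")


def _describe(device_id: str, first_seen: datetime) -> dict:
    parts = device_id.split("\\")
    enumerator, instance = parts[0].upper(), parts[-1]
    serial = instance[:-2] if instance.endswith("&0") else instance   # drop LUN suffix
    vp = VEN_PROD_RE.search(device_id)
    return {
        "device_id": device_id,
        "storage": enumerator == "USBSTOR",
        "vendor": vp.group("ven") if vp else None,
        "product": vp.group("prod") if vp else None,
        "serial": serial,
        "hardware_serial": len(serial) > 1 and serial[1] != "&",
        "first_seen": first_seen,
    }


def parse_setupapi(text: str) -> List[dict]:
    """One dict per 'Device Install (Hardware initiated)' section, in log order."""
    devices, pending = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            pending = m.group("id")      # ID line comes first, timestamp on the next line
            continue
        m = START_RE.match(line)
        if m and pending:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            devices.append(_describe(pending, ts))
            pending = None
    return devices


def storage_first_seen(text: str, on_day: Optional[str] = None) -> List[dict]:
    """Mass-storage devices first installed on the given ISO date (or on any date)."""
    return [d for d in parse_setupapi(text)
            if d["storage"] and (on_day is None or d["first_seen"].date().isoformat() == on_day)]


# Constructed log excerpt: one stick seen in November, then on 2 January a
# SanDisk stick (its USB parent first, then the USBSTOR disk), a HID keyboard,
# and a no-name stick with no hardware serial.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B4F3AB1C0E2D5A3F1&0]
>>>  Section start 2019/11/14 08:20:10.117
      cmd: C:\Windows\System32\svchost.exe -k DcomLaunch -p
<<<  Section end 2019/11/14 08:20:12.560
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567890123]
>>>  Section start 2020/01/02 09:14:31.880
      cmd: C:\Windows\System32\svchost.exe -k DcomLaunch -p
<<<  Section end 2020/01/02 09:14:33.102
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2020/01/02 09:14:33.612
      cmd: C:\Windows\System32\svchost.exe -k DcomLaunch -p
<<<  Section end 2020/01/02 09:14:35.221
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - HID\VID_046D&PID_C31C&MI_00\7&2a1b3c4d&0&0000]
>>>  Section start 2020/01/02 11:02:07.005
<<<  Section end 2020/01/02 11:02:07.950
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&1f2e3d4c&0]
>>>  Section start 2020/01/02 15:47:52.339
<<<  Section end 2020/01/02 15:47:54.001
<<<  [Exit status: SUCCESS]
"""

if __name__ == "__main__":
    for d in storage_first_seen(SAMPLE_LOG, "2020-01-02"):
        print(d["first_seen"], d["vendor"], d["product"], d["serial"],
              "hardware serial" if d["hardware_serial"] else "Windows-generated ID")
```

Two caveats when using this on a real image: setupapi.dev.log records the first install only, so it gives the first-connection time and nothing about later insertions (the USBSTOR and MountedDevices registry keys and the Windows event logs are the usual complements), and older sections get rotated into setupapi.dev.YYYYMMDD_HHMMSS.log files in the same directory, which should be parsed too.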