Identifying Files Copied to External Media


JHassell
Newbie
 

Identifying Files Copied to External Media

Post Posted: Aug 10, 19 19:19

I have a report from another examiner in which he claims "User X copied file Y to external drive Z on date abc." Because of some issues in the case, I can't demand that they tell me how they got that conclusion.

My question is how you can find information about a file being copied to an external drive, including the date. I thought it might be in shellbags or USB connections, but what I need is not in either report.

Since this is a common request, especially in my typical client, I'd like to know how they did it. Did I miss a class in forensic school?

Thanks!  
 
  

armresl
Senior Member
 

Re: Identifying Files Copied to External Media

Post Posted: Aug 10, 19 20:27

Too many variables which you can't answer to get help.
You can't tell why or how they arrived at the conclusion they arrived at.
You aren't saying what you have done to try and validate the dates they have (with or without a PC or the image)

If you can post more details you can probably get some help.


- JHassell
I have a report from another examiner in which he claims "User X copied file Y to external drive Z on date abc." Because of some issues in the case, I can't demand that they tell me how they got that conclusion.

My question is how you can find information about a file being copied to an external drive, including the date. I thought it might be in shellbags or USB connections, but what I need is not in either report.

Since this is a common request, especially in my typical client, I'd like to know how they did it. Did I miss a class in forensic school?

Thanks!

_________________
Why order a taco when you can ask it politely?

Alan B. "A man can live a good life, be honorable, give to charity, but in the end, the number of people who come to his funeral is generally dependent on the weather. " 
 
  

JHassell
Newbie
 

Re: Identifying Files Copied to External Media

Post Posted: Aug 11, 19 05:01

I cannot ask them and I don't have the image. If I did, I'd probably be able to figure it out.

So my basic question is "Is there a way to find what files were copied to external media?"

I've searched on drive letters, reviewed shellbags and attached USB devices, looked in the event log, along with usual things like find email addresses (just in case he emailed the files), and tried INFO2 files (just in case he deleted after copying).

I'm wondering if they took several artifacts and were reasoning something about them collectively to get their conclusion.

Thanks!  
 
  

randomaccess
Senior Member
 

Re: Identifying Files Copied to External Media

Post Posted: Aug 11, 19 07:02

When a user copies a file to a USB device, the modified date will predate the creation date.
If the user then accesses those files, the target's MAC times are copied into the link file (note, if you don't want to get caught, don't access the files).

A simple method is to extract all the shell items from LNK/Jumplists, filter for external media, look at all the files that were accessed where mod < create, and then the create date is when the file was copied.

Similarly, when a file is accessed its folder gets a link file as well. If mod < create then the whole folder was copied.

Highly recommend testing this out to see how it works in your specific scenario  
 
  

athulin
Senior Member
 

Re: Identifying Files Copied to External Media

Post Posted: Aug 11, 19 09:13

- randomaccess
A simple method is to extract all the shell items from LNK/Jumplists, filter for external media, look at all the files that were accessed where mod < create, and then the create date is when the file was copied.


This seems backwards.

You start from the 'rule' that if a file copy is done to external storage, M precedes C in the resulting file copy. (I'm not questioning this for the moment, although I'm not sure there are any published tests done on modern releases of Windows. But that's another issue.)

However, the method you describe goes the other way: it says 'if you find files where M < C, then you have a file that has been copied.' And that case is not covered by the rule. You have not shown that if M precedes C it can *only* have happened through a file copy, nor even that they *predominantly* do so, if you happen to believe in applying statistical criteria to single cases. (In terms of logic, the implication covered by the rule cannot be extended to the equivalence suggested by your method.)

You may have something that may be a lead and that is worth investigating further, but you do not have enough information to draw a conclusion that these files were copied.

A very old (perhaps even too old, as it refers to tests made on XP SP2 only) paper (Rules of Time on NTFS file system) does have the M < C situation among its rules, but it says:

Rule No. 3: In a folder, if files’ M times are before C times and the files have “very close” C times, the files have been
1) copied from one system to the same or another system in a batch or
2) moved from one partition to another partition in a batch or
3) extracted from a compressed file.


However, this 'rule' is valid only within the conditions of the tests they made, described in that paper; it involved only file copy and file move (and some additional operations such as file archive extraction) on a single system (and actually did not clearly involve external storage at all ... )

A rule 3 reformulated for general use should include a fourth point: "4) or was written to the folder by methods we have not covered in this paper".  
 
  

randomaccess
Senior Member
 

Re: Identifying Files Copied to External Media

Post Posted: Aug 11, 19 11:33

- athulin
I'm not sure there are any published tests done on modern releases of Windows.


There's this
And then my own testing for copying and cutting

According to the poster, the file's creation date is set at the creation of the file, and in the event of a copy its modified date is retained, but the creation is the time of the copy. If the file is cut, the created date is inherited, but then that wouldn't be shown using the method I described.

As per the document you described, yes the files could have come from a compressed archive, they could also have come from elsewhere and have the same names. You would need to correlate them with the files on the host that are suspected to have been copied.  
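The two heuristics discussed in this thread, randomaccess's M < C test on LNK/Jump List targets on removable media and Rule No. 3's "very close C times" clustering from the NTFS paper athulin cites, applied together in an added Python example that is not code from any poster. It assumes the target metadata has already been extracted from the link files into records; the LnkTarget class, the 5-second window and the sample timestamps are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# DriveType values from the VolumeID structure of a shell link (MS-SHLLINK).
DRIVE_REMOVABLE = 2
DRIVE_FIXED = 3

@dataclass
class LnkTarget:
    """Target metadata already extracted from an LNK or Jump List entry."""
    target_path: str
    drive_type: int
    created: datetime   # target CreationTime (UTC FILETIME in the LNK header)
    modified: datetime  # target WriteTime

def copy_leads(targets):
    """randomaccess's heuristic: a removable-media target whose modified time
    precedes its creation time was probably written by a copy, and C is the
    candidate copy time. A cut/move keeps the original C, so it is not caught."""
    return [(t.target_path, t.created) for t in targets
            if t.drive_type == DRIVE_REMOVABLE and t.modified < t.created]

def batch_clusters(targets, window=timedelta(seconds=5)):
    """Rule No. 3 of 'Rules of Time on NTFS file system': M < C files in one
    folder with very close C times point to a batch copy, move or extraction.
    A cluster is a stronger lead than a lone hit, not proof of origin."""
    by_folder = defaultdict(list)
    for path, created in copy_leads(targets):
        by_folder[path.rsplit("\\", 1)[0]].append((created, path))
    clusters = {}
    for folder, items in by_folder.items():
        items.sort()
        if len(items) > 1 and items[-1][0] - items[0][0] <= window:
            clusters[folder] = [p for _, p in items]
    return clusters

# Constructed sample records, not data from the thread (UTC timestamps).
SAMPLE = [
    LnkTarget(r"E:\work\report.docx", DRIVE_REMOVABLE,
              datetime(2019, 8, 5, 10, 0, 0), datetime(2019, 7, 1, 9, 30)),
    LnkTarget(r"E:\work\budget.xlsx", DRIVE_REMOVABLE,
              datetime(2019, 8, 5, 10, 0, 2), datetime(2019, 6, 20, 14, 5)),
    # Edited on the device after being written: M > C, so not a copy lead.
    LnkTarget(r"E:\work\notes.txt", DRIVE_REMOVABLE,
              datetime(2019, 8, 5, 10, 0, 4), datetime(2019, 8, 6, 8, 0)),
    # Same M < C pattern on the fixed disk (e.g. an extracted archive): excluded.
    LnkTarget(r"C:\Users\x\Documents\report.docx", DRIVE_FIXED,
              datetime(2019, 8, 1, 12, 0), datetime(2019, 7, 1, 9, 30)),
]
```

Files the clustering flags still need to be matched against the suspected source files on the host, as randomaccess notes, before anything stronger than a lead is claimed.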
 
  

athulin
Senior Member
 

Re: Identifying Files Copied to External Media

Post Posted: Aug 11, 19 11:50

- randomaccess
There's this


Well, ... that's no testing, that's just a number of statements. You can't even say for what Windows release these statements are valid, and you can't be sure you can repeat the tests to check them. It's on par with the forensic analyst mentioned by the original poster -- perhaps this is what he uses for his conclusions.

@OP: Don't use that SANS stuff. Not until they publish sufficient information that you can repeat any tests exactly as stated.

And then my own testing for copying and cutting


That looks more like it. Thanks for posting!  
 
