Every now and again, I see the question of "where does Windows keep logs of files copied to a thumb drive, or CD/DVD?" Recently, I saw that question posted to several lists, as well as emailed directly to my inbox. ;-) As such, I thought it would be a good idea to address that issue here, and maybe get comments back from others with respect to how they might address this kind of situation.
In general, Windows does not maintain a record or log of files that are copied. Whether you use the command line "copy", or use drag-n-drop, there simply isn't a record on Windows systems that show, "on this date, user X copied this file from here to here". Using something like WMI, someone could surely write a file system monitor that looked for and correlated file accesses to file creations...but that might be complicated, as you would need to also alert on removable storage devices being attached to the system and then include those within your monitoring scheme. However, this model wouldn't take into account instances in which a user opened a file in, say, MS Word, and then chose "Save As..." from the File menu and saved the file to another location.
If you have images of both pieces of media that you're interested in (ie, the hard drive, and the external storage media), you can use information from this MS KB article to gain some insight into the copy direction...if a copy operation did, in fact, occur. However, you may find a Windows shortcut/.lnk file in the acquired image of the hard drive, and a reference in the Registry to the thumb drive having been attached to the system in question. But what does this tell you? It may indicate that the user had accessed the document on the removable storage device, but it doesn't necessarily provide an indication of a copy operation.
Okay, so what if you find files...say, Word documents...with the same name on both pieces of media? Again, refer back to the previous MS KB article with respect to analyzing the MAC times of the file found in both images. I would also highly recommend hashing the files within each image (MD5, as well as perhaps also using ssdeep), as well as recording their sizes. If the files are the type that are known to contain metadata (Office or PDF docs, image files, etc.), extract and record that, as well.
1 comment:
Good stuff Harlan. Just some ideas along the lines in your post... I suppose you could use the CD/DVD burning software swap file as an indication of something recently burned. That is if you can find it and it is in a friendly format (iso). Also, another option for file system monitoring is the Microsoft .NET Framework FileSystemWatcher class which can be tapped via Visual Basic or C#. Seems like it was built for easily recording changed, renamed, deleted, or newly created files. Potential here for all kinds of utility goodies in the areas of system logging, executable file analysis, honeypots, etc. Of course to aid an investigation, you'd have to set it up BEFORE you need it :)
Post a Comment