Detecting which files got copied to a USB flash drive

    We had this question from an OSForensics customer today, so I thought it was worth posting the response.

    Windows supports a number of different file systems (NTFS, FAT32, exFAT, etc.). The details recorded about files and file transactions for each of them are different. The details recorded also depend on the operating system in use.

    As a broad general statement, Windows doesn't record details about what files were copied between drives. So generally it is impossible to recover a list of files copied. The data just isn't stored.

    BUT, there is some information that can often be collected.

    You can get a list of USB drives connected to the machine (Recent activity in OSF).
    • If the file was copied to a USB drive AND the file was opened from that location there would be a link (.lnk) file to that removable media. You can see the list of files from the name of the LNK file, but inside the LNK file you can find the file location. Using the OSForensics File Name Search function you can quickly find all the LNK files, then open them with the internal viewer to decode the content (which gives the drive letter and folder name of the file being opened).
    • If the file was copied to a USB drive AND the file was opened from that location, there would be a Jump list entry. You can recover the Jump List records from the Recent Activity function in OSForensics.
    • If after the copy operation, files are listed in icon view in an Explorer window, it is possible to see the directory structure of a network drive or removable device by looking at the Shellbag entries in OSF Recent activity. In our testing however, these don't always seem to be created.
    • Depending on the operating system & file system you might be able to look at Last Access Times of files around the time the USB drive was used to have a good guess at what files were copied. Last Access Time updating is enabled by default in XP. In order to save system resources, it is disabled by default in Vista and later. But it can be manually enabled. See https://technet.microsoft.com/en-us/.../cc959914.aspx
      Also, if it has been a while since the files were copied, the last access times would likely have been updated since the copy operation took place. So the information would be lost. Given that most people are using Win7 and Win10, this normally isn't an option.
    • Sometimes the Windows Search function might index files on the USB drive (if you believe the reports on the internet). You can see the Windows Search records from the Recent Activity function in OSForensics. In our testing, however, we couldn't get this to happen. So likely it depends on timing issues, which O/S is in use and how long it has been since the drive was removed. You might get lucky however.

    All this assumes you don't have access to the USB drive in question. If you have the USB drive, then there is more that can be done to see when files were copied and if they match files on the hard drive.
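    As an added example (not part of the original post and not OSForensics code), the following Python script decodes the LinkInfo block of .lnk files according to the MS-SHLLINK layout to recover the target's drive type, volume serial, volume label and path, and flags the links that pointed at removable media; the sample LNK bytes are constructed inline, the parser assumes an ANSI volume label, and UNC (network) targets are skipped.

```python
import struct
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02               # ShellLinkHeader.LinkFlags bits
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01                              # LinkInfo.LinkInfoFlags bit
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}             # VolumeID.DriveType values


def _cstr(data: bytes, off: int) -> str:  # NUL-terminated ANSI string starting at off
    return data[off:data.index(b"\0", off)].decode("latin-1")


def parse_lnk(data: bytes):
    """Drive type, volume serial/label and target path of one .lnk; None if it has no LinkInfo."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:               # skip LinkTargetIDList (IDListSize + IDList)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    _, _, li_flags, vol_off, path_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
    if not li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:  # UNC target (CommonNetworkRelativeLink): not handled
        return None
    _, drive_type, serial, label_off = struct.unpack_from("<4I", data, pos + vol_off)
    return {"drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)), "serial": f"{serial:08X}",
            "label": _cstr(data, pos + vol_off + label_off),
            "path": _cstr(data, pos + path_off) + _cstr(data, pos + suffix_off)}


def removable_targets(lnk_dir):  # triage a folder of .lnk files (e.g. an exported Recent folder)
    hits = []
    for p in Path(lnk_dir).glob("*.lnk"):
        info = parse_lnk(p.read_bytes())
        if info and info["drive_type"] == "REMOVABLE":
            hits.append((p.name, info["path"], info["serial"], info["label"]))
    return hits


def build_lnk(drive_type: int, serial: int, label: str, base_path: str) -> bytes:
    """Construct a minimal .lnk (header + LinkInfo only) as test input; not a real capture."""
    label_b, path_b = label.encode() + b"\0", base_path.encode() + b"\0"
    volume_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 16) + label_b
    body = volume_id + path_b + b"\0"                 # VolumeID, LocalBasePath, empty CommonPathSuffix
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH, 0x1C,
                            0x1C + len(volume_id), 0, 0x1C + len(volume_id) + len(path_b)) + body
    return struct.pack("<I16sI", 0x4C, LNK_CLSID, HAS_LINK_INFO) + b"\0" * (0x4C - 24) + link_info


SAMPLE_USB = build_lnk(2, 0x1234ABCD, "KINGSTON", "E:\\Reports\\Q3-budget.xlsx")  # constructed sample
SAMPLE_HDD = build_lnk(3, 0x0BADF00D, "OS", "C:\\Users\\alice\\Documents\\notes.txt")  # constructed sample
```

    Point removable_targets() at a directory of exported .lnk files (such as the ones File Name Search turns up) to list only the links whose VolumeID records a removable drive.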

  • #2
    For Apple iOS have a look in the /var/log folder for the system.log files. Search for entries in these log files that mention the word diskarbitration.
    Some of the files might be compressed, so you might need to unzip them first.
    This will give an indication of whether a USB drive was connected to the machine, but it will not list the files that were copied.
    There might also be other indications in iOS, but it isn't something we have looked deeply into.