Pau Lo asked on

USB data dragged

forensics experts,

Am I right in thinking on an XP machine you won't get a list of files/what data was dragged onto a USB thumb drive, and at absolute best you'll get some sort of audit trail the USB was plugged into the machine, but no clue what was dragged onto that drive?

Does the same extend to CD/DVD, i.e. no real audit log of what data was saved/burnt to them? In terms of files...
Tags: Digital Forensics, Security, Windows XP

Last Comment: btan, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Tony Giangreco

Tony Giangreco

Same for CD\DVD
SOLUTION
btan

Pau Lo

ASKER
I assume no temp files are created during dragging data to a USB? I.e. dragging it on to the drive letter in My Computer on XP.
Pau Lo

ASKER
Are there any tools to see what temp files were created when trying to recreate certain user actions?
btan

Not necessarily, as there can be delayed write and write-through configured.
Maybe at %USERPROFILE%\AppData\Local\Temp

I was pulling out my thoughts into even the s/w API used, such as this:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx#caching_behavior

Specifying the FILE_ATTRIBUTE_TEMPORARY attribute causes file systems to avoid writing data back to mass storage if sufficient cache memory is available, because an application deletes a temporary file after a handle is closed. In that case, the system can entirely avoid writing the data. Although it does not directly control data caching in the same way as the previously mentioned flags, the FILE_ATTRIBUTE_TEMPORARY attribute does tell the system to hold as much as possible in the system cache without writing and therefore may be of concern for certain applications.

Creating and Using a Temporary File
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363875(v=vs.85).aspx

More info on caching
http://msdn.microsoft.com/en-us/library/windows/desktop/aa364218(v=vs.85).aspx
Pau Lo

ASKER
But as for a tool that shows what tmp files were created in real time, no such tool out there? I.e. if I open a docx I know that creates a tmp file, but is there any tool that records what tmp files were created based on what user action?
btan

Doubt there is any publicly, but unless you really have some sandbox environment for those applications to track. Real time capturing looks to me like surveillance workstation software, but even then not sure it is really granular to track these tcp
Pau Lo

ASKER
Rolh, could you go into a little more detail for the layman? And very interesting, ken and breadtan, will research your links with interest.
rolh

Sure pma... having a timeline means you already have in just one place (commonly a spreadsheet) all the actions that occurred in the computer and also all the files in the system sorted by date, including Event Logs, History files (index.dat, antivirus logs, other app logs, etc.).
This timeline should consequently have the time the USB device was connected and disconnected.

When a file is dragged, its last access date changes. So, if you can identify the dates while the USB was connected then you have a strong assumption for your case.
Obviously, those files that were accessed/modified after this action won't be possibly identified with this method. Shortcuts are also a good clue here.
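The correlation rolh describes (USB connect/disconnect events bracketing the last-access stamps of files, with shortcut files as a further clue) as an added example, not code from the thread or from SIFT/log2timeline. The timeline rows are constructed, in a simplified CSV layout assumed here rather than the real l2t_csv format, and the MACB flag column follows the usual M=modified, A=accessed, C=changed, B=born convention.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample timeline (simplified CSV, not the real l2t_csv layout):
# timestamp, source, MACB flags, description. Times are local to the image.
SAMPLE_TIMELINE = """\
timestamp,source,macb,description
2012-05-23 08:55:00,FS,.A..,C:\\Docs\\readme.txt
2012-05-23 09:02:10,EVT,....,USB mass storage device connected (E:)
2012-05-23 09:05:41,FS,.A..,C:\\Docs\\payroll.xlsx
2012-05-23 09:06:02,LNK,M...,C:\\Users\\bob\\Recent\\payroll.xlsx.lnk
2012-05-23 09:07:15,FS,..C.,C:\\Docs\\contracts.pdf
2012-05-23 09:11:30,EVT,....,USB mass storage device removed (E:)
2012-05-23 10:40:00,FS,.A..,C:\\Docs\\budget.docx
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_timeline(text):
    """Read the CSV and return rows sorted by timestamp."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["timestamp"] = datetime.strptime(r["timestamp"], TS_FMT)
        rows.append(r)
    return sorted(rows, key=lambda r: r["timestamp"])


def usb_windows(rows):
    """Pair each USB 'connected' event with the next 'removed' event."""
    windows, start = [], None
    for r in rows:
        if r["source"] != "EVT":
            continue
        if "connected" in r["description"]:
            start = r["timestamp"]
        elif "removed" in r["description"] and start is not None:
            windows.append((start, r["timestamp"]))
            start = None
    if start is not None:  # still attached at the end of the timeline
        windows.append((start, rows[-1]["timestamp"]))
    return windows


def accessed_while_connected(rows):
    """Files whose last-access stamp, and shortcuts whose stamp, fall inside a
    USB window. A file accessed again later (budget.docx) is missed, which is
    the limitation rolh points out."""
    windows = usb_windows(rows)
    hits = []
    for r in rows:
        relevant = (r["source"] == "FS" and "A" in r["macb"]) or r["source"] == "LNK"
        if relevant and any(lo <= r["timestamp"] <= hi for lo, hi in windows):
            hits.append(r["description"])
    return hits
```

Against a real SIFT/log2timeline CSV the same grouping can be done manually in a spreadsheet by sorting on the timestamp column and reading off the rows between the connect and remove events.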
Pau Lo

ASKER
Thank you interesting stuff.... Hate to ask but could you elaborate on shortcuts too in this context/scenario?
Pau Lo

ASKER
Are all the decent timeline tools commercial or are there any freebies?
rolh

Shortcuts are another monster, but they also provide you with dates, and as indicated in another comment I think, they point you to files that might be read from the USB device.
The best tool I know for timeline is SIFT (sans.org), it is free. But the idea behind this is to sort all kind of events, files, logs, etc based on date, so you can group them even manually in a spreadsheet.
Pau Lo

ASKER
Just to sweep up re SIFT: can you specify a day, i.e. if you want a timeline for say 23 May 2012, does it do you a report? And how does it work on images of drives, i.e. an E01 file, or can't it work on post mortem image files?
btan

It is the work of log2timeline-sift to work on the target image to have that "timeline report". A txt is generated as the overall timeline for the target image analysed. It is then converted to CSV (use l2t_process) and imported into Excel. The search then starts; rather manual, but you don't expect much from open source :)

http://computer-forensics.sans.org/blog/2011/12/07/digital-forensic-sifting-super-timeline-analysis-and-creation
http://computer-forensics.sans.org/blog/2012/01/20/digital-forensic-sifting-targeted-timeline-creation-and-analysis

It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats.
https://ramslack.wordpress.com/2011/03/31/e01%E2%80%99s-and-sift-%E2%80%93-a-forbidden-love-affair%E2%80%A6/