USB data dragged

pma111 asked:

Am I right in thinking that on an XP machine you won't get a list of files/what data was dragged onto a USB thumb drive, and at absolute best you'll get some sort of audit trail that the USB was plugged into the machine, but no clue what was dragged onto that drive?

Does the same extend to CD/DVD, i.e. no real audit log of what data was saved/burnt to them? In terms of files...
Yes, you are correct. The USB connection would be logged in the Windows logs.
Same for CD/DVD.
btan, Exec Consultant, Distinguished Expert 2018, commented:
The same applies for external media storage unless the application used to do the export creates temp files. E.g. if burning a CD, the log history may have remanence, but not a 100% guarantee, as it is application specific. I remember a version of Roxio, I believe, would ask if you wanted to keep the profile settings after you burned a bunch of files to CD.

Author

Commented:
I assume now temp files are created when dragging data to a USB? I.e. dragging it onto the drive letter in My Computer on XP.

Author

Commented:
Are there any tools to see what temp files were created when trying to recreate certain user actions?
btan, Exec Consultant, Distinguished Expert 2018, commented:
Not necessarily, as there can be delayed write and write-through configured.
Maybe at %USERPROFILE%\AppData\Local\Temp

I was extending my thoughts even to the software API used, such as this:
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx#caching_behavior

Specifying the FILE_ATTRIBUTE_TEMPORARY attribute causes file systems to avoid writing data back to mass storage if sufficient cache memory is available, because an application deletes a temporary file after a handle is closed. In that case, the system can entirely avoid writing the data. Although it does not directly control data caching in the same way as the previously mentioned flags, the FILE_ATTRIBUTE_TEMPORARY attribute does tell the system to hold as much as possible in the system cache without writing and therefore may be of concern for certain applications.

Creating and Using a Temporary File
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363875(v=vs.85).aspx

More info on caching
http://msdn.microsoft.com/en-us/library/windows/desktop/aa364218(v=vs.85).aspx
Author

Commented:
But as for a tool that shows what tmp files were created in real time, is there no such tool out there? I.e. if I open a docx I know that creates a tmp file, but is there any tool that records what tmp files were created based on what user action?
btan, Exec Consultant, Distinguished Expert 2018, commented:
I doubt there is any publicly, unless you really have some sandbox environment for those applications to track. Real-time capturing looks to me like surveillance workstation software, but even then I'm not sure it is really granular enough to track these tmp files.
Commented:
If you have access to the computer then files can be traced.

Determine the full timeline (SIFT is great for this) and check the "Last Accessed" date of the files after the USB was connected. Even though it is not as conclusive as one would wish, you'll have a very good approach.
You may be able to find references to the files placed on the thumb drive in the index.dat history. Look for entries that begin with file:///

You can either search the entire drive for this string, which could find deleted or partial entries, or you can use a web history tool which puts the available history in a nice spreadsheet format. One such tool is Mandiant's web historian. http://www.mandiant.com/resources/download/web-historian

This alone wouldn't be proof of what was done, but if a reference to a drive letter other than C: is found at the same time a USB drive was plugged in, you could potentially gather additional info to tie the two together.

Colin Cree developed a nice presentation on tracking USB devices for the 2011 CEIC conference. It contains both Windows 7 and Win XP artifacts. It is available on the Guidance Support Portal at
https://support.guidancesoftware.com/forum/downloads.php?do=file&id=1140

There is one more place you can look which was recently documented by Mandiant. If you think there were executable files on the drive, the names and possibly some time information may turn up in the appcompatcache key. http://fred.mandiant.com/Whitepaper_ShimCacheParser.pdf

From page 4 of the whitepaper "Files can also be added to the cache that has not been executed. For example, when browsing a directory interactively, explorer.exe will attempt to parse executables within the directory and while doing so, add the file metadata to the Shim Cache using the Application Experience Lookup Service."

Finally, you may find the following practical exam interesting in that some of the commenters point out additional artifacts that may exist in a scenario that may be similar to yours:
http://www.forensickb.com/2008/01/forensic-practical-2.html
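The "search the entire drive for file:///" step above, as an added example that is not part of the thread. It is a plain string carve over raw bytes, not an index.dat parser, so it also picks up deleted or partial records but recovers no timestamps (a history tool such as Web Historian is still needed for those). The byte buffer is constructed to imitate the "Visited: user@url" strings that index.dat history records contain; the record-header bytes around them are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample: bytes shaped like what a raw-image grep for index.dat history
# records turns up. The "Visited: user@url" strings mimic real history entries; the
# surrounding header bytes are invented, and the last two records are "slack" left-overs.
SAMPLE_IMAGE = (
    b"\x00\x00URL \x10\x00\x00\x00Visited: pma111@file:///C:/Documents%20and%20Settings/pma111/My%20Documents/budget.xls\x00"
    b"\x00\x00URL \x10\x00\x00\x00Visited: pma111@file:///E:/budget.xls\x00"
    b"\x00\x00URL \x10\x00\x00\x00Visited: pma111@http://example.invalid/index.html\x00"
    b"\xff\xfeVisited: pma111@file:///E:/clients/list.docx\x00"   # deleted record body in slack
    b"\x8b\x1dfile:///F:/payroll\x00"                               # partial record, header gone
)

# A file:/// URL with a drive letter. Only printable ASCII is allowed in the path so a
# match stops at the NUL that terminates a record instead of running into the next one.
FILE_URL = re.compile(rb"file:///([A-Za-z]):/([\x20-\x7e]*)")


def carve_file_urls(data: bytes):
    """Return every file:///<drive>:/... string in data with its byte offset."""
    hits = []
    for m in FILE_URL.finditer(data):
        drive = m.group(1).decode("ascii").upper()
        # index.dat stores URLs percent-encoded; turn them back into a Windows path
        path = unquote(m.group(2).decode("ascii", "replace")).replace("/", "\\")
        hits.append({"offset": m.start(), "drive": drive, "path": f"{drive}:\\{path}"})
    return hits


def off_system_drive(hits, system_drive="C"):
    """Keep only references to drives other than the system drive (removable media candidates)."""
    return [h for h in hits if h["drive"] != system_drive.upper()]


def drives_seen(hits):
    """Distinct drive letters referenced, to compare against the USB device's assigned letter."""
    return sorted({h["drive"] for h in hits})


if __name__ == "__main__":
    found = carve_file_urls(SAMPLE_IMAGE)
    print("drives referenced:", drives_seen(found))
    for h in off_system_drive(found):
        print(f"offset {h['offset']:#010x}  {h['path']}")
```

Against a real image, read the evidence file in chunks and keep a small overlap between chunks so a URL straddling a chunk boundary is not missed; the drive letters that come out are only meaningful once matched to the letter the USB device was assigned (MountedDevices / the timeline), which is the tie-in the comment above describes.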

Author

Commented:
Rollh, could you go into a little more detail for the layman? And very interesting, Ken and breadtan; I will research your links with interest.

Commented:
Sure pma... having a timeline means you already have in just one place (commonly a spreadsheet) all the actions that occurred on the computer and also all the files in the system sorted by date, including Event Logs, history files (index.dat), antivirus logs, other app logs, etc.
This timeline should consequently have the time the USB device was connected and disconnected.

When a file is dragged, its last access date changes. So, if you can identify the dates while the USB was connected, then you have a strong assumption for your case.
Obviously, those files that were accessed/modified after this action won't possibly be identified with this method. Shortcuts are also a good clue here.
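The correlation the comment above describes (USB connect/disconnect window versus the last-access times of files, plus shortcut targets), as an added example that is not part of the thread. The events are constructed, not taken from any real system, and are in the shape a super-timeline gives you after log2timeline: one row per artifact. Which artifact supplies the connect and disconnect times is an assumption here (labelled "setupapi" and "evt" only for illustration); on XP the disconnect time in particular may not be recorded, which is why an open-ended window is handled.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True, order=True)
class Event:
    when: datetime
    source: str    # artifact the row came from, e.g. "setupapi", "mft", "lnk"
    kind: str      # "usb_connect", "usb_disconnect", "file_access", "lnk_target"
    detail: str    # device id or file path


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample timeline rows (deliberately out of order, as merged logs arrive).
DEV = r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk"
DOCS = r"C:\Documents and Settings\pma111\My Documents"
SAMPLE_EVENTS = [
    Event(parse_ts("2012-05-23 10:02:40"), "lnk", "lnk_target", r"E:\budget.xls"),
    Event(parse_ts("2012-05-23 08:30:00"), "mft", "file_access", DOCS + r"\old.txt"),
    Event(parse_ts("2012-05-23 09:58:10"), "setupapi", "usb_connect", DEV),
    Event(parse_ts("2012-05-23 10:01:05"), "mft", "file_access", DOCS + r"\budget.xls"),
    Event(parse_ts("2012-05-23 10:05:00"), "evt", "usb_disconnect", DEV),
    Event(parse_ts("2012-05-23 10:40:00"), "mft", "file_access", DOCS + r"\later.txt"),
    Event(parse_ts("2012-05-23 14:00:00"), "mft", "file_access", DOCS + r"\after.doc"),
    Event(parse_ts("2012-05-23 16:00:00"), "setupapi", "usb_connect", DEV),   # no disconnect seen
    Event(parse_ts("2012-05-23 16:20:00"), "mft", "file_access", DOCS + r"\notes.txt"),
]


def build_timeline(events):
    """Merge all rows into one list sorted by time (the spreadsheet view)."""
    return sorted(events)


def usb_windows(timeline):
    """Pair connect/disconnect rows into (start, end) windows; end is None if never disconnected."""
    windows, open_since = [], None
    for ev in timeline:
        if ev.kind == "usb_connect":
            if open_since is not None:            # two connects, no disconnect: close the first
                windows.append((open_since, ev.when))
            open_since = ev.when
        elif ev.kind == "usb_disconnect" and open_since is not None:
            windows.append((open_since, ev.when))
            open_since = None
    if open_since is not None:
        windows.append((open_since, None))        # still connected at the end of the evidence
    return windows


def files_accessed_during_usb(events, slack_minutes=0):
    """File-access and shortcut rows whose time falls inside a USB window.

    slack_minutes extends each window's end: NTFS may write a last-access update
    some time after the access itself, so a strict window can miss late updates."""
    timeline = build_timeline(events)
    windows = usb_windows(timeline)
    slack = timedelta(minutes=slack_minutes)
    hits = []
    for ev in timeline:
        if ev.kind not in ("file_access", "lnk_target"):
            continue
        for start, end in windows:
            if ev.when >= start and (end is None or ev.when <= end + slack):
                hits.append(ev)
                break
    return hits


def to_csv(timeline):
    """Render the merged timeline the way l2t_process output is imported into a spreadsheet."""
    rows = ["time,source,kind,detail"]
    rows += [f'{ev.when:%Y-%m-%d %H:%M:%S},{ev.source},{ev.kind},"{ev.detail}"' for ev in timeline]
    return "\n".join(rows)


if __name__ == "__main__":
    print(to_csv(build_timeline(SAMPLE_EVENTS)))
    for ev in files_accessed_during_usb(SAMPLE_EVENTS, slack_minutes=60):
        print("candidate:", ev.when, ev.detail)
```

The result is a candidate list, not proof: a last-access update inside the window shows the file was touched while the device was present, and the E: shortcut target shows something on that letter was opened, but neither says the file was copied. That is the "strong assumption" the comment refers to, and the reason the other artifacts (index.dat, shim cache, setupapi.log) are pulled into the same timeline.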

Author

Commented:
Thank you, interesting stuff.... Hate to ask, but could you elaborate on shortcuts too in this context/scenario?

Author

Commented:
Are all the decent timeline tools commercial or are there any freebies?

Commented:
Shortcuts are another monster, but they also provide you with dates, and as indicated in another comment I think, they point you to files that might have been read from the USB device.
The best tool I know for timelines is SIFT (sans.org); it is free. But the idea behind this is to sort all kinds of events, files, logs, etc. based on date, so you can group them even manually in a spreadsheet.

Author

Commented:
Just to sweep up re SIFT: can you specify a day, i.e. if you want a timeline for, say, 23 May 2012, does it do you a report? And how does it work on images of drives, i.e. an E01 file, or can't it work on post-mortem image files?
btan, Exec Consultant, Distinguished Expert 2018, commented:
It is the job of log2timeline-sift to work on the target image to produce that "timeline report". A txt is generated as the overall timeline for the target image analysed. It is then converted to CSV (use l2t_process) and imported into Excel. The search then starts; rather manual, but you don't expect much from open source :)

http://computer-forensics.sans.org/blog/2011/12/07/digital-forensic-sifting-super-timeline-analysis-and-creation
http://computer-forensics.sans.org/blog/2012/01/20/digital-forensic-sifting-targeted-timeline-creation-and-analysis

It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats.
https://ramslack.wordpress.com/2011/03/31/e01%E2%80%99s-and-sift-%E2%80%93-a-forbidden-love-affair%E2%80%A6/
