Pau Lo asked:
USB data dragged

forensics experts,

Am I right in thinking that on an XP machine you won't get a list of files/what data was dragged onto a USB thumb drive, and at absolute best you'll get some sort of audit trail that the USB was plugged into the machine, but no clue what was dragged onto that drive?

Does the same extend to CD/DVD, i.e. no real audit log of what data was saved/burnt to them? In terms of files...
ASKER CERTIFIED SOLUTION
Tony Giangreco
This solution is only available to members of Experts Exchange.
Same for CD\DVD
SOLUTION
btan
This solution is only available to members of Experts Exchange.
Pau Lo (ASKER):
I assume now temp files created during dragging data to a USB? I.e. dragging it on to the drive letter in My Computer on XP.
Pau Lo (ASKER):
Are there any tools to see what temp files were created when trying to recreate certain user actions?
Not necessary, as there can be delayed write and write-through configured.
Maybe at %USERPROFILE%\AppData\Local\Temp

I was pulling out my thoughts into even the s/w API used such as this
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx#caching_behavior

Specifying the FILE_ATTRIBUTE_TEMPORARY attribute causes file systems to avoid writing data back to mass storage if sufficient cache memory is available, because an application deletes a temporary file after a handle is closed. In that case, the system can entirely avoid writing the data. Although it does not directly control data caching in the same way as the previously mentioned flags, the FILE_ATTRIBUTE_TEMPORARY attribute does tell the system to hold as much as possible in the system cache without writing and therefore may be of concern for certain applications.

Creating and Using a Temporary File
http://msdn.microsoft.com/en-us/library/windows/desktop/aa363875(v=vs.85).aspx

More info on caching
http://msdn.microsoft.com/en-us/library/windows/desktop/aa364218(v=vs.85).aspx
Pau Lo (ASKER):
But as for a tool that shows what tmp files were created in real time, no such tool out there? I.e. if I open a docx I know that creates a tmp file, but is there any tool that records what tmp files were created based on what user action?
Doubt there is any publicly, unless you really have some sandbox environment for those applications to track. Real-time capturing looks to me like surveillance workstation software, but even then not sure it is really granular enough to track these tcp
SOLUTION
This solution is only available to members of Experts Exchange.
SOLUTION
This solution is only available to members of Experts Exchange.
Pau Lo (ASKER):
Rollh, could you go into a little more detail for the layman? And very interesting, ken and breadtan, will research your links with interest.
Sure pma... having a timeline means you already have in just one place (commonly a spreadsheet) all the actions that occurred in the computer and also all the files in the system sorted by date, including Event Logs, History files (index.dat, antivirus logs, other app logs, etc.).
This timeline should consequently have the time the USB device was connected and disconnected.

When a file is dragged, its last access date changes. So, if you can identify the dates while the USB was connected, then you have a strong assumption for your case.
Obviously, those files that were accessed/modified after this action won't possibly be identified with this method. Shortcuts are also a good clue here.
Pau Lo (ASKER):
Thank you, interesting stuff.... Hate to ask, but could you elaborate on shortcuts too in this context/scenario?
Pau Lo (ASKER):
Are all the decent timeline tools commercial or are there any freebies?
Shortcuts are another monster, but they also provide you with dates, and as indicated in another comment I think, they point you to files that might be read from the USB device.
The best tool I know for timeline is SIFT (sans.org), it is free. But the idea behind this is to sort all kind of events, files, logs, etc based on date, so you can group them even manually in a spreadsheet.
Pau Lo (ASKER):
Just to sweep up re SIFT: can you specify a day, i.e. if you want a timeline for say 23 May 2012, does it do you a report? And how does it work on images of drives, i.e. an E01 file, or can't it work on post-mortem image files?
It is the work of log2timeline-sift to work on the target image to have that "timeline report". A txt is generated as the overall timeline for the target image analysed. It is then converted to csv (use l2t_process) and imported into Excel. The search then starts - rather manual, but you don't expect much from open source :)

http://computer-forensics.sans.org/blog/2011/12/07/digital-forensic-sifting-super-timeline-analysis-and-creation
http://computer-forensics.sans.org/blog/2012/01/20/digital-forensic-sifting-targeted-timeline-creation-and-analysis

It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats.
https://ramslack.wordpress.com/2011/03/31/e01%E2%80%99s-and-sift-%E2%80%93-a-forbidden-love-affair%E2%80%A6/
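Added example, not from any poster in this thread and not SIFT or log2timeline code: a small Python script that does what Rollh and btan describe doing by hand in a spreadsheet, i.e. read a log2timeline-style CSV, pair USB connect/disconnect markers into windows, and list the last-access and shortcut entries that fall inside those windows. The sample rows, the "USB inserted"/"USB removed" marker text, and the assumption that the first columns follow the l2t_csv layout (date,time,timezone,MACB,source,...) are all constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed timeline rows (not real SIFT output) using the first eleven
# columns of the l2t_csv layout. The two "USB ..." rows stand in for whatever
# artifact recorded the device's arrival and removal in a real case.
SAMPLE_TIMELINE = """date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc
05/23/2012,09:58:10,UTC,....,EVT,System,Event Log,-,XPBOX,USB inserted,constructed device arrival marker
05/23/2012,10:01:42,UTC,.A..,FILE,NTFS,Last Access,pau,XPBOX,C:/Docs/budget.xls,Last access time
05/23/2012,10:02:05,UTC,.A..,FILE,NTFS,Last Access,pau,XPBOX,C:/Docs/plan.docx,Last access time
05/23/2012,10:03:30,UTC,....,LNK,Shortcut,Recent,pau,XPBOX,E:/plan.docx,Shortcut pointing at removable drive
05/23/2012,10:09:00,UTC,....,EVT,System,Event Log,-,XPBOX,USB removed,constructed device removal marker
05/23/2012,13:15:00,UTC,.A..,FILE,NTFS,Last Access,pau,XPBOX,C:/Docs/notes.txt,Last access time
"""


def parse_timeline(text):
    """Parse l2t-style CSV text and attach a datetime to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["date"] + " " + r["time"], "%m/%d/%Y %H:%M:%S")
    return sorted(rows, key=lambda r: r["ts"])


def usb_windows(rows):
    """Pair each 'USB inserted' marker with the next 'USB removed' marker."""
    windows, start = [], None
    for r in rows:
        if r["short"] == "USB inserted":
            start = r["ts"]
        elif r["short"] == "USB removed" and start is not None:
            windows.append((start, r["ts"]))
            start = None
    if start is not None:  # device still connected at the end of the timeline
        windows.append((start, datetime.max))
    return windows


def accessed_while_connected(rows, windows):
    """Return (time, source, path) for last-access ('.A..') and shortcut entries inside a window."""
    hits = []
    for r in rows:
        in_window = any(lo <= r["ts"] <= hi for lo, hi in windows)
        if in_window and (r["MACB"][1] == "A" or r["source"] == "LNK"):
            hits.append((r["ts"].strftime("%H:%M:%S"), r["source"], r["short"]))
    return hits


if __name__ == "__main__":
    timeline = parse_timeline(SAMPLE_TIMELINE)
    for hit in accessed_while_connected(timeline, usb_windows(timeline)):
        print(hit)
```

As Rollh notes, a file accessed again after the USB session drops out of the result, so the list is a lead to confirm against shortcut and other artifacts, not proof of copying.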