Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Tracking moved files?

from [Admin.mmm] Network Security [Permanent Link]
Subject: RE: Tracking moved files?
Date: Mon, 8 May 2006 21:10:40 +1000 
I vaguely remember something about a DLT system in w2k.
It tracks the files for indexing purposes and creates a hidden log file.

I dragged this off the MS site:

"The DLT Client service monitors activity on NTFS volumes and stores
maintenance information in a file called Tracking.log, which is located in a
hidden folder called System Volume Information at the root of each volume.
This folder is protected by permissions that allow only the system to have
access to it. The folder is also used by other Windows services, such as
Indexing Service."

If you could log in as system you may glean something from there.

J


-----Original Message-----
From: MikeMackrill@BC.com [mailto:MikeMackrill@BC.com] 
Sent: Monday, May 08, 2006 3:51 AM
To: filbanks@gmail.com; forensics@securityfocus.com
Subject: Re: Tracking moved files?

Did you check the recent items to look for a reference to the file on the
thumb drive?

All I could think of on a Sunday morning.

Mike Mackrill

-----Original Message-----
From: Serge Jorgensen <filbanks@gmail.com>
To: forensics@securityfocus.com <forensics@securityfocus.com>
Sent: Thu May 04 10:16:08 2006
Subject: Tracking moved files?

Hello!

I'm try to show that files were copied and/or moved off a W2K drive
onto a USB stick. Obviously the registry and setupapi files show the
USB installation info - but I can't find the log file (or other
method?) that Windows must use to track files being moved and copied.

I don't have the USB device - which would make this a whole lot easier.

Any ideas would be great.

Thanks.

George
[More messages with this same subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Tracking moved files?, MikeMackrill
Next by Date:  RE: Tracking moved files?, Greg Kelley
Previous by Thread:  Re: Tracking moved files?, MikeMackrill
Next by Thread:  RE: Tracking moved files?, Greg Kelley
Indexes:  [Date] [Thread] [Top] [All Lists]