Re: Tracking moved files?

LNK file analysis will do the trick, but you need to use a forensic method to 
extract and analyze them.  There are embedded dates within these LNK files that 
you can use, also looking through the registry under the USBSTOR for thumb 
drives, matching to drive letters might provide some clues.

Jim

Jim Butterworth, EnCE, GCIA
Manager, Professional Services, Southwest

*** Sent while Mobile ***




-----Original Message-----
From: Bart Somers <zon4jou@gmail.com>
To: Serge Jorgensen <filbanks@gmail.com>
CC: forensics@securityfocus.com <forensics@securityfocus.com>
Sent: Tue May 09 02:52:00 2006
Subject: Re: Tracking moved files?

Besides the installation info, all files copied or moved to the
removable storage should have been accessed (to read) or modified
(remove). So i think analyzing the access-times from your
source-filesystem should show you accessed and removed files.
This is off course not water-tight, as i can plugin an USB-device,
work on a lot of files (without doing something with the USB-device)
and remoce the device, but at least it's a start.

Best regards,

Bart Somers.

On 5/4/06, Serge Jorgensen <filbanks@gmail.com> wrote:
> Hello!
>
> I'm try to show that files were copied and/or moved off a W2K drive
> onto a USB stick. Obviously the registry and setupapi files show the
> USB installation info - but I can't find the log file (or other
> method?) that Windows must use to track files being moved and copied.
>
> I don't have the USB device - which would make this a whole lot easier.
>
> Any ideas would be great.
>
> Thanks.
>
> George