How to detect if files were saved or copied to a USB drive?

This will depend entirely on what logging you have enabled. It's easy after the event to tell you to log all file copies etc., but if you weren't logging it, you won't be able to retrieve that info.


First, try to get the information about the devices that were plugged into the computer from the following locations:

C:\Windows\inf\setupapi.dev

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR 
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB

Be very particular when checking the MountedDevices key, as this information will be required in future analysis.

Analyse the NTUSER.DAT file associated with the particular user in question. Go to NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 and search for the GUID of the device.

Module II:

If you use EnCase or FTK, search for keywords (the name of the file in question) and analyse the .lnk files associated with the keyword. Parse the .lnk files using FTK or EnCase, which will give you the path and the timestamp. If the path refers to a USB, then try to match the user's SID, the USB serial number and the timestamp information.

You can even analyse MFT records and $Logfile, which give you more information about the file structure.

Note: .lnk files will be created only if the suspect opens the file in question from the USB drive.
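
The MountedDevices step above can be scripted once the key's values have been exported. The following is an added example, not part of the original answers: it links each USBSTOR serial number to the drive letter and volume GUID recorded in MountedDevices, the GUID being the value to look for under MountPoints2. The sample data, device names and the `correlate` helper are constructed for illustration.

```python
import re

# Constructed sample of HKLM\SYSTEM\MountedDevices (value name -> REG_BINARY data).
# Vendor, product, serial number and volume GUID are made up for illustration.
USB_PATH = ("_??_USBSTOR#Disk&Ven_ACME&Prod_FlashDrive&Rev_1.00"
            "#0123456789ABCDEF&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE = {
    r"\DosDevices\C:": bytes.fromhex("a1b2c3d4") + (0x100000).to_bytes(8, "little"),
    r"\DosDevices\E:": USB_PATH.encode("utf-16-le"),
    r"\??\Volume{11111111-2222-3333-4444-555555555555}": USB_PATH.encode("utf-16-le"),
}

USBSTOR_RE = re.compile(r"USBSTOR#Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_[^#]*#([^#]+)#", re.I)
LETTER_RE = re.compile(r"\\DosDevices\\([A-Z]:)$", re.I)
GUID_RE = re.compile(r"Volume(\{[0-9a-f-]{36}\})$", re.I)

def correlate(mounted):
    """Group MountedDevices entries by the USBSTOR serial they point to."""
    devices = {}
    for name, data in mounted.items():
        # Fixed MBR disks store 12 raw bytes (disk signature + offset);
        # removable devices store a UTF-16LE device path instead.
        text = data.decode("utf-16-le", errors="ignore")
        match = USBSTOR_RE.search(text)
        if not match:
            continue
        vendor, product, instance = match.groups()
        serial = instance.rsplit("&", 1)[0]  # drop the trailing "&0" suffix
        dev = devices.setdefault(serial, {
            "vendor": vendor, "product": product, "letters": [], "guids": [],
            # A "&" as second character means Windows generated the ID,
            # so it is not a serial number reported by the hardware.
            "unique_serial": instance[1:2] != "&",
        })
        if (m := LETTER_RE.search(name)):
            dev["letters"].append(m.group(1))
        elif (m := GUID_RE.search(name)):
            dev["guids"].append(m.group(1))
    return devices

if __name__ == "__main__":
    for serial, dev in correlate(SAMPLE).items():
        print(serial, dev)
```

The serial returned here is the one to match against the USBSTOR subkey names, and each GUID is a candidate subkey name under the user's MountPoints2 key.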