8

How can I find out if files from my computer were written/copied/moved to a USB storage device? I want to know if there is a solution that would work on a system that has not had any monitoring/logging of USB activity explicitly enabled, and after the files have already been written.

I have already used software which reads the information from the registry location

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

But it just tells the vendor name, time connected and other artifacts.

NULLZ
Saladin
  • 1
    Not sure if it directly answers your question, but you can get a copy of [Usb Security Suite](http://www.dynamikode.com/products/usb-security-suite/) and it logs everything that happened on USB drives, like copy, rename, delete etc. The point is that it only shows activities that happened AFTER installation of the tool :( –  Apr 18 '13 at 05:24

3 Answers

14

This will depend entirely on what logging you have enabled. It's easy after the event to tell you to log all file copies etc., but if you weren't logging it, you won't be able to retrieve that info.

Rory Alsop
  • Yes, I know you have to enable local auditing on files. But there has to be some other way. The information must be saved in some metadata? – Saladin Oct 27 '12 at 16:24
  • 4
    No. Copying from a file is not typically saved on a windows system unless you have enabled logging or auditing. – Rory Alsop Oct 27 '12 at 19:57
  • Yeah, that's what I said; but I mean what about EnCase and Helix, big forensic technologies? – Saladin Oct 28 '12 at 14:25
  • 4
    EnCase and Helix can help you retrieve all the information you have on a disk, but they can't make that information from nothing. Sorry to disappoint you. – Rory Alsop Oct 28 '12 at 16:23
  • I disagree; you seem to put all your hope in Windows auditing, as if there is no place in computer memory or on the hard disk where such attributes (of folders, files) can be copied. – Saladin Oct 29 '12 at 17:11
  • 5
    I used to run a forensic team, and while there are a lot of good pieces of info you can grab, with dating Windows logging you are very limited in finding out what someone has done with a file if they copied it onto a USB stick. You can hunt down command history, but it is limited. Seriously, this info is just not stored anywhere by default. This is why we encourage people to enable logging and auditing. – Rory Alsop Oct 29 '12 at 18:01
7

First, try to get the information about the devices that were plugged into the computer from the following locations:

C:\Windows\inf\setupapi.dev

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR 
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB

Be very particular when checking the MountedDevices key, as this information will be required in future analysis.

Analyse NTUSER.DAT file associated to that particular user in question. Go to NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 and search for the GUID of the device.

Module II:

If you use EnCase or FTK, search for keywords (name of the file in question) and analyse the .lnk files associated with the keyword. Parse the .lnk using FTK or EnCase, which will give you the path and the time stamp. If the path refers to a USB, then try to match the user's SID, USB serial number and the time stamp information.

You can even analyse MFT records and $Logfile which give you more information about the file structure.

Note: .lnk files will be created only if the suspect opens the file in question from the USB drive.

jonsca
Fred
-2

Update 9-21-2013

If you are still looking into this, or want to go back to it, then you might be interested in listening to the CyberSpeak Podcast to hear about one forensic investigator's/firm's research. I suggest you listen to the whole episode, but if you want to spot-check its relevance then I think that around 22:00/23:00 they say a few points that are relevant to your endeavor.

The tool, called Registry Recon, is a commercial tool and I can not vouch for it since I have not yet used it myself. Pursue that at your own risk; however, I will point out the bullet-point claim in the release notes.

"[..] Reports USB Storage Devices (see when they were attached over time!) and RecentDocs"

Clarifications Regarding the Original Post

I have left the original post exactly as it was, but would like to say that I never meant to bash any commercial product nor do I intend to promote myself or any third party products I happen to mention.

I do not apologize for my sense of humor, but I do regret the possibility that I offended anyone. Not that it is important what you think of me; rather, it is important for me to respect the culture and demeanor of this forum. I do respect the community here and for that reason I apologize.

Thank you again, @Gilles, for your comments.

Original Post

I looked at a commercial offering called "Spector 360" that was talking about this exact scenario. As you might imagine, it required agents to be installed onto each monitored computer. Honestly, I was not happy with the system impact that the agents had on system performance. Enabling auditing/logging also has an impact on system performance. This is to be expected from pretty much any solution that is available to address the scenario you are describing.

Before I came across Spector 360, I knew of a Remote Administration Tool (RAT) that was being used to a small extent by criminals. The company that creates it is legit and was not necessarily responsible for the criminals' actions; my point is that there are a lot of RAT/Spyware/Monitoring applications that will provide the functionality needed to accomplish what you desire. You should expect friction from AV installed on those systems though, no matter how legit the company that authored the application. They are all capable of being used malevolently.

As for forensically looking for evidence... maybe, but that is a long shot. I really wouldn't count on it. There would be artifacts created if the system conditions were right. Those artifacts would also be eroded according to the system conditions, usage, and time since the event.

Are you trying to determine if you have had some files stolen, or are you just wondering? If it is the latter, then you should really turn your attention towards the logging/auditing solutions. If your hand has been forced, you should just kill whomever you suspect of stealing the files before they can distribute/deliver them. Burning their living space and surrounding areas to the ground would give a little more assurance that any stolen data was destroyed.

Of course, my last suggestion is illegal and I am only kidding about actually carrying out such drastic measures. If you think you have had a security breach and want to talk it through with someone, you can contact me and I'll spend some time helping you as much as I can.

GuyHoozdis
  • 1
    While there are good things in your answer, a lot of it comes out as bashing a competitor product, with a bit of advertisement at the end (which isn't against the rule, but comes out a little odd, considering that this is a [questions and answers](http://security.stackexchange.com/about), not a discussion forum). The hyperbole might put some readers off as well. This could explain why your answer was downvoted. I suggest toning it down a bit. – Gilles 'SO- stop being evil' Oct 29 '12 at 09:31
  • @GuyHoozdis I really admire your advice on the subject. It was thorough and very informative. In my case (I can't disclose it openly) it relates to the high possibility of information having been copied from a sensitive machine onto a USB device. The victim machine in this case was not forensically sound or prepared to detect such occurrences. I'm not concerned about evidence and its admissibility issues; I'm hoping someone could help me get some clues/evidence of this activity happening on the system. – Saladin Oct 29 '12 at 17:17
  • Thank you for your feedback and insight @Gilles- I appreciate your candor. Bashing was not my intention nor was self-promotion; however, I'm sure that you are right because if you perceived it that way then many others did too. – GuyHoozdis Sep 21 '13 at 17:01
  • @Saladin, I'm glad you found some utility in my ramblings. I did come across some new research in this area a few months ago- if my memory serves me. It might be too late if I understand what "its admissibility issues" implies about your situation; then again, this research I'm referring to is new and if there is reason/opportunity for you to appeal any previous decisions I think this information would be useful. I'll have to go look for an exact link, but I came across the information in a CyberSpeak podcast. You can search for yourself if this is still relevant. – GuyHoozdis Sep 21 '13 at 17:12
  • I just took a quick look and here are some links that reference what I was talking about. I suggest you listen to the whole episode, but I think around 22:00-25:00 will briefly mention how this relates to your situation. http://cyberspeak.libsyn.com/cyber-speak-feb-18-2013-recon-mission The tool, Registry Recon. It is a commercial tool and I have not yet used it myself (pursue it at your own risk). I want to point out a claim about USB devices in the release notes that is relevant to your situation: "see when they were attached over time" http://arsenalrecon.com/apps/#newReleaseNotes – GuyHoozdis Sep 21 '13 at 21:51