Tracking files downloaded to USB post-event

1

I run a small company and a senior employee recently left. As I was about to reformat his computer I discovered that just prior to leaving the firm the employee accessed some very confidential and sensitive file locations on the network drive and then also accessed a removable drive labelled e:/. I discovered this via the Recent Places tab in Windows Explorer. It looks very much like sensitive and confidential files, which would be very valuable and useful to the competition, were downloaded. Obviously I feel like a bit of a fool because with a small team and a small emerging company I wanted to create an atmosphere of trust and so didn't have the heavy computer lock-down functions that larger firms have. Is there a way that I can see what the actual files were that were transferred from the network drive to the removable drive post-event, i.e. now? This event happened on the 12th September so 12 days ago. Thanks very much in advance for any help.

Kieran

Posted 2014-09-24T07:08:36.773

Reputation: 11

possible duplicate of How to find Windows 7 File Transfer History?

– DavidPostill – 2014-09-24T07:49:34.797

Thanks very much - the other post answered my question ... unfortunately not the answer I was hoping for, but still better to know. Apologies for posting a duplicate question; this is my first time on a forum. – Kieran – 2014-09-24T07:52:01.800

Answers

0

Source: Windows Incident Response Blog, "Copying Files"

Every now and again, I see the question of "where does Windows keep logs of files copied to a thumb drive, or CD/DVD?" Recently, I saw that question posted to several lists, as well as emailed directly to my inbox. ;-) As such, I thought it would be a good idea to address that issue here, and maybe get comments back from others with respect to how they might address this kind of situation.

In general, Windows does not maintain a record or log of files that are copied. Whether you use the command line "copy", or use drag-n-drop, there simply isn't a record on Windows systems that shows, "on this date, user X copied this file from here to here". Using something like WMI, someone could surely write a file system monitor that looked for and correlated file accesses to file creations...but that might be complicated, as you would need to also alert on removable storage devices being attached to the system and then include those within your monitoring scheme. However, this model wouldn't take into account instances in which a user opened a file in, say, MS Word, and then chose "Save As..." from the File menu and saved the file to another location.

DavidPostill

Posted 2014-09-24T07:08:36.773

Reputation: 118 938
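
The monitor the quoted post describes, narrowed to the file-creation side, as an added example that is not part of the original answer or the quoted blog: a WMI `Win32_VolumeChangeEvent` subscription notices a volume being attached and a .NET `FileSystemWatcher` logs files created on it. It records only activity that happens after it is started; the log path and the function names are assumptions.

```powershell
# Added example: record files created on volumes attached after this script starts.
# $LogPath is a placeholder; use a location the monitored user cannot modify.
$LogPath  = 'C:\ProgramData\removable-file-log.csv'
$watchers = @{}   # drive letter -> @{ Watcher; Label; Serial }

function Start-DriveWatch([string]$Drive) {
    if ($watchers.ContainsKey($Drive)) { return }
    # Volume label and serial tie the log entries to one specific device
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    $w = New-Object System.IO.FileSystemWatcher "$Drive\"
    $w.IncludeSubdirectories = $true
    # No -Action: events are queued and handled by the loop below
    Register-ObjectEvent -InputObject $w -EventName Created -SourceIdentifier "Created-$Drive"
    $w.EnableRaisingEvents = $true
    $watchers[$Drive] = @{ Watcher = $w; Label = $disk.VolumeName; Serial = $disk.VolumeSerialNumber }
}

function Stop-DriveWatch([string]$Drive) {
    if (-not $watchers.ContainsKey($Drive)) { return }
    Unregister-Event -SourceIdentifier "Created-$Drive"
    $watchers[$Drive].Watcher.Dispose()
    $watchers.Remove($Drive)
}

# EventType 2 = volume arrival, 3 = volume removal
Register-CimIndicationEvent -SourceIdentifier 'VolumeChange' `
    -Query 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2 OR EventType = 3'

while ($true) {
    $e = Wait-Event                       # blocks until any queued event arrives
    $a = $e.SourceEventArgs
    if ($e.SourceIdentifier -eq 'VolumeChange') {
        $drive = $a.NewEvent.DriveName    # e.g. "E:"
        if ($a.NewEvent.EventType -eq 2) { Start-DriveWatch $drive } else { Stop-DriveWatch $drive }
    } else {
        $drive = $e.SourceIdentifier -replace '^Created-'
        # Size at the moment of creation; may be 0 while the copy is still running
        $size  = try { (Get-Item -LiteralPath $a.FullPath -ErrorAction Stop).Length } catch { $null }
        [pscustomobject]@{
            Time   = $e.TimeGenerated.ToString('o')
            Path   = $a.FullPath
            Bytes  = $size
            Label  = $watchers[$drive].Label
            Serial = $watchers[$drive].Serial
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
    Remove-Event -EventIdentifier $e.EventIdentifier
}
```

A "Save As..." to the drive appears here only as a new file on the removable volume, with nothing linking it back to the source document, which is the limitation the quoted post points out.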