The scenario concerns trade secrets: our client is worried about data leakage and wants to know whether the suspect copied that data to an external hard drive. In fact, this is not an easy question for a forensic examiner to answer. If you copy data from a local drive to an external drive and then open those files on the external drive, LNK files will be created.

But if you only copy files and folders from a local drive to an external drive in Windows, you will not find any "copy artifacts" in the event logs or the registry. So how do we know whether the suspect copied files and folders to an external drive? As far as I know, the only way is to monitor and record file and folder manipulation beforehand, and then review those logs to see what happened.

You could use a commercial solution such as IP-Guard.

It can also record copy operations to network drives.

There is also a free tool called "Windows Explorer Tracker". In its log you can see that an external USB hard drive was plugged in at 15:31:15; its drive letter was "G:" and its volume label was "HD-PNFU3". Then an Excel file, "主要服務伺服器密碼一覽表.xls", was created on "D:", and we can say that this file probably came from "G:", the USB external hard drive. After that, several files were created in "D:\#1016" within a very short time, so we can say that those files also came from "G:". Let's see what happened to that xls file:

1. At 15:40:46 the xls file was renamed to "123.xls".

2. At 15:40:59 a LNK file pointing to 123.xls was created in "Recent". That means the suspect double-clicked the xls file and looked at its content.

3. At 15:45:58 the suspect deleted "123.xls" from "D:\".

By the way, a file called "top-secret" was created in "G:\" at 15:45:08. That means this file probably came from a local drive and was copied to the USB external hard drive "G:\".

Now we just need to locate that USB external hard drive and search it for the file "top-secret" and the other files listed above. Then we can know whether the suspect copied folders and files from local drives to external drives.
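The reasoning above (volume arrival, files created on a local drive shortly afterwards, a LNK in "Recent", a file created on the external volume, then a rename and a delete) can be turned into a small timeline analyzer. The following is an added example, not code from the original post or from Windows Explorer Tracker; the log format (timestamp | event | path | extra) and the 15-minute correlation window are assumptions, and the sample log lines are constructed to mirror the case described above.

```python
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp | event | path | extra" layout.
# This is not the real Windows Explorer Tracker format; it only mirrors the case above.
SAMPLE_LOG = r"""
2019-06-10 15:31:15 | VOLUME_ARRIVED | G:\ | HD-PNFU3
2019-06-10 15:32:40 | CREATED | D:\server-passwords.xls
2019-06-10 15:33:02 | CREATED | D:\#1016\a.docx
2019-06-10 15:33:03 | CREATED | D:\#1016\b.docx
2019-06-10 15:40:46 | RENAMED | D:\server-passwords.xls | D:\123.xls
2019-06-10 15:40:59 | CREATED | C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\123.lnk
2019-06-10 15:45:08 | CREATED | G:\top-secret
2019-06-10 15:45:58 | DELETED | D:\123.xls
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    path: str
    extra: str = ""


def parse_log(text):
    """Parse the assumed pipe-separated format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        extra = parts[3] if len(parts) > 3 else ""
        events.append(Event(ts, parts[1], parts[2], extra))
    return events


def drive_of(path):
    """Return the drive letter prefix, e.g. 'G:' for 'G:\\top-secret'."""
    return path[:2].upper()


def analyze(events, window=timedelta(minutes=15)):
    """Build findings as (time, category, detail) tuples.

    Heuristics (assumptions, matching the reasoning in the post):
    - CREATED on a drive that arrived as an external volume -> copied to external.
    - CREATED *.lnk under a 'Recent' folder -> the target file was opened.
    - CREATED on a local drive within `window` after an external volume
      arrived -> possibly copied from that external volume.
    """
    external = {}  # drive letter -> (arrival time, volume label)
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        t = e.ts.strftime("%H:%M:%S")
        if e.kind == "VOLUME_ARRIVED":
            external[drive_of(e.path)] = (e.ts, e.extra)
            findings.append((t, "external_volume", f"{e.path} ({e.extra}) attached"))
        elif e.kind == "CREATED":
            low = e.path.lower()
            if drive_of(e.path) in external:
                findings.append((t, "copied_to_external", e.path))
            elif "\\recent\\" in low and low.endswith(".lnk"):
                findings.append((t, "opened", e.path))
            else:
                candidates = [d for d, (arrived, _) in external.items()
                              if timedelta(0) <= e.ts - arrived <= window]
                if candidates:
                    src = ", ".join(sorted(candidates))
                    findings.append((t, "possibly_copied_from_external",
                                     f"{e.path} (candidate source: {src})"))
        elif e.kind == "RENAMED":
            findings.append((t, "renamed", f"{e.path} -> {e.extra}"))
        elif e.kind == "DELETED":
            findings.append((t, "deleted", e.path))
    return findings


def files_to_search(findings):
    """File names an examiner would look for on the seized external drive."""
    return [ntpath.basename(detail) for _, cat, detail in findings
            if cat == "copied_to_external"]


if __name__ == "__main__":
    results = analyze(parse_log(SAMPLE_LOG))
    for t, cat, detail in results:
        print(f"{t}  {cat:32s} {detail}")
    print("search external drive for:", files_to_search(results))
```

The window heuristic is deliberately loose: a file created on D: nine minutes after a USB volume arrived is only a candidate, which is why the post ends by seizing the drive and confirming the file names on it rather than relying on the log alone.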
