The scenario is about Business Secret and our client do worry about data leakage. They want to know whether Suspect copy those data to external hard drive or not. In fact it is not easy for Forensic guys to answer this question. Of course if you copy data from local drive to external drive and then access those files in external drive, there will be some LNK files created.

But if you only copy files and folders from local drive to external drive in Windows, you could not find any "Copy artifacts" in log files or registry...So how do we know if Suspect copy files and folders to external drive or not? As I know that the only way to do this is to monitor and record files and folders manipulation, and you could take a look at logs to see what's going on.

You could use commercial solutions like IP-Guard, etc.

It could also record copy operation to network drive.

There is a free solution called "Windows Explorer Tracker". As you could see that an external usb hard drive plug in at 15:31:15. Its driver letter was "G:" and the volume label was "HD-PNFU3". Then an Excel file "主要服務伺服器密碼一覽表.xls" created in "D:", and we could say that this file may come from "G:", the usb external hard drive. And then some files created in "D:\#1016" in a very short time, so we could say that those files also came from "G:".  Let's see what happen to that xls file as below:

1. At 15:40:46 that xls file being renamed to "123.xls".

2. At 15:40:59 a LNK file pointed to 123.xls created in "Recent". That means Suspect double click on that xls file and took a look at its content.

3. At 15:45:58 Suspect deleted "123.xls" in "D:\".

By the way, there is a file called "top-secret" created in "G:\" at 15:45:08. That means this file may come from local drives and being copied to usb external hard drive "G:\".

Now we just need to find out where that usb external hard drive is, and search for file "top-secret" and other files as above. Then we could know if Suspect did copy folders and files from local drives to external drives.

Track files and folders manipulation in Windows的更多相关文章

  1. Mac OS finder : 显示和隐藏文件[夹] show and hide files or folders

    Finder默认是不显示隐藏文件[夹]的,要显示出怎么办? 要显示的话,可以GUI(graphic user interface)和CLI(command line interface)两种方式 CL ...

  2. [转]COPY OR MOVE FILES AND FOLDERS USING OLE AUTOMATION

    本文转自:http://sqlindia.com/copy-move-files-folders-using-ole-automation-sql-server/ I love playing aro ...

  3. [Bash] Find Files and Folders with `find` in Bash

    find is a powerful tool that can not only find files but it can run a command on each matching file ...

  4. [Bash] Move and Copy Files and Folders with Bash

    In this lesson we’ll learn how to move and rename files (mv) and copy (cp) them. Move index.html to ...

  5. [Bash] View Files and Folders in Bash

    Sometimes when working at the command line, it can be handy to view a file’s contents right in the t ...

  6. Devexpress VCL Build v2013 vol 13.2.2 发布

    devexpress 2013 的第二个大版本出来了,一如既往, 基本上还是一个大补丁包.各位看官,自己看. What's New in 13.2.2 (VCL Product Line)   New ...

  7. dell R730 安装windwos 2008 R2在windows loading files...完成后屏幕无信号(iDrac绿屏)

    dell R730 安装windwos 2008 R2在windows loading files...完成后,Starting Windows时屏幕无信号(iDrac绿屏) 解决方法: F2  进行 ...

  8. Scott Hanselman's 2014 Ultimate Developer and Power Users Tool List for Windows -摘自网络

    Everyone collects utilities, and most folks have a list of a few that they feel are indispensable.  ...

  9. VC++6.0在Win7以上系统上Open或Add to Project files崩溃问题 解决新办法

    崩溃原因是和office高版本冲突,比如我64位win7装了64位office2013及visio就遇到了这个问题(我很纳闷,记得重装系统前装的是32位office2013及visio就未曾遇到该问题 ...

随机推荐

  1. Gatling的进阶一

    转载:http://www.51testing.com/html/10/26810-852966.html 首先 抄袭一个Gatling的介绍 Gatling是一款基于Scala 开发的高性能服务器性 ...

  2. tomcat 部署多个项目的技巧

    方法一.在tomcat的根目录下的 conf文件夹下的server.xml文件中的<Host>标签中加入: //docBase: 项目的webRoot path:访问路径 reloadab ...

  3. sql server中的锁 事务锁 更新锁 保持锁 共享锁 你知道吗?

    锁定数据库的一个表 SELECT * FROM table WITH (HOLDLOCK) 注意: 锁定数据库的一个表的区别 SELECT * FROM table WITH (HOLDLOCK) 其 ...

  4. C++学习4

    在C++中,定义函数时可以给参数指定一个默认的初始值.调用函数时,可以省略有默认值的参数.也就是说,如果用户指定了参数的值,那么就使用用户指定的值,否则使用参数的默认值. C++规定,默认参数只能放在 ...

  5. 并发之 volatile

    使用volatile: 每次读取volatile变量的值,都强制从主存读取最新的值. (每次修改volatile变量都会同步到主存中) i++ 之所以不能保证线程安全,是因为volatile不能解决非 ...

  6. 四个排名函数(row_number、rank、dense_rank和ntile)的比较

    排名函数是SQL Server2005新加的功能.在SQL Server2005中有如下四个排名函数: 1.row_number 2.rank 3.dense_rank 4.ntile 下面分别介绍一 ...

  7. DELPHI SOKET 编程(使用TServerSocket和TClientSocket) 转

    http://www.cnblogs.com/findumars/p/5272658.html   本文采用delphi7+TServerSocket+TClientSocket; 笔者在工作中遇到对 ...

  8. 【原】Nginx添加Content-MD5头部压测分析

    如需转载,必须注明原文地址,请尊重作者劳动成果. http://www.cnblogs.com/lyongerr/p/5048464.html 本文介绍了webbenck安装,但是最后使用的是ab工具 ...

  9. Html5——WEB(客户端)数据存储

    在客户端存储数据 HTML5 提供了两种在客户端存储数据的新方法: localStorage - 没有时间限制的数据存储 sessionStorage - 针对一个 session 的数据存储 之前, ...

  10. 医失眠灵验方--五味子50g 茯神50g 合欢花15g 法半夏15g

    方药:五味子50g  茯神50g  合欢花15g  法半夏15g  水煎服    主治:失眠健忘    此方为已故名老中医李培生之验方,用于临床治疗失眠健忘症,疗效显著,其主药为五味子,滋阴和阳,敛阳 ...