The scenario is about Business Secret and our client do worry about data leakage. They want to know whether Suspect copy those data to external hard drive or not. In fact it is not easy for Forensic guys to answer this question. Of course if you copy data from local drive to external drive and then access those files in external drive, there will be some LNK files created.

But if you only copy files and folders from local drive to external drive in Windows, you could not find any "Copy artifacts" in log files or registry...So how do we know if Suspect copy files and folders to external drive or not? As I know that the only way to do this is to monitor and record files and folders manipulation, and you could take a look at logs to see what's going on.

You could use commercial solutions like IP-Guard, etc.

It could also record copy operation to network drive.

There is a free solution called "Windows Explorer Tracker". As you could see that an external usb hard drive plug in at 15:31:15. Its driver letter was "G:" and the volume label was "HD-PNFU3". Then an Excel file "主要服務伺服器密碼一覽表.xls" created in "D:", and we could say that this file may come from "G:", the usb external hard drive. And then some files created in "D:\#1016" in a very short time, so we could say that those files also came from "G:".  Let's see what happen to that xls file as below:

1. At 15:40:46 that xls file being renamed to "123.xls".

2. At 15:40:59 a LNK file pointed to 123.xls created in "Recent". That means Suspect double click on that xls file and took a look at its content.

3. At 15:45:58 Suspect deleted "123.xls" in "D:\".

By the way, there is a file called "top-secret" created in "G:\" at 15:45:08. That means this file may come from local drives and being copied to usb external hard drive "G:\".

Now we just need to find out where that usb external hard drive is, and search for file "top-secret" and other files as above. Then we could know if Suspect did copy folders and files from local drives to external drives.

Track files and folders manipulation in Windows的更多相关文章

  1. Mac OS finder : 显示和隐藏文件[夹] show and hide files or folders

    Finder默认是不显示隐藏文件[夹]的,要显示出怎么办? 要显示的话,可以GUI(graphic user interface)和CLI(command line interface)两种方式 CL ...

  2. [转]COPY OR MOVE FILES AND FOLDERS USING OLE AUTOMATION

    本文转自:http://sqlindia.com/copy-move-files-folders-using-ole-automation-sql-server/ I love playing aro ...

  3. [Bash] Find Files and Folders with `find` in Bash

    find is a powerful tool that can not only find files but it can run a command on each matching file ...

  4. [Bash] Move and Copy Files and Folders with Bash

    In this lesson we’ll learn how to move and rename files (mv) and copy (cp) them. Move index.html to ...

  5. [Bash] View Files and Folders in Bash

    Sometimes when working at the command line, it can be handy to view a file’s contents right in the t ...

  6. Devexpress VCL Build v2013 vol 13.2.2 发布

    devexpress 2013 的第二个大版本出来了,一如既往, 基本上还是一个大补丁包.各位看官,自己看. What's New in 13.2.2 (VCL Product Line)   New ...

  7. dell R730 安装windwos 2008 R2在windows loading files...完成后屏幕无信号(iDrac绿屏)

    dell R730 安装windwos 2008 R2在windows loading files...完成后,Starting Windows时屏幕无信号(iDrac绿屏) 解决方法: F2  进行 ...

  8. Scott Hanselman's 2014 Ultimate Developer and Power Users Tool List for Windows -摘自网络

    Everyone collects utilities, and most folks have a list of a few that they feel are indispensable.  ...

  9. VC++6.0在Win7以上系统上Open或Add to Project files崩溃问题 解决新办法

    崩溃原因是和office高版本冲突,比如我64位win7装了64位office2013及visio就遇到了这个问题(我很纳闷,记得重装系统前装的是32位office2013及visio就未曾遇到该问题 ...

随机推荐

  1. [实变函数]4.2 Egrov 定理

    1 一致收敛很重要, 但可惜的是很多时候不一致收敛. 比如 $$\bex f_n(x)=x^n\to f(x)=\sedd{\ba{ll} 0,&x\in [0,1)\\ 1,&x=1 ...

  2. Redis各种数据结构内存占用测试

    启动时:(redis为空) 插入数据量都为100W(100W个key或者list中100W个值,或者1000个key,每个key中1000个值) String Key value # Memory u ...

  3. ice介绍 z

    什么是ICE(Internet Communications Engine)呢,它是由Zeroc公司开 发的一套开源中间件系统,与DCOM,CORBA,WEB SERVICEDcom类似,支持RPC( ...

  4. doc2vec 利用gensim 生成文档向量

    利用gensim 直接生成文档向量 def gen_d2v_corpus(self, lines): with open("./data/ques2_result.txt", &q ...

  5. c#生成缩略图

    publicstaticvoidGenThumbnail(Image imageFrom,stringpathImageTo,intwidth,intheight)         {         ...

  6. 20145305 《Java程序设计》第8周学习总结

    教材学习内容总结 1.NIO使用频道来衔接数据节点,可以设定缓冲区容量,在缓冲区中对感兴趣的数据区块进行标记,提供clear().rewind().flip().compact()等高级操作 2.想要 ...

  7. 20145305解佳玲 《Java程序设计》第1周学习总结

    教材学习内容总结 第一章 Java平台概论 1.先了解了JAVA的历史 2.Java三大平台:Java SE.Java EE与Java ME 3.Java SE的四个组成部分:JVM.JRE.JDK与 ...

  8. weblogic诊断案例-AdminServer平均1-2周崩溃

    OS2台:RH5.5 64位 WEBLOGIC VERSION:9.2.3 JDK:1.5 64位 weblogic一个管理服务,4个受管(2台服务器做集群,每台服务器2个受管).应用部署后通过一个月 ...

  9. Hive分布式的数据仓库

    1.hive介绍 hive是一个数据仓库的解决方案,它的数据存储依赖于HDFS,数据结算依赖于MR,也就是说,hive就是一个在数据仓库的服务,它只需要安装到一台普通的PC上即可,仅仅对外提供SQL服 ...

  10. css margin-top设置html元素之间的距离

    css margin-top属性设置的是一个元素的顶端与另一个元素之间的距离.这个距离称为上外边距,本文章向大家介绍css margin-top属性的用法和实例,需要的朋友可以参考一下. css ma ...