Track file and folder manipulation in Windows
The scenario involves business secrets, and our client is worried about data leakage. They want to know whether the suspect copied that data to an external hard drive. In fact, this is not an easy question for forensic examiners to answer. Of course, if you copy data from a local drive to an external drive and then open those files on the external drive, LNK files pointing at them will be created in the user's "Recent" folder.
But if you only copy files and folders from a local drive to an external drive in Windows, you will not find any "copy artifacts" in the event logs or the registry (nothing in Windows records a plain copy operation by default). So how do we know whether the suspect copied files and folders to an external drive? As far as I know, the only way to do this is to monitor and record file and folder manipulation, and then look at the logs to see what happened.
You could use a commercial solution such as IP-Guard.

It can also record copy operations to network drives.

There is also a free solution called "Windows Explorer Tracker". In its log you can see that an external USB hard drive was plugged in at 15:31:15; its drive letter was "G:" and its volume label was "HD-PNFU3". Then an Excel file "主要服務伺服器密碼一覽表.xls" (a list of passwords for the main service servers) was created in "D:\", so we can say that this file may have come from "G:", the external USB hard drive. Shortly afterwards a number of files were created in "D:\#1016" within a very short time, so we can say that those files also came from "G:". Let's see what happened to that xls file:
1. At 15:40:46 the xls file was renamed to "123.xls".
2. At 15:40:59 a LNK file pointing to 123.xls was created in "Recent". That means the suspect double-clicked that xls file and looked at its contents.
3. At 15:45:58 the suspect deleted "123.xls" from "D:\".
By the way, a file called "top-secret" was created in "G:\" at 15:45:08. That means this file may have come from a local drive and been copied to the external USB hard drive "G:\".

Now we just need to find that external USB hard drive and search it for the file "top-secret" and the other files mentioned above. Then we will know whether the suspect copied folders and files from local drives to external drives.
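As an added example (this is not code from the post, and not part of Windows Explorer Tracker or IP-Guard), the following PowerShell script records the same kinds of events that the walk-through above reads from the tool's log: file and folder Created/Deleted/Renamed events on every fixed and removable drive, plus USB volume arrivals and removals with the drive letter and volume label, written to a CSV file. It assumes Windows with PowerShell 5.1 or later, a session that can read the watched drives, and a log location of C:\ProgramData\fsmon\fs-events.csv, which is chosen purely for illustration.

```powershell
# Added example (not the post's tool): a minimal file/folder manipulation
# recorder. Logs Created/Deleted/Renamed events on fixed and removable
# drives, and USB volume arrivals/removals with drive letter and label.
# The log path below is an assumption; adjust it for your environment.

$LogFile = 'C:\ProgramData\fsmon\fs-events.csv'
New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null
if (-not (Test-Path $LogFile)) {
    'Time,Event,Path,OldPath,Volume' | Set-Content -Path $LogFile -Encoding UTF8
}

# One CSV row per event. Millisecond timestamps matter because the
# "created within seconds of the mount" reasoning relies on ordering.
function Write-FsLog {
    param([string]$Kind, [string]$Path, [string]$OldPath = '', [string]$Volume = '')
    $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm:ss.fff')
    $row = @($stamp, $Kind, $Path, $OldPath, $Volume) |
        ForEach-Object { '"' + ($_ -replace '"', '""') + '"' }
    Add-Content -Path $LogFile -Value ($row -join ',') -Encoding UTF8
}

# Watch one drive root recursively. Events are queued in this session
# (no -Action) so the main loop below can process them in script scope.
function Start-DriveWatch {
    param([string]$Drive)   # e.g. 'G:'
    $w = New-Object System.IO.FileSystemWatcher -ArgumentList ($Drive + '\')
    $w.IncludeSubdirectories = $true
    # Name changes only; add LastWrite if you also want in-place modifications.
    $w.NotifyFilter = [System.IO.NotifyFilters]::FileName -bor [System.IO.NotifyFilters]::DirectoryName
    $w.InternalBufferSize = 65536   # maximum; reduces dropped events during bulk copies
    foreach ($name in 'Created', 'Deleted', 'Renamed') {
        Register-ObjectEvent -InputObject $w -EventName $name `
            -SourceIdentifier "FSW_$($Drive.Substring(0,1))_$name" | Out-Null
    }
    $w.EnableRaisingEvents = $true
    return $w
}

function Stop-DriveWatch {
    param([System.IO.FileSystemWatcher]$Watcher)
    $Watcher.EnableRaisingEvents = $false
    Get-EventSubscriber | Where-Object { $_.SourceObject -eq $Watcher } | Unregister-Event
    $Watcher.Dispose()
}

# Win32_LogicalDisk DriveType: 2 = removable, 3 = local fixed disk.
$watchers = @{}
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2 OR DriveType = 3' |
    ForEach-Object { $watchers[$_.DeviceID] = Start-DriveWatch $_.DeviceID }

# Win32_VolumeChangeEvent EventType: 2 = device arrival, 3 = device removal.
Register-CimIndicationEvent -Query 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2 OR EventType = 3' `
    -SourceIdentifier 'VolumeChange' | Out-Null

Write-Host "Recording to $LogFile (Ctrl+C to stop)"
while ($true) {
    $ev = Wait-Event
    Remove-Event -EventIdentifier $ev.EventIdentifier
    if ($ev.SourceIdentifier -eq 'VolumeChange') {
        $v = $ev.SourceEventArgs.NewEvent
        $drive = $v.DriveName                      # e.g. 'G:'
        if ($v.EventType -eq 2) {
            $ld = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID = '$drive'"
            $label = if ($ld) { $ld.VolumeName } else { '' }
            Write-FsLog -Kind 'VolumeArrived' -Path $drive -Volume $label
            # Start watching the new drive so writes to it (e.g. G:\top-secret) are captured.
            if (-not $watchers.ContainsKey($drive)) { $watchers[$drive] = Start-DriveWatch $drive }
        } else {
            Write-FsLog -Kind 'VolumeRemoved' -Path $drive
            if ($watchers.ContainsKey($drive)) { Stop-DriveWatch $watchers[$drive]; $watchers.Remove($drive) }
        }
    } else {
        # FileSystemEventArgs, or RenamedEventArgs which adds OldFullPath
        $e = $ev.SourceEventArgs
        $old = if ($e -is [System.IO.RenamedEventArgs]) { $e.OldFullPath } else { '' }
        Write-FsLog -Kind ([string]$e.ChangeType) -Path $e.FullPath -OldPath $old
    }
}
```

A few caveats when reading the resulting log. A copy is never recorded as a "copy": it shows up only as a Created event on the destination, so the inference in the walk-through (a file created on D:\ seconds after a VolumeArrived for G:, or a file created on G:\ at all) is exactly the correlation you must make yourself. Opening a file appears as a Created event for a .lnk under %APPDATA%\Microsoft\Windows\Recent, which is what step 2 above corresponds to. Watching the system drive recursively is noisy (temp files, prefetch, browser caches), and FileSystemWatcher can drop events when its buffer overflows during large bulk copies, so keep the recorder's output small and compare it against the USB drive contents as the post suggests. The built-in alternative, Windows file-system auditing (Audit Object Access with a SACL on the folders of interest, producing Event ID 4663), records reads and writes of individual files but likewise never labels an operation as a copy.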