The scenario concerns business secrets: our client worries about data leakage and wants to know whether the suspect copied data to an external hard drive. In fact this is not an easy question for forensic examiners to answer. Of course, if you copy data from a local drive to an external drive and then open those files on the external drive, LNK files will be created.

But if you only copy files and folders from a local drive to an external drive in Windows, you will not find any "copy artifacts" in the event logs or the registry. So how do we know whether the suspect copied files and folders to an external drive? As far as I know, the only way is to monitor and record file and folder manipulation ahead of time, and then look at those logs to see what went on.

You could use commercial solutions such as IP-Guard.

Such a tool can also record copy operations to network drives.

There is also a free solution called "Windows Explorer Tracker". In its log you can see that an external USB hard drive was plugged in at 15:31:15; its drive letter was "G:" and its volume label was "HD-PNFU3". Then an Excel file "主要服務伺服器密碼一覽表.xls" was created in "D:", so we can say that this file probably came from "G:", the USB external hard drive. After that, several files were created in "D:\#1016" within a very short time, so we can say that those files also came from "G:". Let's see what happened to that xls file:

1. At 15:40:46 the xls file was renamed to "123.xls".

2. At 15:40:59 a LNK file pointing to 123.xls was created in "Recent". That means the suspect double-clicked the xls file and looked at its content.

3. At 15:45:58 the suspect deleted "123.xls" from "D:\".

By the way, a file called "top-secret" was created in "G:\" at 15:45:08. That means this file probably came from a local drive and was copied to the USB external hard drive "G:\".

Now we just need to find that USB external hard drive and search it for the file "top-secret" and the other files listed above. Then we can tell whether the suspect copied folders and files from local drives to external drives.
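The reasoning above (a drive attaches, files appear on a local drive shortly afterwards, one of them is renamed, opened via a Recent LNK, and later deleted, while another file appears on the removable drive) can be turned into a small timeline-correlation script. The following is an added example, not code from the original post or from the Windows Explorer Tracker tool. The log format it parses (`time;action;path;detail`) is an assumption made for the example, and the sample log is constructed from the post's timeline with invented times for the events the post does not time-stamp; a real monitoring product has its own format, and `parse_line()` is the only part that would need adapting.

```python
"""Reconstruct a copy-in / copy-out timeline from a file-activity log.

Added example: not code from the original post or from the
"Windows Explorer Tracker" tool. The log format (time;action;path;detail)
is an assumption made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime      # time of day only, as in the post's timeline
    action: str       # DriveConnected, Created, Renamed or Deleted
    path: str         # drive letter or file path the action applies to
    detail: str = ""  # volume label (DriveConnected) or new name (Renamed)


# Constructed sample log reproducing the sequence described in the post.
# Times the post does not give (creation of the copied-in files) are invented.
SAMPLE_LOG = r"""
15:31:15;DriveConnected;G:;HD-PNFU3
15:31:40;Created;D:\主要服務伺服器密碼一覽表.xls;
15:32:02;Created;D:\#1016\a.docx;
15:32:03;Created;D:\#1016\b.docx;
15:40:46;Renamed;D:\主要服務伺服器密碼一覽表.xls;D:\123.xls
15:40:59;Created;C:\Users\suspect\Recent\123.lnk;
15:45:08;Created;G:\top-secret;
15:45:58;Deleted;D:\123.xls;
"""


def parse_line(line: str) -> Event:
    ts, action, path, detail = line.strip().split(";", 3)
    return Event(datetime.strptime(ts, "%H:%M:%S"), action, path, detail)


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def drive_of(path: str) -> str:
    """'D:\\123.xls' -> 'D:' ; anything without a drive letter -> ''."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def analyze(events: list, window: timedelta = timedelta(minutes=30)) -> dict:
    """Correlate file creations with the presence of removable drives."""
    removable = {}                    # drive letter -> (connect time, label)
    inbound, outbound, opened, deleted = [], [], [], []
    original = {}                     # current path -> name it was created with
    for ev in events:
        if ev.action == "DriveConnected":
            removable[drive_of(ev.path)] = (ev.ts, ev.detail)
        elif ev.action == "Created":
            low = ev.path.lower()
            if low.endswith(".lnk") and "\\recent\\" in low:
                opened.append(ev)     # LNK in Recent: target was opened, not just copied
                continue
            original[ev.path] = ev.path
            if drive_of(ev.path) in removable:
                outbound.append(ev)   # new file on removable media: copy-out candidate
            else:
                # creation on a local drive while a removable drive was recently attached
                for letter, (t0, _label) in removable.items():
                    if t0 <= ev.ts <= t0 + window:
                        inbound.append((ev, letter))
        elif ev.action == "Renamed":
            original[ev.detail] = original.pop(ev.path, ev.path)
        elif ev.action == "Deleted":
            deleted.append((ev, original.pop(ev.path, ev.path)))
    return {"removable": removable, "inbound": inbound, "outbound": outbound,
            "opened": opened, "deleted": deleted}


def report(text: str) -> list:
    """Human-readable findings, returned as lines so they can be checked."""
    r = analyze(parse_log(text))
    lines = [f"removable drive {d} ({lbl}) attached at {t:%H:%M:%S}"
             for d, (t, lbl) in r["removable"].items()]
    lines += [f"{e.ts:%H:%M:%S} {e.path} created, possibly copied from {src}"
              for e, src in r["inbound"]]
    lines += [f"{e.ts:%H:%M:%S} {e.path} created on removable media (copy-out candidate)"
              for e in r["outbound"]]
    lines += [f"{e.ts:%H:%M:%S} {e.path}: target was opened" for e in r["opened"]]
    lines += [f"{e.ts:%H:%M:%S} {e.path} deleted (originally {orig})"
              for e, orig in r["deleted"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The rename map is what lets the final "123.xls deleted" line be tied back to the original Chinese file name, which is the name you would later search for on the seized drive. The 30-minute window is a tunable assumption: a creation on a local drive while a removable drive is attached is only a candidate, and the actual copy still has to be confirmed by examining the drive itself, as the post says.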
