
Quick Question

  • 18-12-2016 3:05pm
    #1
    Registered Users Posts: 4,335 ✭✭✭


    I am looking to see if there was a way to track if information was taken from a laptop and transferred to a memory stick?

    The laptop has a standard Windows 10 install with no tracking software or anything of the sort installed on it.


Comments

  • Registered Users Posts: 882 ✭✭✭moneymad


    Funny, I was reading about plug and play this morning and came across this as I'm studying for OSCP.

    Plug and Play Manager :)
    Open the setupapi.log in C:\Windows\INF

    I plugged in a USB device this morning and it showed up in the log file.


    >>> [Device Install (Hardware initiated) - SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#}]
    >>> Section start 2016/12/19 08:00:25.593
    dvi: {Build Driver List} 08:00:25.614
    dvi: Searching for compatible ID(s):
    dvi: wpdbusenum\fs
    dvi: swd\generic
    dvi: Created Driver Node:

    I'm not clued in enough to be able to tell you whether you can see if certain data was copied; however, you can check if a 'certain' device was.
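
As an added example (not part of the original post or thread), here is one way to pull USB storage install events out of a SetupAPI device log like the excerpt above. The function name and the second sample section are constructed for illustration; the result shows when a device was set up, not what was copied to it.

```python
import re
from datetime import datetime

# Constructed sample: the first section is the excerpt quoted in the post above;
# the second is an invented non-USB install, included to exercise the filter.
SAMPLE = r"""
>>> [Device Install (Hardware initiated) - SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#}]
>>> Section start 2016/12/19 08:00:25.593
dvi: {Build Driver List} 08:00:25.614
dvi: Searching for compatible ID(s):
>>> [Device Install (Hardware initiated) - PCI\VEN_0000&DEV_0000]
>>> Section start 2016/12/19 08:05:00.000
"""

HEADER = re.compile(r"^>>>\s+\[[^\]]*? - (?P<device>.+)\]$")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)")
FIELDS = re.compile(
    r"Ven_(?P<vendor>[^&#\\]*)&Prod_(?P<product>[^&#\\]*)(?:&Rev_(?P<revision>[^&#\\]*))?",
    re.IGNORECASE,
)


def usb_storage_installs(log_text):
    """Return one record per install section whose device ID mentions USBSTOR."""
    records, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            device = header.group("device")
            # Keep only USB mass-storage IDs; any other section clears the state.
            pending = device if "USBSTOR" in device.upper() else None
            continue
        start = START.match(line)
        if start and pending:
            fields = FIELDS.search(pending)
            record = {"vendor": None, "product": None, "revision": None}
            if fields:
                record.update(fields.groupdict())
            # Naive datetime, exactly as written in the log.
            record["installed"] = datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S.%f")
            record["device"] = pending
            records.append(record)
            pending = None
    return records


if __name__ == "__main__":
    for rec in usb_storage_installs(SAMPLE):
        print(rec["installed"], rec["vendor"], rec["product"], rec["revision"])
```

On Windows 10 the device install log in C:\Windows\INF is named setupapi.dev.log; read it into a string and pass it to `usb_storage_installs`.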


  • Registered Users Posts: 1,835 ✭✭✭BoB_BoT


    If you had logging/auditing enabled or a tool that would do this, yes. However, if you're trying to find out something from the past before you've enabled logging/auditing, no, you won't be able to tell if someone copied data to a USB drive.


  • Posts: 0 [Deleted User]


    NTUSER.DAT registry key logs every time a USB key is connected to a system. However, it only logs the date/time it was connected, not if data was transferred.

    What type of data? Your best bet might be to grab the MFT (Master File Table) and check the MACE timestamps. If you know, for example, the files haven't been accessed by anybody for the last couple of weeks or so, and you suspect somebody accessed your system last Friday, for example, then the 'Accessed' timestamp might help you.

    You might have some luck with shimcache: if a USB key was recently connected, then there might be entries in the shimcache for these files. You'll know by the directory (D:\), for example, as your root directory should be (C:\).


  • Registered Users Posts: 2,626 ✭✭✭timmywex


    You can easily find what USB was inserted, its serial number etc. Saying what data was transferred is much harder. The easiest way in general is through a forensic image and look at the MAC times for files. Files with MAC times around when the USB was last inserted or first inserted are potentials, but no guarantee.

