Thanks for making the video. You’re always so clear and concise! Adding to my toolkit
Thank you!! subscribed and in love with these videos and forensics investigations.
I love your videos, I've found them very useful at work being out of college only a year 🙏
Excellent channel. Thank you!
Can this tool be used to analyze logs exported from an imaged device or only logs on the host computer?
Found the answer below, disregard. Great channel, subscribing.
Thanks for this video! As always, clear and concise.
Glad you make such helpful concise videos
Thank you very much!
Question: to your knowledge, is there a way to obtain a direct evidence of a file being copied to a USB device?
L. Barrera In some cases once someone copies a file to external media they will then open it from the external media to verify a successful copy. This results in the creation of a lnk file, and can provide you with valuable evidence. Filesystem timestamps can also be used in many cases. There is an episode covering this within the Windows Forensics series.
@@13Cubed Thanks for your prompt reply. I have seen FS TimeStamps, but I did not see anything there that allows me to get conclusive evidence on copying files to a USB device. Probably I missed something; I hope you might give some hints on where to look. Again, thanks for your enlightening videos. I can't wait for the next one.
@@lautarob The M (Modified) timestamp is inherited upon a copy, and the B (Creation) is set to the time of the copy. This results in a file that was seemingly modified before it existed, and is a tell-tale sign of a copy. This SANS poster is a great resource: www.sans.org/security-resources/posters/windows-forensic-analysis/170/download. As for the LNK files, if you had a document named Secret.docx that was opened from the C: drive, a LNK file would be created. If, for example, the document were then copied to the E: drive and subsequently re-opened to prove it was successfully transferred (something commonly seen), the existing LNK file would be updated, showing the "Local Base Path" and "Working Directory" of the (E:) flash drive. You can see this with a simple utility like exiftool, or use LECmd from Eric Zimmerman.
@@13Cubed Thanks for your comprehensive and valuable reply. Now, let's assume that someone sits at his corporate computer, connects a USB device and copies a bunch of files. Assuming he/she did not open any from the USB device after copying them, is there a Windows artifact (or a combination of some of them) that allows one to conclude that such a copying process occurred?
L. Barrera Timestamps would still be valuable if you had the drive to which you suspected files were copied. Otherwise nothing I can think of offhand...
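The "modified before it existed" check from the replies above, written out as an added example (not code from the channel or from any tool mentioned in the thread). It walks a mounted volume or image, compares each file's Modified time with its Creation time, and flags the M &lt; B ordering that a copy leaves behind. The sample records at the bottom are constructed for illustration; the tolerance value, the function names and the `scan_tree` helper are my own choices, not anything from the thread.

```python
"""Flag files whose Modified (M) timestamp predates their Creation (B) timestamp.

On NTFS a copy inherits the source file's M time while B is set to the moment
of the copy, so M < B is the "modified before it existed" signature discussed
in the thread. Records are (path, modified, created) tuples in epoch seconds;
scan_tree() builds them from a mounted volume or image.
"""
import os
from datetime import datetime, timezone


def is_copy_signature(modified, created, tolerance=2.0):
    """True when the file was 'modified' more than `tolerance` seconds before it was created.

    The tolerance (an assumption) absorbs sub-second rounding and files that
    were written and closed within the same second of being created.
    """
    return (created - modified) > tolerance


def find_copied_files(records, tolerance=2.0):
    """Return [(path, modified_iso, created_iso)] for records showing the M < B anomaly."""
    hits = []
    for path, modified, created in records:
        if is_copy_signature(modified, created, tolerance):
            hits.append((path, _iso(modified), _iso(created)))
    return hits


def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def _creation_time(st):
    # Python exposes the birth time as st_birthtime (Python 3.12+ on Windows,
    # and on macOS/BSD); older Windows builds report it in st_ctime. On Linux
    # st_ctime is the inode change time, not creation, so return None there
    # and let the caller fall back to a proper filesystem parser.
    if hasattr(st, "st_birthtime"):
        return st.st_birthtime
    if os.name == "nt":
        return st.st_ctime
    return None


def scan_tree(root):
    """Walk a mounted volume and build (path, modified, created) records."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # unreadable entry; skip rather than abort the scan
            created = _creation_time(st)
            if created is not None:
                records.append((full, st.st_mtime, created))
    return records


# Constructed sample records (not real evidence): epoch seconds, UTC.
SAMPLE_RECORDS = [
    # Edited on the laptop in March, copied to E: in June -> M < B, flagged
    ("E:\\Secret.docx", 1709294400.0, 1717200000.0),
    # Created on E: directly and edited an hour later -> normal ordering
    ("E:\\notes.txt", 1717203600.0, 1717200000.0),
    # Saved within a second of creation -> inside tolerance, not flagged
    ("E:\\readme.txt", 1717200001.0, 1717200000.0),
]

if __name__ == "__main__":
    for path, m, b in find_copied_files(SAMPLE_RECORDS):
        print(f"{path}: modified {m} but created {b}")
```

Run it against a mounted drive with `find_copied_files(scan_tree("E:\\"))`. The anomaly is evidence of a copy onto that volume, not of where the file came from, and it is easy to lose: copy tools that preserve all timestamps, extraction from an archive, or deliberate timestomping can all remove it, which is why the LNK and shellbag artifacts mentioned above are worth correlating with it.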
Awesome Awesome Awesome
amazing content (just bought your course)
Awesome, I hope you enjoy it!
Thanks again for another excellent video. Can this tool be used to parse EVTX files obtained via FTK Imager? If so, what would the command line syntax be, as -d obviously doesn't work? Thanks again...
Sure, just place the collected event log files in a single directory and then you can use the -d flag, or use -f and point to the path of any single file.
Thanks for the video...
Thank you!
thanks again!