What level of event logging was enabled on the system? Maybe you can
get some info from the event log.
On May 8, 2006, at 8:56 AM, Greg Kelley wrote:
I don't think you will find any log file. The only time you would
find
a log file for something like this is if the person moved the file
with
a backup application or if it was a CD and they made a burn of files.
Try to look for LNK files, IE history (file:/// links) and MRUs in the
registry to see signs of the user reading the files off of the USB
drive
after the user copied them to the drive.
Greg Kelley, EnCE
Vestige Digital Investigations
Computer Forensics | Electronic Discovery | Corporate Surety
46 Public Square, Ste 220
Medina, OH 44256
(330)721-1205 x5432
(330)721-1206 Fax
http://www.vestigeltd.com
-----Original Message-----
From: Serge Jorgensen [mailto:[EMAIL PROTECTED]
Sent: Thu 5/4/2006 12:16 PM
To: [email protected]
Cc:
Subject: Tracking moved files?
Hello!
I'm try to show that files were copied and/or moved off a W2K drive
onto a USB stick. Obviously the registry and setupapi files show the
USB installation info - but I can't find the log file (or other
method?) that Windows must use to track files being moved and copied.
I don't have the USB device - which would make this a whole lot
easier.
Any ideas would be great.
Thanks.
George
