Computer Forensics World: Forums

Stolen USB Key Returned - Analysis

 
navycross
Newbie
Joined: Mar 31, 2011
Posts: 1

Posted: Fri Apr 01, 2011 6:37 am    Post subject: Stolen USB Key Returned - Analysis

Looked on the forums and tried to find something similar. What I am looking for is some kind of utility or way to tell what systems the key was connected to and what files were copied when the thumb drive was out of my possession.

I know that there were no files deleted; I have no idea how to tell what files have been copied... Is there a utility, log file, some way of telling, and if so, will it give me the IDs of what systems it was plugged into?

I'm a complete noob, but computer literate enough to run terminal on my Mac etc., so anything that can be done to help here would save my &^%!

Cheers
athulin
Newbie
Joined: Oct 19, 2007
Posts: 237

Posted: Fri Apr 01, 2011 7:25 am    Post subject: Re: Stolen USB Key Returned - Analysis

navycross wrote:
Looked on the forums and tried to find something similar, what I am looking for is some kind of utility or way to tell what systems the key was connected to and what files were copied when the thumb drive was out of my possession.


Not for sure. You may be lucky, and find that the last accessed time stamp (regardless of whether there's a FAT or NTFS file system) has changed. On the other hand, on Vista and up - and also on Linux if you mount the device appropriately - last access timestamps won't be updated.

That is, you may be able to say 'yes, someone has accessed file X and Y and Z during the relevant time'. But you are unlikely to be able to say, 'no, no one has accessed any files'.

But for that, you must protect the contents of the device. You can't even look at the device yourself unless you have connected it through a writeblocker -- or you may overwrite the last accessed timestamps yourself.

Remember, last accessed means last accessed, not 'only accessed'.
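
Added example, not part of any post in this thread: on a FAT-formatted key, the last-access field discussed above is a date only (no time of day), stored at offset 18 of each 32-byte directory entry. The sketch below decodes it from directory bytes carved out of an image taken through a write blocker; the entries, file names and date window are constructed for illustration.

```python
import struct
from datetime import date

def fat_date(v):
    """Decode a 16-bit FAT date field; None if zero or invalid."""
    try:
        return date(1980 + (v >> 9), (v >> 5) & 0x0F, v & 0x1F)
    except ValueError:
        return None

def parse_dir(raw):
    """Yield (name, write_date, access_date) for live short-name entries."""
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                  # end-of-directory marker
            break
        if e[0] == 0xE5 or e[11] & 0x08:  # deleted, or volume label / long-name part
            continue
        # offsets 18..25: access date, cluster high, write time, write date
        access, _, _, write = struct.unpack_from("<HHHH", e, 18)
        base = e[0:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        yield (base + ("." + ext if ext else ""), fat_date(write), fat_date(access))

def accessed_between(raw, start, end):
    """Names whose last-access date falls inside [start, end]."""
    return [n for n, _, a in parse_dir(raw) if a and start <= a <= end]

def _entry(name83, write, access):
    """Build one constructed 32-byte entry (attribute 0x20 = archive)."""
    enc = lambda d: ((d.year - 1980) << 9) | (d.month << 5) | d.day
    return struct.pack("<11sB6xHHHHHI", name83, 0x20,
                       enc(access), 0, 0, enc(write), 2, 0)

# Constructed sample directory: two live files, one deleted entry, terminator.
SAMPLE_DIR = (
    _entry(b"REPORT  DOC", date(2011, 3, 1), date(2011, 3, 30))
    + _entry(b"NOTES   TXT", date(2011, 2, 10), date(2011, 2, 10))
    + b"\xe5" + _entry(b"OLD     TMP", date(2011, 1, 5), date(2011, 3, 29))[1:]
    + bytes(32)
)

if __name__ == "__main__":
    # Hypothetical window during which the key was out of the owner's hands.
    for name in accessed_between(SAMPLE_DIR, date(2011, 3, 28), date(2011, 4, 1)):
        print("accessed in window:", name)
```

A hit shows only that the file was last read on that date; an empty result does not show that nothing was read, since the field is not updated on every system.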
montgomeryj
Newbie
Joined: Mar 05, 2013
Posts: 1

Posted: Wed Mar 06, 2013 3:57 pm    Post subject:

If you want to do a little bit of digging, you could learn how to use the digital forensics tool called Autopsy (which uses Sleuthkit on its backend) to analyze the USB drive. Once it is mounted in Autopsy, you can view a timeline of when files were accessed and a little bit of information about what was modified on the files. You can find more information about Autopsy at http :// www . sleuthkit . org/autopsy/. That might be a good place to start. If you have more questions, post them here.

Moderator Note: Direct links are not allowed.
All times are GMT + 10 Hours