Can you view previously copied data?

mike6623 · Feb 3, 2015

We have an employee who we believe may have backed up sensitive information to a personal flash drive.

We run Windows 7 professions on 2012 R2 server.

Is there a way that I can check to see what was copied to an external drive? If so, how?

crawfish · Feb 3, 2015

Sector editors like WinHex and HxD will open a disk and let you search the whole thing sector by sector, without regard to file systems. If you want to wipe the drive, flash drives have their own set of considerations. See the paper Schneier linked to here:

https://www.schneier.com/blog/archives/2011/03/erasing_data_fr.html

SSDs with TRIM enabled in effect self-sanitize over time when files are deleted.

mike6623 · Feb 3, 2015

crawfish said:
Sector editors like WinHex and HxD will open a disk and let you search the whole thing sector by sector, without regard to file systems. If you want to wipe the drive, flash drives have their own set of considerations. See the paper Schneier linked to here:

https://www.schneier.com/blog/archives/2011/03/erasing_data_fr.html

SSDs with TRIM enabled in effect self-sanitize over time when files are deleted.

I appreciate that. I have no experience with this software. Do I simply install and search? Is there something specific I should look for to see what was copied in the last week from HD to external? I am just wanting to see what folders were copied, not necessarily all files.

crawfish · Feb 3, 2015

If you open a disk in file system mode in WinHex, it will show deleted files and folders with dimmed icons beside them containing a question mark. See also undelete programs, which I would assume give you a consolidated list of deleted files/folders to try to restore. You still need to search for contents, though, because it's possible that the file system structures will be overwritten while data from the files remains on the disk.

mike6623 · Feb 3, 2015

crawfish said:
If you open a disk in file system mode in WinHex, it will show deleted files and folders with dimmed icons beside them containing a question mark. See also undelete programs, which I would assume give you a consolidated list of deleted files/folders to try to restore. You still need to search for contents, though, because it's possible that the file system structures will be overwritten while data from the files remains on the disk.

Thanks, but the info wasn't deleted, it was copied. I am just attempting to find a log that says on this date this folder was copied to this drive. Is it not that in depth, or does it do that as well? Thanks again!

crawfish · Feb 3, 2015

There won't be a log for that, but you could open File Explorer to the root of the drive, enter * as the search term, and perform the search. Explorer will display a flat listing of all the folders and files which you can sort in various ways. You might also want to turn on the display of hidden files before doing this.

mike6623 · Feb 3, 2015

crawfish said:
There won't be a log for that, but you could open File Explorer to the root of the drive, enter * as the search term, and perform the search. Explorer will display a flat listing of all the folders and files which you can sort in various ways. You might also want to turn on the display of hidden files before doing this.

last question. How do I open File Explorer to the root of the drive? I know how to open it, but not to the root of the drive.

stringjunky · Feb 3, 2015

The other way you could try is to view the Last Access Date and Time for files you are concerned about. This facility could be disabled by default though.

You can open to the root just by double-clicking on the C: drive icon in File Explorer

mike6623 · Feb 3, 2015

I searched the C drive with * but am not sure how to determine what files had recently been copied to an external device.

caperjack · Feb 3, 2015

stringjunky said:
The other way you could try is to view the Last Access Date and Time for files you are concerned about. This facility could be disabled by default though.

You can open to the root just by double-clicking on the C: drive icon in File Explorer

that I think would only work if the person opened the files before they copied them to the external device .

to the best of my computer knowledge there is no way of knowing what folders or files the person may have copied to the external device

stringjunky · Feb 3, 2015

caperjack said:
stringjunky said:

The other way you could try is to view the Last Access Date and Time for files you are concerned about. This facility could be disabled by default though.

You can open to the root just by double-clicking on the C: drive icon in File Explorer

Click to expand...

that I think would only work if the person opened the files before they copied them to the external device .

to the best of my computer knowledge there is no way of knowing what folders or files the person may have copied to the external device

The only way I can think of - it's too late here though - is to install a keylogger to capture future attempts.

broe23 · Feb 3, 2015

The Linux Sleuth Kit may tell you.

broe23 · Feb 3, 2015

mike6623 said:
Thanks, but the info wasn't deleted, it was copied. I am just attempting to find a log that says on this date this folder was copied to this drive. Is it not that in depth, or does it do that as well? Thanks again!

If this is a Domain, the AD logs would tell you if a share was accessed, by what username & the time it was accessed.

Can you view previously copied data?

New Member

My Computer

Member

My Computer

New Member

My Computer

Member

My Computer

New Member

My Computer

Member

My Computer

New Member

My Computer

New Member

My Computer

New Member

My Computer

Just the Janitor

My Computer

New Member

My Computer

Retired from the grind

My Computer

Retired from the grind

My Computer