LNK file analysis will do the trick, but you need to use a forensic method to extract and analyze them. There are embedded dates within these LNK files that you can use. Also, looking through the registry under the USBSTOR for thumb drives and matching to drive letters might provide some clues.

Jim

Jim Butterworth, EnCE, GCIA
Manager, Professional Services, Southwest

*** Sent while Mobile ***

-----Original Message-----
From: Bart Somers <[EMAIL PROTECTED]>
To: Serge Jorgensen <[EMAIL PROTECTED]>
CC: [email protected] <[email protected]>
Sent: Tue May 09 02:52:00 2006
Subject: Re: Tracking moved files?

Besides the installation info, all files copied or moved to the removable storage should have been accessed (to read) or modified (remove).

So I think analyzing the access-times from your source-filesystem should show you accessed and removed files.

This is of course not water-tight, as I can plug in a USB-device, work on a lot of files (without doing something with the USB-device) and remove the device, but at least it's a start.

Best regards,

Bart Somers.

On 5/4/06, Serge Jorgensen <[EMAIL PROTECTED]> wrote:
> Hello!
>
> I'm trying to show that files were copied and/or moved off a W2K drive
> onto a USB stick. Obviously the registry and setupapi files show the
> USB installation info - but I can't find the log file (or other
> method?) that Windows must use to track files being moved and copied.
>
> I don't have the USB device - which would make this a whole lot easier.
>
> Any ideas would be great.
>
> Thanks.
>
> George
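
The embedded LNK dates and drive matching mentioned in the first reply, as an added example that is not part of the original thread: a Python parser that reads the target timestamps from the shell link header and, when the link records them, the drive type, volume serial and local path. The field layout follows Microsoft's MS-SHLLINK specification; the names `parse_lnk` and `build_sample` and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means not set."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10) if ft else None

def parse_lnk(data):
    """Return target timestamps and, when present, volume details from a .lnk."""
    if len(data) < 76:
        raise ValueError("too short for a ShellLinkHeader")
    size, clsid, flags, _attr, ctime, atime, wtime, fsize = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    info = {"target_created": filetime_to_utc(ctime),
            "target_accessed": filetime_to_utc(atime),
            "target_modified": filetime_to_utc(wtime),
            "target_size": fsize}
    off = 76
    if flags & 0x01:   # HasLinkTargetIDList: 2-byte length, then the ID list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x02:   # HasLinkInfo
        _sz, _hdr, li_flags, vol_off, path_off = struct.unpack_from("<5I", data, off)
        if li_flags & 0x01:   # VolumeIDAndLocalBasePath
            _vsz, dtype, serial = struct.unpack_from("<3I", data, off + vol_off)
            info["drive_type"] = DRIVE_TYPES.get(dtype, "invalid")
            info["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            start = off + path_off
            end = data.index(b"\0", start)   # path is a NUL-terminated string
            info["local_base_path"] = data[start:end].decode("cp1252", "replace")
    return info

def build_sample():
    """Constructed sample: a link to E:\\report.doc on a removable volume."""
    ft = 116444736000000000 + 1146484800 * 10_000_000   # 2006-05-01 12:00:00 UTC
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, 0x02, 0x20,
                         ft, ft, ft, 1024, 0, 1, 0, 0, 0, 0)
    volume = struct.pack("<4I", 0x11, 2, 0x1234ABCD, 0x10) + b"\0"
    body = volume + b"E:\\report.doc\0" + b"\0"   # VolumeID, base path, suffix
    link_info = struct.pack("<7I", 0x1C + len(body), 0x1C, 0x01, 0x1C,
                            0x1C + len(volume), 0, 0x1C + len(body) - 1)
    return header + link_info + body
```

The header timestamps describe the link target as recorded when the link was last written, so they are read from a forensic copy of the LNK file rather than from the live system.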
