RE: Determining if someone copied file to a: drive

From: D. Douglas Rehman (rehmanat_private)
Date: Tue May 29 2001 - 17:34:49 PDT


    I had a similar request before to determine if certain intellectual property
    files had been copied onto a Zip disk. The Zip disk was the d: on the
    subject system. To make a long story (or long examination...) short, I
    searched for "d:\" across the entire drive. I found numerous hits in the
    User.dat file; some of these included the IP files I was seeking. (It was a
    Win98 system.)
    
    The process of figuring out what made the text entries was less successful.
    The first thing I did was to boot a clone copy of the hard drive and run
    regedit. I searched for the strings that I had previously found, but
    received no hits. I even exported the registry to a file and searched it,
    but again came up empty. I used a hex editor to view the User.dat file and
    found the strings. The only conclusion I could come to was that there must
    be registry "slack". The strings must have been part of the registry at one
    time, but were no longer an active part. They might have been pointers to
    most recently accessed files.
    
    Best Regards,
    
    Doug Rehman
    Rehman Technology Services, Inc.
    Specializing in Computer Forensics and Technology Related Investigations
    License A-9800119
    Mount Dora, Florida (Orlando Area)
    (352)357-0500
    http://www.surveil.com
    
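The raw-byte search described in the post (looking for `d:\` across a hive file rather than through regedit, which only walks the live registry structure) can be scripted. The following is an added example, not code from the original post or from the list; the byte blob, function names and offsets are constructed for illustration and do not come from a real User.dat. It scans for drive-letter paths stored as ASCII (Win9x User.dat) and as UTF-16LE (the form NT-family hives use for many values), reports each hit with its file offset and encoding, and optionally filters by drive letter. Because it works on bytes and not on the parsed registry, it also returns strings that sit in unallocated space of the hive, which is what the post calls registry "slack".

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample bytes (assumption: NOT a real User.dat). Laid out to look
# like a hive fragment holding one live ASCII value, one live UTF-16LE value,
# an unrelated c: path, and one leftover ASCII string with no key around it,
# standing in for a deleted value that regedit would no longer show.
SAMPLE_HIVE = (
    b"\x00" * 16
    + b"RecentDocs\x00"
    + b"d:\\projects\\design_spec.doc\x00"
    + b"\x00" * 8
    + "d:\\customer_list.xls".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
    + b"c:\\windows\\notepad.exe\x00"
    + b"d:\\old_secret.pdf\x00"          # orphaned: residual data in hive slack
)

# A drive path: letter, colon, backslash, then printable characters up to a
# terminator. Windows paths top out at 260 characters, hence the bound.
DRIVE_PATH_ASCII = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,259}")
# Same shape with each character followed by a zero byte (UTF-16LE).
DRIVE_PATH_UTF16 = re.compile(rb"[A-Za-z]\x00:\x00\\\x00(?:[\x20-\x7e]\x00){1,259}")


@dataclass(frozen=True)
class Hit:
    offset: int     # byte offset in the scanned data
    encoding: str   # "ascii" or "utf-16-le"
    path: str


def find_drive_paths(data: bytes, drive: Optional[str] = None) -> List[Hit]:
    """Return every drive-letter path found in raw bytes, sorted by offset.

    `drive` is a single letter (case-insensitive) to keep only paths on that
    drive, e.g. "d" for the Zip disk in the post. Works on allocated and
    unallocated regions alike, since no hive structure is parsed.
    """
    hits: List[Hit] = []
    for m in DRIVE_PATH_ASCII.finditer(data):
        hits.append(Hit(m.start(), "ascii", m.group().decode("ascii")))
    for m in DRIVE_PATH_UTF16.finditer(data):
        hits.append(Hit(m.start(), "utf-16-le", m.group().decode("utf-16-le")))
    if drive is not None:
        want = drive.lower()
        hits = [h for h in hits if h.path[0].lower() == want]
    return sorted(hits, key=lambda h: h.offset)


def scan_file(path: str, drive: Optional[str] = None) -> List[Hit]:
    """Scan a hive file (or any raw image) from disk."""
    with open(path, "rb") as fh:
        return find_drive_paths(fh.read(), drive)


if __name__ == "__main__":
    # Usage: python scan.py [hive_file] [drive_letter]; with no file argument
    # the constructed sample is scanned.
    if len(sys.argv) >= 2:
        results = scan_file(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        results = find_drive_paths(SAMPLE_HIVE, drive="d")
    for h in results:
        print(f"0x{h.offset:08x}  {h.encoding:9s}  {h.path}")
```

Run against a copy of the hive taken from a cloned drive, never the live system, and compare the hit list with what regedit or a hive parser shows: any path present in the byte scan but absent from the parsed registry is the residual data the post describes.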



    This archive was generated by hypermail 2b30 : Tue May 29 2001 - 21:11:52 PDT