RE: Determining if someone copied file to a: drive

From: crazytrain.com (subscribeat_private)
Date: Wed May 30 2001 - 10:47:12 PDT

Next message: jonathan bloomquist: "RE: Determining if someone copied file to a: drive"

Previous message: Frank Heyne: "RE: Registry Key LastWrite times"
Maybe in reply to: phil_curranat_private: "Determining if someone copied file to a: drive"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Just a quick note here on this thread:

1) A user can set his RECENT folder to any path and folder he/she likes (so 
the default path of C:\Winnt\Profiles\USERX\Recent   may not be accurate 
all the time).  This is done within the registry.
2) A user can set the system such that NO files are 'remembered'.  I.E., 
they would not appear in the DOCUMENTS listing from the task bar (no matter 
if path was changed or not).  Again, this is done within the registry and 
works on NT and 2000 (I have not tried on 9x).

So, if these areas are barren, perhaps look around to see if either the 
default path was changed and/or the remembered files was set to 0 or not.

thomas



> Look in the Recent Files information...    which is displayed on the
> Start -> Documents listing from the Task Bar.
> 
> The Recent Documents are also in the folder (which is really what is
> displayed on the task bar) -
> C:\Winnt\Profiles\<the profile of interest>\Recent
> 
> Hope this helps.  NT does leave a trace of the last few files touched.
> 
> ---------------------------------------------------------
> Michael S Hines                | Phone 765-494-5875
> Purdue University              | FAX   765-496-1380
> Management Information         | Email mshinesat_private
> OS/390 Systems Programmer      | Certifications:
> 1061 Freehafer Hall            |    CIA, CISA, CFE, CDP
> West Lafayette, IN 47907-1061  |
> 
> 
> 
> -----Original Message-----
> From: phil_curranat_private [mailto:phil_curranat_private]
> Sent: Tuesday, May 29, 2001 6:38 AM
> To: forensicsat_private
> Subject: Determining if someone copied file to a: drive
> 
> 
> I have been tasked to determine if some has copied a file to the a: drive.
> My system information is as follows:  NT Workstation, SP6a, auditing is 
NOT
> on.
> 
> Without auditing turned on, is there a method I can use to determine if a
> user copied files to the floppy drive (a:)?  I am not aware of any way to
> do this.  Any help is greatly appreciated.
> 
> v/r
> 
> Phil Curran
> 
> 
> 
> **********************************************************************
> This e-mail and any files transmitted with it may contain
> confidential information and is intended solely for use by
> the individual to whom it is addressed.  If you received
> this e-mail in error, please notify the sender, do not
> disclose its contents to others and delete it from your
> system.
> 
> **********************************************************************
> 
>

Next message: jonathan bloomquist: "RE: Determining if someone copied file to a: drive"
Previous message: Frank Heyne: "RE: Registry Key LastWrite times"
Maybe in reply to: phil_curranat_private: "Determining if someone copied file to a: drive"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed May 30 2001 - 20:38:43 PDT