Evidence of file copy to external device on Windows 2000 / FAT 32
Does a Windows 2000 user leave any traces when he copies a file to an external device (USB stick, USB hard disk, CD burner etc.)? The source file system is FAT 32, so auditing file access by turning on appropriate event logging is not possible (see http://www.cert.org/security-improve.../i028.03.html). The suspect target devices are not available.

I found device interface arrival/removal notifications (event IDs 134 and 135) for USB sticks in the event log, entries in index.dat files showing that certain files were opened from a USB stick, and corresponding entries in the recent lists, but none of these records prove that files have been copied to an external device.

Any hints where to search further?

Thank you for your answers

Stefan Schiffer
Re: Evidence of file copy to external device on Windows 2000 / FAT 32
On 19 Apr 2006 01:05:42 -0700, "Stefan Schiffer" <stefan@schiffer.at> wrote:

>Does a Windows 2000 user leave any traces when he copies a file to an
>external device (usb stick, usb harddisk, cd burner etc)?

I just installed a 40GB USB drive on win 2000 and I copied some files to the drive. I can't find anything that shows that those files were copied. I'm surprised that you found as much as you did.