
We had this question from an OSForensics customer today, so I thought it was worth posting the response.

Windows supports a number of different file systems (NTFS, FAT32, exFAT, etc.). The details recorded about files and file transactions for each of them are different. The details recorded also depend on the operating system in use.

As a broad general statement, Windows doesn't record details about what files were copied between drives. So generally it is impossible to recover a list of files copied. The data just isn't stored.

BUT, there is some information that can often be collected.

You can get a list of USB drives connected to the machine (Recent activity in OSF).

If the file was copied to a USB drive AND the file was opened from that location, there would be a link (.lnk) file to that removable media. You can see the list of files from the name of the LNK file, but inside the LNK file you can find the file location. Using the OSForensics File Name Search function you can quickly find all the LNK files, then open them with the internal viewer to decode the content (which gives the drive letter and folder name of the file being opened).

If the file was copied to a USB drive AND the file was opened from that location, there would be a Jump List entry. You can recover the Jump List records from the Recent Activity function in OSForensics.

If, after the copy operation, files are listed in icon view in an Explorer window, it is possible to see the directory structure of a network drive or removable device by looking at the Shellbag entries in OSF Recent activity. In our testing however, these don't always seem to be created.

Depending on the operating system & file system you might be able to look at Last Access Times of files around the time the USB drive was used to have a good guess at what files were copied. Last Access Time updating is enabled by default in XP. In order to save system resources, it is disabled by default in Vista and later. See,
Also, if it has been a while since the files were copied, the last access times would have likely been updated since the copy operation took place. Given that most people are using Win7 and Win10, this normally isn't an option.

Sometimes the Windows Search function might index files on the USB drive (if you believe the reports on the internet). You can see the Windows Search records from the Recent Activity function in OSForensics. In our testing however we couldn't get this to happen. So likely it depends on timing issues, which O/S is in use and how long it has been since the drive was removed. You might get lucky however.

All this assumes you don't have access to the USB drive in question.
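
As an added example (not part of the original post and not OSForensics code), the Python below shows what decoding the location stored inside a LNK file involves: it reads the LinkInfo block defined in Microsoft's MS-SHLLINK format and reports the target's drive type, volume serial number, volume label and path. The link produced by `build_sample`, including its path, label and serial number, is constructed for illustration.

```python
import struct

DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def _cstr(buf, off):
    """Read a NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\0", off)].decode("cp1252", "replace")

def parse_lnk_target(data):
    """Return drive type, volume serial, label and local path of a .lnk target,
    or None when the link carries no local volume information."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    pos = 76                             # end of the fixed-size header
    if flags & 0x1:                      # HasLinkTargetIDList: skip the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & 0x2:                  # HasLinkInfo not set
        return None
    size, _hdr, li_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
    info = data[pos:pos + size]
    if not li_flags & 0x1:               # no VolumeID/LocalBasePath (e.g. network target)
        return None
    _vsize, dtype, serial, label_off = struct.unpack_from("<4I", info, vol_off)
    # label_off == 0x14 signals a Unicode label; only the ANSI form is read here
    label = _cstr(info, vol_off + label_off) if label_off != 0x14 else None
    return {"drive_type": DRIVE_TYPES.get(dtype, "invalid"),
            "serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
            "label": label, "path": _cstr(info, path_off)}

def build_sample(path=b"E:\\Reports\\q3-forecast.xlsx", label=b"KINGSTON", dtype=2):
    """Constructed sample: a minimal link holding only a header and LinkInfo."""
    header = (struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack("<I", 0x2)).ljust(76, b"\0")
    vol = struct.pack("<4I", 16 + len(label) + 1, dtype, 0x1A2B3C4D, 16) + label + b"\0"
    body = vol + path + b"\0" + b"\0"    # VolumeID, LocalBasePath, empty CommonPathSuffix
    info = struct.pack("<7I", 28 + len(body), 28, 0x1, 28, 28 + len(vol),
                       0, 28 + len(vol) + len(path) + 1) + body
    return header + info

if __name__ == "__main__":
    print(parse_lnk_target(build_sample()))
```

A `drive_type` of `removable` together with the volume serial number is what lets a LNK record be matched against the list of USB drives that were connected to the machine.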