digitalguru wrote:
Case was related to DLP.. Employee during exit copied office data on to personal hard disk and deleted the data from personal hard disk. Senior Management want to check if any further files are copied from this personal HDD to any other device.
Lots of additional information is needed (ie, OS being examined), but from a Windows perspective, the OS does not keep records of files copied. There are ways to see what files may have been copied, but that depends on a great deal of additional activity; for example, if the user opens one of the files that was copied to the external device, there may be several artifacts of that activity (LNK file, Registry, Jump Lists) depending upon the version of Windows being examined. However, the difficultly is that in and of themselves, these artifacts do not specifically identify files that were copied...they simply identify files accessed from an external device.
If the system being analyzed is XP, you *might* find something of value in the shellbags. Maybe.
Again, when asking these sorts of questions, there is information that needs to be provided; otherwise, there possibilities are limitless, and no one wants to sit and write a book.
↧