What's the best way to copy data without leaving a trace?

Solution 1

Which logs were you looking at specifically?

Some filesystems log the last accessed time; however, this can be avoided (e.g. for Windows see http://msdn.microsoft.com/en-us/library/ms724933.aspx and the lpLastAccessTime field), and for frequently accessed data it doesn't matter much anyway.

As for cookies, to upload files a cookie is not actually needed (it's just the implementation of the actual service in question), and even if a cookie is needed, you can clear them from a web browser, or not even use a web browser on the system. Of course, you can't hide the network traffic entirely: a TLS connection on port 443 that sends a large amount of data still looks like an upload rather than normal web traffic, even though the encryption prevents networking devices from knowing what it was (at least short of some questionable things I've seen, like essentially setting up a man-in-the-middle attack and making all the systems trust a wild-card cert so they don't warn the users), just what the end points of that connection were.

However, in environments where people are intentionally protecting files, full access logging is of course a possibility, and by its nature cannot be subverted (at least not by a non-root user that can interfere with the system configuration, or use some more indirect methods of file access).

Also, on-access virus scanners may keep a log of everything they scanned, even if it's clean, and I'm not sure if they would note if the access was to copy to a portable device.

Of course, if you have physical access to the system, the problem becomes very easy, since you can boot the system into another OS (e.g. Linux on a CD or USB), or connect the hard disk to another system (I have never tried to bypass BIOS protection, but believe it is possible to prevent the boot to another OS without a password). However, the fact that you rebooted the system would be known. Another protection against this is encrypting the files on the disk (or even the entire disk).

Solution 2

Windows has an auditing capability that can log each file access on specific drives or directories, possibly everything. This is not enabled by default. Some corporate environments don't enable this because it impacts performance.

USB mass storage devices are recorded somewhere when they are first connected; Belarc Advisor is a utility that can retrieve and report on this information.

The bulletproof way to do this is to boot off a live Linux CD of some sort and perform the copy without the underlying operating system involved at all. Ideally you would mount the partition read-only to be very sure nothing on the volume is modified.
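The artefacts the two answers rely on (NTFS last-access timestamps from Solution 1, and Windows file-access auditing plus the USB mass-storage record from Solution 2) can be checked from the administrator's side. This is an added PowerShell example, not code from either answer; it assumes an elevated console on the examined machine and a hypothetical audited folder `D:\Confidential`.

```powershell
# Added example: read-only review of the Windows artefacts discussed above.
# Run from an Administrator PowerShell on the system being examined.

# 1. Does NTFS still record last-access times? (Solution 1's lpLastAccessTime point.)
#    Output "DisableLastAccess = 1" means the timestamp is not maintained.
fsutil behavior query disablelastaccess

# 2. Is object-access auditing for the file system switched on at all?
#    Solution 2 notes it is off by default; without it no 4663 events are written.
auditpol /get /subcategory:"File System"

# 3. Which audit rules (SACL) does the folder carry? Auditing only fires for
#    paths that have one. The folder path is an assumption for illustration.
$watched = 'D:\Confidential'
(Get-Acl -Path $watched -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags

# 4. File-access audit events (Security log, Event ID 4663) touching that
#    folder in the last 7 days. Properties[1] is the account, [6] the object.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4663
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$watched*" } |
    Select-Object TimeCreated,
        @{ Name = 'Account'; Expression = { $_.Properties[1].Value } },
        @{ Name = 'Object';  Expression = { $_.Properties[6].Value } }

# 5. USB mass-storage devices that have ever been enumerated (the registry
#    record Thalys refers to). Each key is a vendor/product string; its
#    subkeys are device instance IDs, usually containing the serial number.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' |
    ForEach-Object {
        $device = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            [pscustomobject]@{
                Device       = $device
                InstanceId   = $_.PSChildName
                FriendlyName = (Get-ItemProperty $_.PSPath).FriendlyName
            }
        }
    }
```

Steps 2 and 3 together explain the common case where auditing looks "enabled" yet records nothing: the policy is on but the folder has no SACL, or vice versa.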


Author: Joan Venge

Updated on September 18, 2022

Comments

  • Joan Venge
    Joan Venge over 1 year

    I was wondering if uploading data from the system disk onto an online file-sharing service would work, but it seems like the system logs these and they could be traced by the cookies of that website.

    Is it the same if you were to copy from a system disk onto a portable disk? I have a hard time thinking that the system logs every file that's read from disk. I imagine it will be evident a device was plugged in, with nothing else to show what was copied, etc.

    Is there a bulletproof way to achieve this where if anyone were to inspect the system, they wouldn't be able to verify that some files were copied?

    EDIT: Some of the methods that trace the act of copying files:

    https://www.youtube.com/watch?v=NG9Cg_vBKOg

    • Darius
      Darius over 10 years
      Access logs such as what you are thinking of are often not enabled by default. If you are copying information from a business that does have those enabled, then yes, some access logs or copy log may be present, but only if the system is set to log them.
    • Ramhound
      Ramhound over 10 years
      If the logs are enabled, what you want is difficult, since you're unlikely to have the ability to delete the logs. I don't feel comfortable providing solutions.
  • Thalys
    Thalys over 10 years
    IIRC it's in the registry, and/or due to the drivers installed when the device is plugged in. I could swear it also stores the device ID of the device somewhere. I'll need to check my books to be sure.
  • Joan Venge
    Joan Venge over 10 years
    Windows Event Manager, etc. I added a video where the guy explains how they catch people, so all kinds of logs, cookies, etc. are working in their favor.
  • Joan Venge
    Joan Venge over 10 years
    I never used Linux. Do I have to install it? Because there is only 1 disk, and say I am not able to open the PC case, would it work? Also, why Linux? Can other small apps possibly do this?
  • LawrenceC
    LawrenceC over 10 years
    To absolutely leave no trace, the easiest and best way to guarantee you don't is to not have the operating system running at all. If you boot into another OS via a live CD or USB, you can then mount the drive, copy files, and no trace would be left. Any apps you run in the OS while it is running may have a chance of leaving some evidence, even if it's just a "Most Recently Used" entry in the registry or something. Recent Ubuntu and Debian live CDs support NTFS, and that's why I mentioned it. A Windows PE boot disc would work OK as well, but it may update access times on the volume.
  • LawrenceC
    LawrenceC over 10 years
    Furthermore, a live CD runs entirely in RAM and doesn't affect the underlying HD at all by itself. This is assuming the BIOS will let you boot another OS from an external medium.
  • Ramhound
    Ramhound over 10 years
    It's really best to actually answer the question in your answer; linking to your own blog post is fine, but the answer needs to stand by itself.
  • Elliptical view
    Elliptical view over 10 years
    @rh, I'm not sure what you are getting at. People, even well-reputed people, here link to other pages often. I wrote the blog because the answer is not simple, like most blog answers that try to get at the details of a question that does not have a simple answer. If all that is here is full answers, then I think we will dumb down what transpires here. My 2c.
  • Ramhound
    Ramhound over 10 years
    Summarize the blog post. People might link to websites, but the answer stands by itself in case the website no longer works. Until I don't have to read the blog post to understand what your answer is, my downvote remains.