Tracking Data Theft By Thumb Drive

The theft of electronic information is rampant in today's business world. It can be done by a disgruntled employee, a hacker looking to steal identities, or business partners preparing to leave and start anew. USB devices are a convenient way to transfer files among colleagues, but they are also one of the most common means of data theft. The good news is that these tiny devices leave behind a plethora of digital fingerprints that can lead a forensic investigator to the culprit and his or her stash of stolen data.

The first time a USB storage device is plugged into a Windows computer, the operating system records the event: the date and time the device driver was installed (written to setupapi.dev.log and reflected in the last-write time of the device's Registry key), the device's vendor, product and revision strings and, where the device reports one, its unique serial number. A device that reports no serial number is given a Windows-generated instance ID instead (recognisable by an ampersand as its second character), which identifies that device only on that particular computer. From the user's perspective, after inserting a USB device and waiting for the drivers to install, a box appears at the bottom of the screen announcing that the device is ready for use. That is the computer's Registry hive in action. On later insertions other Registry keys are updated, so the Registry typically preserves the first installation time and the most recent connection time, but not every insertion in between.

Using the USB insertion dates and times obtained from the computer's Registry, the forensic examiner can then compare those dates to the Modified, Accessed, and Created (MAC) dates and times of the files on the computer's hard drive. A caveat applies: copying a file leaves the source file's Modified and Created times unchanged, and NTFS has not updated last-accessed times by default since Windows Vista, so the source file's MAC times alone rarely prove that it was copied. What the comparison reliably shows is which files were created or changed while the device was connected, for example a spreadsheet saved or a ZIP archive assembled minutes before the device was plugged in. If the device itself is recovered, the Created timestamps of the files on it record when the copies were made, and those can be lined up directly against the insertion times.

Another approach to see if files were copied to a USB device is to search for link files (also called shortcut files, with the extension .lnk). Link files are often created without the user's knowledge. They tell the computer where to look for a particular file when it is called for by the user. A desktop shortcut is a link file: the file is not actually there, rather, the shortcut links the icon to the file on the drive. Windows also creates a link file automatically when a user opens a file, including a file on a USB device, and stores it in the user's Recent folder (%APPDATA%\Microsoft\Windows\Recent), with the Registry's RecentDocs key listing the same files. Each link file records the path of the file it points to, the drive letter, the drive type (removable or fixed) and the serial number of the volume the file was on. To tie a particular link file to a particular USB device, the forensic examiner reviews the Registry (the MountedDevices key) to obtain the drive letter assigned to the USB device upon insertion and, where the device is available, compares the volume serial number recorded in the link file to the device's own. If the link file points to a removable E: drive, its creation date falls within the period the USB device was connected and the volume serial number matches, it is very likely that the file in question was opened from, and therefore stored on, that USB device. Drive letters are reused by whichever device is plugged in next, so the serial number match is the stronger of the two.
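The following is an added example, not code from the original article or its authors: a minimal parser for the link-file fields discussed above, written against the public Shell Link (MS-SHLLINK) layout. Because a real .lnk file cannot be embedded in a web page, the example also builds a constructed link file in memory (the target path, volume label, serial number and timestamp are all made up for the demonstration) and then extracts the drive type, volume serial number, volume label, local path and the target's last-write time from it. Real link files from a Recent folder carry the same fields and parse the same way.

```python
import struct
from datetime import datetime, timedelta, timezone

# Values from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x1
HAS_LINK_INFO = 0x2
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x1
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def cstring(data, offset):
    """NUL-terminated ANSI string at offset."""
    end = data.index(b"\0", offset)
    return data[offset:end].decode("cp1252")


def parse_lnk(data):
    """Extract the forensically useful fields from a .lnk file's bytes."""
    hsize, clsid, flags, _attrs, _ctime, _atime, wtime, fsize = \
        struct.unpack_from("<I16sIIQQQI", data, 0)
    if hsize != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C                                   # ShellLinkHeader is fixed at 76 bytes
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList; not needed here
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    result = {"target_write_time": filetime_to_dt(wtime), "target_size": fsize,
              "drive_type": None, "volume_serial": None,
              "volume_label": None, "local_base_path": None}
    if flags & HAS_LINK_INFO:
        li = pos                                 # LinkInfo offsets are relative to its start
        _li_size, _li_hdr, li_flags, vol_off, base_off, _cnrl_off, _suffix_off = \
            struct.unpack_from("<IIIIIII", data, li)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vsize, dtype, serial, label_off = struct.unpack_from("<IIII", data, li + vol_off)
            result["drive_type"] = DRIVE_TYPES.get(dtype, str(dtype))
            # Same formatting the Windows 'vol' command uses, e.g. 1A2B-3C4D.
            result["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            result["volume_label"] = cstring(data, li + vol_off + label_off)
            result["local_base_path"] = cstring(data, li + base_off)
    return result


def build_sample_lnk(target_path, label, serial, drive_type, write_time):
    """Constructed minimal .lnk (header + LinkInfo with VolumeID) for the demo only."""
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         0, 0, dt_to_filetime(write_time), 12345, 0, 1, 0, 0, 0, 0)
    label_b = label.encode("cp1252") + b"\0"
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    base_path_b = target_path.encode("cp1252") + b"\0"
    suffix_b = b"\0"                              # empty CommonPathSuffix
    vol_off = 0x1C                                # LinkInfoHeaderSize without optional offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path_b)
    total = suffix_off + len(suffix_b)
    link_info = struct.pack("<IIIIIII", total, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off)
    return header + link_info + volume_id + base_path_b + suffix_b


def demo():
    # Constructed values: a spreadsheet opened from a removable E: volume.
    lnk = build_sample_lnk(r"E:\Clients\contract_list.xlsx", "KINGSTON", 0x1A2B3C4D, 2,
                           datetime(2023, 5, 12, 14, 3, 7, tzinfo=timezone.utc))
    return parse_lnk(lnk)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18} {v}")
```

To run this against a real shortcut, pass `open(path, "rb").read()` to `parse_lnk`. A drive type of REMOVABLE together with a serial number that matches `vol E:` on the seized device is far stronger evidence than the drive letter on its own.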

One final location for evidence of file copying is the computer's Recycle Bin. Depending on the operating system, the Recycle Bin keeps a record of each file placed in it: Windows XP used a single INFO2 database, while Windows Vista and later create a small $I file for every deleted file alongside the $R file that holds its content. That record includes the deleted file's original name and path, its size, and the date and time when the file was deleted. Matching that information to the insertion times of USB devices can reveal whether a user copied files to a USB device and then deleted them from the computer to cover the tracks.
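The following is an added example, not code from the original article or its authors. It parses a Recycle Bin $I record (the Windows 10 layout, version 2, with the Vista to 8.1 fixed-length layout, version 1, handled as well) and then performs the correlation described in the two sections above: it checks which file events, deletions from the Recycle Bin as well as the Created/Modified times of ordinary files, fall inside a window after a USB insertion. The $I record, the USB insertion times and the file timestamps are all constructed for the demonstration; in practice the insertion times come from the Registry and setupapi.dev.log and the file timestamps from the file system.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def parse_recycle_i(data):
    """Parse a $I<random> record from $Recycle.Bin\<SID>\ (Vista and later)."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                       # Vista to 8.1: 260 UTF-16 chars, fixed 520 bytes
        path = data[24:24 + 520].decode("utf-16-le").split("\0", 1)[0]
    elif version == 2:                     # Windows 10 and later: length-prefixed path
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + 2 * nchars].decode("utf-16-le").rstrip("\0")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"original_path": path, "size": size, "deleted_at": filetime_to_dt(ft)}


def build_sample_i(path, size, deleted_at):
    """Constructed version-2 $I record for the demo only."""
    encoded = (path + "\0").encode("utf-16-le")
    return struct.pack("<QQQI", 2, size, dt_to_filetime(deleted_at), len(path) + 1) + encoded


def events_near_insertions(insertions, events, window=timedelta(minutes=30)):
    """Pair each file event with any USB insertion it followed within `window`."""
    hits = []
    for ev in events:
        for ins in insertions:
            if ins["time"] <= ev["time"] <= ins["time"] + window:
                hits.append((ev["what"], ev["path"], ins["device"]))
    return hits


def demo():
    # Constructed stand-in for Registry/setupapi.dev.log data: one device, one connection.
    insertions = [{"device": "Kingston DataTraveler 3.0, serial 0019E06B0F4B",
                   "time": datetime(2023, 5, 12, 13, 55, tzinfo=timezone.utc)}]

    # Constructed $I record: the user deleted the file 15 minutes after plugging in the drive.
    i_record = parse_recycle_i(build_sample_i(r"C:\Users\jdoe\Documents\contract_list.xlsx",
                                              48213,
                                              datetime(2023, 5, 12, 14, 10, tzinfo=timezone.utc)))

    # Constructed file-system timestamps (MAC data from the hard drive).
    events = [
        {"what": "deleted", "path": i_record["original_path"], "time": i_record["deleted_at"]},
        {"what": "created", "path": r"C:\Users\jdoe\Desktop\clients.zip",
         "time": datetime(2023, 5, 12, 14, 5, tzinfo=timezone.utc)},
        {"what": "modified", "path": r"C:\Users\jdoe\Documents\budget.docx",
         "time": datetime(2023, 5, 12, 9, 0, tzinfo=timezone.utc)},   # hours earlier: no hit
    ]
    return i_record, events_near_insertions(insertions, events)


if __name__ == "__main__":
    record, hits = demo()
    print("Recycle Bin record:", record)
    for what, path, device in hits:
        print(f"{what:9} {path}  <-- within 30 min of inserting {device}")
```

The window is a tuning knob rather than a rule: a short window flags only activity immediately after insertion, while a longer one (or a window bounded by the device's last-removal time, where the Registry provides it) catches a slower copy-then-delete sequence. Each hit is a lead to be confirmed against the other artifacts, not proof on its own.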

Most users are not aware of the forensic artifacts left behind on a computer when such activities occur. Through the use of proper data preservation protocols (imaging the computer before anything on it is changed) and current forensic software, a forensic investigator can help victims of data theft pinpoint the stolen information, the means used to pilfer it, and, at times, who took it.

To learn more about how you might benefit from these services, please do not hesitate to contact us at (609) 689-9700.