Forensics: How do you detect data theft Part 1

With data theft occurring frequently, and corporate clients needing to prove that data was stolen, it is critical that any forensics investigator worth their salt (and their salary) is able to undertake at least a rudimentary investigation into data theft.

When approaching a data theft investigation different areas need to be looked at, including:

  • Personal Email
  • Corporate Email
  • USB activity
  • Instant messaging
  • DVD burning
  • Hard drives being added
  • FTP access

These areas will be covered during the course of this series; the first area to be covered is USB activity.


When a USB drive is first connected to a computer, drivers need to be installed for it to work correctly and the device has to be registered with the computer. Fortunately there is a log of this activity: it is stored in the SETUPAPI.LOG.

The SETUPAPI.LOG keeps a record of a variety of hardware changes made to a computer, including the first time a USB drive was connected to it. It records information about the drivers used, the make and model of the USB drive and the PID from the USB chip, which is almost unique and can be used to trace a USB drive. The file itself is a plain text log file, and so can be copied out and then keyword searched. However, due to the volume of information involved, this is not an effective method.

A freely available tool to resolve this issue is SAEX, produced by a senior forensic investigator (with both law enforcement and corporate experience). This tool is able to take a SETUPAPI.LOG file and convert it to a spreadsheet, to allow filtering. This way activity, such as USB connections, can easily be determined [the file needs to be copied out from the image first, e.g. using EnCase or FTK, and then SAEX can be pointed at the file].

During investigations it should be remembered that the SETUPAPI.LOG file is a system level file: it does not record what a particular user did, but rather what happened to the system. Other information, such as logon logs, needs to be used to show that a particular user was logged in at a given time.

It should be noted that this log file only records when a USB device was first connected, NOT the last time it was connected (unless they are one and the same).

This can be a very important date during a forensic investigation. If, for example, an individual has been accused of data theft and on their last day of employment a series of new USB thumb drives can be seen being connected to the computer, red flags need to be raised. Equally, if the individual accused has been connecting USB drives throughout their entire employment, this may show that it is accepted within the company that people use thumb drives. Neither scenario proves or disproves guilt, but it can help build a picture of activity.
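As an added illustration of what a SETUPAPI.LOG parser such as SAEX has to do (this is example code written for this article, not SAEX itself, and the log lines below are constructed in the Windows XP layout, not taken from a real case), the following pulls the first-install timestamp, vendor, product, serial and VID/PID of each USB storage device out of the log, and flags devices that reported no serial number:

```python
import re

# Constructed sample in the Windows XP SETUPAPI.LOG layout (not a real log):
# a "[date time pid.tid Driver Install]" header opens each block and the
# "#I123" line inside it names the device instance being installed.
SAMPLE_LOG = r"""
[2009/02/13 17:42:03 1080.12 Driver Install]
#I123 Doing full install of "USB\VID_0781&PID_5406\0000161DB4B03E5B".
[2009/02/13 17:42:05 1080.12 Driver Install]
#I123 Doing full install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_8.02\0000161DB4B03E5B&0".
[2009/02/13 17:42:09 1080.12 Driver Install]
#I123 Doing full install of "PCI\VEN_8086&DEV_27C8&SUBSYS_01AD1028&REV_01\3&11583659&0&E8".
[2009/02/20 09:01:44 1080.12 Driver Install]
#I123 Doing full install of "USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\7&2F1C9A4E&0&0".
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ Driver Install\]")
USB_RE = re.compile(r'"USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\([^"\\]+)"', re.I)
USBSTOR_RE = re.compile(
    r'"USBSTOR\\DISK&VEN_([^&]*)&PROD_([^&]*)&REV_[^\\]*\\([^"\\]+)"', re.I)

def first_usb_installs(log_text):
    """Return one record per USB storage device, ordered by first install."""
    vid_pid = {}    # serial -> (VID, PID) taken from the USB\VID_..&PID_.. block
    devices = {}    # serial -> record taken from the USBSTOR block
    timestamp = None
    for line in log_text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            timestamp = head.group(1)       # applies to the lines that follow it
            continue
        usb = USB_RE.search(line)
        if usb:
            vid_pid.setdefault(usb.group(3).upper(), (usb.group(1), usb.group(2)))
        stor = USBSTOR_RE.search(line)
        if stor and timestamp:
            serial = stor.group(3).rsplit("&", 1)[0]   # drop the trailing "&<LUN>"
            # The log records driver installation, i.e. the FIRST connection, so keep the earliest block per serial.
            devices.setdefault(serial, {
                "first_seen": timestamp,
                "vendor": stor.group(1),
                "product": stor.group(2).replace("_", " ").strip(),
                "serial": serial,
                # Windows makes up an ID with '&' as its second character when the
                # device reports no serial number; such a device cannot be traced.
                "has_serial": serial[1:2] != "&",
                "vid_pid": vid_pid.get(serial.upper()),
            })
    return sorted(devices.values(), key=lambda d: d["first_seen"])
```

Run against a log copied out of the image, the records can be written to a spreadsheet for filtering; the "has_serial" flag shows which drives can actually be traced.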

The Registry

The registry, as all forensic investigators will know, is a fantastic source of information, though very complex. This article is not suitable for a highly detailed discussion of the registry. It is enough to know, at this point, that the ENUM\USB entry in the SYSTEM registry hive stores the last time the USB drive was connected. There can be problems with this registry date: if, for example, the computer was not turned off for several days and the USB drive was reconnected several times, or the computer was booted with the drive in, an older date may be provided than the last time the USB drive was actually plugged in.

A more detailed article on these registry dates, and on which drive letter has been assigned to a given USB drive, will follow later.


6 Responses to “Forensics: How do you detect data theft Part 1”

  1. Forensics: Examing USB Drives « Data – Where is it? Says:

    […] If the USB Serial Numbers/PID are not available it may not be possible to prove a sequence of events, this is particularly important for data theft investigations. […]

  2. Jaime Says:

    It would also be beneficial to check for connection to network shares by running the Case Processor Enscript.

  3. Security Ripcord » Blog Archive » Syscombotln and Tools Update Says:

    […] if you experience cases where it does not).  An added benefit of parsing this log file is that external USB storage device installation information will also be added to your timelines.  And if there are anti-forensic efforts recommending […]

  4. Says:

    Is there any way to prove someone printed confidential documents from their hard drive to a private printer?

    • 585 Says:

      Good question; a lot depends on the computer and the document. You can sometimes tell if a document has been printed.

      Assuming it's a Windows based machine and an Office document, areas to check are:

      Printed date/time within the document (Office documents store that information in their own metadata)

      Look for the printers associated with that computer – i.e. is PrinterA associated with ComputerA

      Look for the shadow copy that is sometimes left on the hard drive (basically an EMF file)

      Look for access to the file by that user – i.e. to print it they must have had access, that alone may not help but it may help start building a picture

  5. SonicBass Says:

    Great stuff, I didn't know about the log file, only the reg keys
