Day in and day out, the most likely avenue for a company’s confidential data to be stolen is still the humble USB thumb drive.
Sure, some people still email themselves files, sometimes to cleverly disguised “covert” addresses like “boatman123456789@gmail.com”. Others upload to Dropbox, Google Drive, or another cloud service (which many businesses use but fail to properly secure with permissions).
But despite all the new online options, the simple USB thumb drive (aka flash drive or jump drive) remains the most common tool. It’s discreet, dirt cheap, and so ordinary that nobody gives one a second look, until it’s too late.
In fact, it’s not uncommon for us to forensically analyze a computer and find records of a dozen (or more) different USB drives having been connected.
So what about those USB drives and the suspect’s computer?
When a USB drive is plugged into a computer, Windows typically logs various details:
- Drive manufacturer or vendor name
- Serial number (though not all drives have one)
- Last connected date
- Last drive letter assigned
Then there’s file activity. This might include:
- The file name
- Its path on the drive such as “E:\Documents\Work Files\Project X\bid.xlsx”
- The USB drive’s serial number
- Timestamps: created, modified, and last accessed dates
And that’s just the start. There are many deeper places on the computer we can scour for USB activity. All of this lets us build a timeline of the user’s last days and weeks on the machine.
But that leads to the obvious question:
Where are the drives?
Finding that timeline on the computer is incredibly useful. But what if there’s very little recent USB activity? Does that mean nothing was taken?
Absolutely not.
They might have copied your confidential data to a USB drive six months ago, and the drive hasn’t been plugged in since. So… where is that drive now?
- Was it left behind in the suspect’s desk?
- Turned in when they resigned?
- Sitting forgotten in a laundry pocket (and maybe washed by accident)?
Most often the answer is:
“No… we have no idea where it is.”
Which means you have no idea where your data could now reside.
One more thing about link files (shortcuts)
Much of what we learn about files on USB drives actually comes from link files left on the user’s machine.
Shortcuts often hold two key types of data:
- When they themselves were created (which can tell you when the USB file was first accessed on that computer).
- Metadata about the target file on the USB drive, such as its original creation date.
So even without the USB drive in hand (yet), we can still learn quite a bit.
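To make the two kinds of shortcut data concrete, here is a small parser for the parts of a Windows .lnk file that matter in a USB investigation. It follows the structure layout Microsoft documents in MS-SHLLINK: the target file’s created/accessed/written timestamps and size live in the ShellLinkHeader, and the volume type, volume serial number, label and target path live in the LinkInfo block. This is an added example, not code from Swailes; the sample shortcut it builds (the path, label, serial number and dates) is constructed data. Note that the shortcut’s own creation date is a filesystem attribute of the .lnk file and is not stored inside it, so in practice you pair this parser’s output with the file’s own timestamps from the disk image.

```python
"""Minimal parser for the parts of a Windows shortcut (.lnk) that matter in a
USB investigation, following the layout in Microsoft's MS-SHLLINK spec:
the target's timestamps and size from the ShellLinkHeader, and the volume
type, volume serial number, label and target path from the LinkInfo block.
build_sample_lnk() fabricates a shortcut for the demo; it is constructed data."""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01          # LinkFlags bits
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01    # LinkInfoFlags bit
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    return None if ft == 0 else _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    td = dt - _FILETIME_EPOCH          # integer arithmetic keeps the round trip exact
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def _cstring(data, off, utf16=False):
    """Read a NUL-terminated string starting at offset off."""
    if utf16:
        end = off
        while data[end:end + 2] != b"\x00\x00":
            end += 2
        return data[off:end].decode("utf-16-le")
    return data[off:data.index(b"\x00", off)].decode("cp1252")


def parse_lnk(data):
    hdr_size, clsid, flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    info = {"target_created": filetime_to_datetime(ctime),
            "target_accessed": filetime_to_datetime(atime),
            "target_written": filetime_to_datetime(wtime),
            "target_size": size, "drive_type": None, "drive_serial": None,
            "volume_label": None, "target_path": None}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip the shell item ID list (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li = pos                             # all LinkInfo offsets are relative to its start
        _li_size, _li_hdr, li_flags, vol_off, base_off, _net_off, suffix_off = struct.unpack_from("<7I", data, li)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = li + vol_off
            _vol_size, drive_type, serial, label_off = struct.unpack_from("<4I", data, vol)
            if label_off == 0x14:            # label stored as UTF-16 at VolumeLabelOffsetUnicode
                label = _cstring(data, vol + struct.unpack_from("<I", data, vol + 0x10)[0], utf16=True)
            else:
                label = _cstring(data, vol + label_off)
            info.update(drive_type=DRIVE_TYPES.get(drive_type, str(drive_type)),
                        drive_serial=f"{serial:08X}", volume_label=label,
                        target_path=_cstring(data, li + base_off) + _cstring(data, li + suffix_off))
    return info


def build_sample_lnk(target_path, volume_label, drive_serial, created, written, size):
    """Constructed sample: the smallest shortcut with a LinkInfo/VolumeID block
    pointing at a file on a removable (DriveType 2) volume."""
    base = target_path.encode("cp1252") + b"\x00"
    label = volume_label.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 16 + len(label), 2, drive_serial, 16) + label
    vol_off = 0x1C                                   # LinkInfo header is 28 bytes
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)                # empty CommonPathSuffix follows the path
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + b"\x00"
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(written),
                         datetime_to_filetime(written), size, 0, 1, 0, 0, 0, 0)
    return header + link_info


SAMPLE_TARGET = r"E:\Documents\Work Files\Project X\bid.xlsx"   # constructed, not case data


def demo():
    blob = build_sample_lnk(SAMPLE_TARGET, "USBDRIVE", 0x1A2B3C4D,
                            created=datetime(2024, 3, 15, 9, 30, tzinfo=timezone.utc),
                            written=datetime(2024, 3, 18, 17, 5, tzinfo=timezone.utc), size=48127)
    return parse_lnk(blob)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} {value}")
```

Run it as-is to see the fields recovered from the constructed shortcut; point parse_lnk at the bytes of a real .lnk (for example from a user’s Recent folder in a disk image) to pull the same fields from evidence. The volume serial number is the value to cross-reference against the Windows records of previously connected drives.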
And about those folder paths…
One of our favorite tells is when we find a deep path structure on the USB side, like:
E:\Documents\Work Files\Project X\Bod.xlsx
Then we look to see if there’s a matching path on the local machine, such as:
C:\Users\Bob\Documents\Work Files\Project X\Bod.xlsx
When these paths align, it strongly suggests the suspect copied not just a single file, but an entire folder tree. And that makes sense: it’s usually far easier to drag and drop a whole folder than to cherry-pick individual files.
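The path comparison described above can be automated once you have a list of targets recovered from shortcuts and a listing of the local profile. The example below, added here and not Swailes’ own tooling, strips the drive letter and the C:\Users\<name> prefix so the USB-side and local-side paths compare on the same tail, then flags any USB folder in which every file has a local counterpart as a likely whole-folder copy. The two path lists are constructed sample data, and the “every file matched, at least two files” rule is an assumed heuristic, not a fixed standard.

```python
"""Line up paths recovered from USB-side shortcuts against files found in the
local user profile, to flag folder trees that look like they were copied whole.
The path lists below are constructed sample data, not case evidence."""
from collections import defaultdict
from pathlib import PureWindowsPath


def relative_to_root(path):
    """Strip the drive letter and, for C:\\Users\\<name>\\..., the profile prefix,
    so the USB copy and the local original compare on the same tail."""
    parts = PureWindowsPath(path).parts[1:]          # parts[0] is the anchor, e.g. 'E:\\'
    if len(parts) >= 2 and parts[0].lower() == "users":
        parts = parts[2:]
    return tuple(p.lower() for p in parts)           # NTFS paths are case-insensitive


def match_folder_trees(usb_paths, local_paths, min_files=2):
    """Return (file matches, folders whose every USB file also exists locally).
    The whole-folder call is a heuristic (assumed here): min_files or more files
    in one USB folder, all with a local counterpart under the same relative path."""
    local_index = {relative_to_root(p): p for p in local_paths}
    matches = []
    per_folder = defaultdict(lambda: {"display": None, "total": 0, "matched": 0})
    for usb in usb_paths:
        rel = relative_to_root(usb)
        entry = per_folder[rel[:-1]]
        entry["display"] = entry["display"] or str(PureWindowsPath(usb).parent)
        entry["total"] += 1
        if rel in local_index:
            matches.append((usb, local_index[rel]))
            entry["matched"] += 1
    whole = [e["display"] for e in per_folder.values()
             if e["total"] >= min_files and e["matched"] == e["total"]]
    return matches, whole


# Constructed sample: targets seen in .lnk files vs a listing of the local profile.
USB_TARGETS = [
    r"E:\Documents\Work Files\Project X\bid.xlsx",
    r"E:\Documents\Work Files\Project X\budget.xlsx",
    r"E:\Documents\Work Files\Project X\notes.docx",
    r"E:\Personal\resume.docx",
]
LOCAL_FILES = [
    r"C:\Users\Bob\Documents\Work Files\Project X\bid.xlsx",
    r"C:\Users\Bob\Documents\Work Files\Project X\Budget.xlsx",
    r"C:\Users\Bob\Documents\Work Files\Project X\notes.docx",
    r"C:\Users\Bob\Documents\Work Files\Project Y\plan.docx",
]

if __name__ == "__main__":
    found, folders = match_folder_trees(USB_TARGETS, LOCAL_FILES)
    for usb, local in found:
        print(f"{usb}  <->  {local}")
    print("likely whole-folder copies:", folders)
```

On the sample data the three Project X files match (note the case difference on Budget.xlsx is ignored, as NTFS would) and that folder is reported as a likely whole-folder copy, while the lone personal file on the USB side is not. In a real case the local listing would come from the disk image and the USB list from the parsed shortcuts, and a reported folder is a lead to corroborate with timestamps, not a conclusion on its own.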
This is why we ask the simple question:
“Where are the USB drives?”
Because they’re still the number one way data walks out the door, often unnoticed. #USBDrive #DataTheft
About Swailes Computer Forensics
Swailes Computer Forensics provides expert digital forensic services to law firms, corporations, and organizations nationwide. Our work includes investigations into intellectual property theft, employee misconduct, data breaches, and more. With decades of experience and a commitment to integrity and clarity, we help clients uncover critical evidence and take informed action.
If you’re facing a potential case of employee data theft or have concerns about unauthorized activity, contact us for a confidential consultation.