Where are the USB drives? Don’t let them leave without asking! #USBDrive #DataTheft

Day in and day out, the most likely avenue for a company’s confidential data to be stolen is still the USB thumb drive. Yes, some people still email themselves (sometimes to a “covert” email address like boatman123456789@gmail.com) or throw files to Dropbox, Google Drive or some other cloud storage service (which many businesses use, but fail to properly lock down with permissions). All of that being said, the most often used means is still the simple USB thumb drive, aka USB flash drive or jump drive. It’s discreet, it’s cheap and most observers don’t bat an eye at its use until it’s too late. They are ubiquitous. It’s not uncommon to forensically analyze a computer and find a dozen or more USB drives that have been connected.

So what about those USB drives and the suspect’s computer? What can we find? As just noted, when a USB drive is connected to the computer, an entry is made that records various information associated with that drive. I say various information because not every USB thumb drive conforms to standards. Ideally those details include the drive manufacturer (or vendor), a serial number (if it has one), a last connected date and the last drive letter that was mapped to it. The next line of information left behind involves file activity. Details regarding that file activity might include the file name, its path (drive letter and subdirectory or folder), the serial number and the details associated with this file as it pertains to the USB drive; more specifically, the created date and time, the modified date and time and the accessed date and time. And to be clear, this is cursory information. There are several other ways to scour the computer’s hard drive data to extract more indicators of USB drives and their activity, so please feel free to inquire based on your scenario. Utilizing all of this information we are then able to skillfully piece together a timeline of the last days and weeks of a user’s activity in the computer system.

Which leads us to a simple and obvious question: where are the USB drives? Depending on the matter, the last days and weeks on the computer alone may be all that’s necessary, but many times it’s not. What if there is little activity shown in the cursory history that we can develop? Does that mean that they didn’t take data? Absolutely not, and that’s why I ask: where are the drives? They might have copied the data to a drive six months ago and it’s not been seen since. Again, where are the drives? Were they left behind in the suspect’s desk drawer? Did they turn them in when they resigned? Were they left in a pocket and washed in their most recent load of laundry? Most often the answer to all these questions is, “No… we have no idea where they are.” Essentially, that means we have no idea where these older USB drives that potentially contain our confidential data currently reside!

Additionally, I’d like to mention that much of what we learn about files that reside on a USB drive comes from link files, or shortcuts, that point to the location where the file is actually stored. One of the neat things about shortcuts is that they typically contain particulars of their own creation (which might tell you when the file was initially accessed on a drive), but ideally they also contain data about the file they link to. Meaning you could discover key details (such as a creation date) about the original file on the USB drive alone without having the actual hard drive…yet.

In closing, there’s one more interesting bit of knowledge I’d like to share about USB drives and their use. When we’re able to extract path detail about the USB drive (E:\Documents, for example), we really like to see a file with a deeper path like E:\Documents\Work Files\Project X\Bid.xlsx. When we see that, we immediately check whether it mirrors a similar path native to the hard drive itself, like C:\Users\Bob\Documents\Work Files\Project X\Bid.xlsx. If it does, then we can show there’s a case to be made that the suspect copied the entire folder upstream from the file’s location. This is typical when someone copies their work data. It makes sense! More often than not it’s just easier to copy the entire folder than it is to hunt and peck for specific files to take.
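As an added example (not code from the original post), here is a small Python script that does the two things the preceding paragraphs describe: it reads the target timestamps, size, volume type, volume serial, volume label and local path out of a Windows shortcut (.lnk), and then checks whether the path recorded for the removable drive mirrors a folder chain under the user’s own profile on C:. The parser follows the published MS-SHLLINK layout for the header and the LinkInfo block only (it skips the optional item ID list, network links and string data, and assumes the local path is stored in the cp1252 code page). The sample shortcut, its KINGSTON label, serial, timestamps and the list of local paths are all constructed here for illustration; build_lnk exists only to produce that sample input.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# Constants from the MS-SHLLINK (Shell Link Binary File Format) specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {2: "DRIVE_REMOVABLE", 3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is a count of 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86_400_000_000 + d.seconds * 1_000_000 + d.microseconds) * 10


def read_cstring(data, offset):
    # Assumption: ANSI strings in the shortcut use the cp1252 code page.
    return data[offset:data.index(b"\x00", offset)].decode("cp1252")


def parse_lnk(data):
    """Pull the target's timestamps, size and LinkInfo volume details out of a .lnk blob."""
    header_size, clsid, flags, _attrs, ctime, atime, wtime, size = struct.unpack_from(
        "<I16sIIQQQI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    result = {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": size,
    }
    offset = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the shell item ID list if present
        (idlist_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        info = offset                            # LinkInfo offsets are relative to its start
        _info_size, _hdr_size, info_flags, vol_off, base_off = struct.unpack_from(
            "<IIIII", data, info)
        if info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = info + vol_off
            _vol_size, drive_type, serial, label_off = struct.unpack_from("<IIII", data, vol)
            result["drive_type"] = DRIVE_TYPES.get(drive_type, f"UNKNOWN({drive_type})")
            result["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            result["volume_label"] = read_cstring(data, vol + label_off)
            result["local_base_path"] = read_cstring(data, info + base_off)
    return result


def build_lnk(local_path, label, serial, drive_type, created, accessed, modified, size):
    """Assemble a minimal .lnk (header + LinkInfo); used here only to construct sample input."""
    path_b = local_path.encode("cp1252") + b"\x00"
    label_b = label.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    vol_off = 0x1C                               # LinkInfoHeaderSize without unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(path_b)          # CommonPathSuffix is an empty string here
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + path_b + b"\x00"
    header = struct.pack("<I16sIIQQQIiIH2sII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         datetime_to_filetime(created), datetime_to_filetime(accessed),
                         datetime_to_filetime(modified), size, 0, 1, 0, b"\0\0", 0, 0)
    return header + link_info


def mirrored_local_paths(usb_path, local_paths):
    """Return (local_path, top_folder) pairs whose trailing folders mirror the USB path."""
    tail = PureWindowsPath(usb_path).parts[1:]   # drop the drive letter, keep the folder chain
    hits = []
    for p in local_paths:
        parts = PureWindowsPath(p).parts
        if len(tail) > 1 and parts[-len(tail):] == tail:
            hits.append((p, tail[0]))            # tail[0] is the folder likely copied whole
    return hits


# Constructed sample: a shortcut on the workstation pointing at a file on a removable E: drive.
SAMPLE_LNK = build_lnk(
    r"E:\Documents\Work Files\Project X\Bid.xlsx", "KINGSTON", 0x1A2B3C4D, 2,
    datetime(2014, 3, 2, 9, 15, tzinfo=timezone.utc),
    datetime(2014, 3, 2, 9, 15, tzinfo=timezone.utc),
    datetime(2014, 2, 27, 17, 40, tzinfo=timezone.utc), 48_213)

# Constructed sample of paths recovered from the user's own profile on C:.
LOCAL_PATHS = [
    r"C:\Users\Bob\Documents\Work Files\Project X\Bid.xlsx",
    r"C:\Users\Bob\Documents\Work Files\Project X\Notes.docx",
    r"C:\Users\Bob\Desktop\Bid.xlsx",
]

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LNK)
    for k, v in info.items():
        print(f"{k:>18}: {v}")
    for local, folder in mirrored_local_paths(info["local_base_path"], LOCAL_PATHS):
        print(f"mirrors {local}; consistent with copying the whole '{folder}' folder")
```

Run against the constructed sample, the parser reports a DRIVE_REMOVABLE volume labelled KINGSTON with serial 1A2B-3C4D and the E: path, and the mirror check flags the matching C:\Users\Bob\Documents\... path with Documents as the folder that was most likely copied in one go. On a real case you would feed parse_lnk the bytes of each .lnk recovered from the user’s Recent folder and cross-check the volume serial against the device entries the post describes.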

I’ll stop here and in my next post I will share with you the worthwhile “Making a Thief” story. It will be a great opportunity to go into some frequently asked questions and provide you with answers. Many of these questions have come directly from attorneys, management and executives we have helped.  #USBDrive #DataTheft
