Putting these sources together, we can determine when TeraCopy was used to copy (or move) files, where they came from, where they went, what they were called, and even their MD5 hashes. The databases are all found in the user’s profile folder. As this is a well-defined format, an examiner can readily read it with various SQLite browsing tools. TeraCopy stores its job history in multiple SQLite databases. TeraCopy only keeps, by default, one week of history. Casual live analysis, such as opening TeraCopy on the system, or copying files with it, is therefore risky. We used this to compile an extensive list of documents that were copied to a USB device shortly before the employee quit.Īs TeraCopy keeps historical data for only a short time, it is not difficult to accidentally trigger an automatic purge. For example, it tracks a short-term history of copied files. As with any software, the more it helps, the more it stores. TeraCopy is a common file copying/moving application with a variety of added features. In a recent client investigation, we discovered that a former employee had installed TeraCopy on their company-issued laptop. Unfortunately, it’s not so simple as consulting a Windows “file copy log.” While newer versions of Windows offer some auditing of files and removable storage, these features are not enabled by default. In a data-exfiltration investigation, such as may be necessary after an employee leaves in bad faith, files copied to a USB drive are particularly interesting.
0 kommentar(er)
