windows

2024-02-15 16:10 | Source: compiled from the web | Views: 265

Update 9-21-2013

If you are still looking into this, or want to go back to it, then you might be interested in listening to the CyberSpeak Podcast to hear about one forensic investigator's/firm's research. I suggest you listen to the whole episode, but if you want to spot-check its relevance then I think that around 22:00/23:00 they say a few points that are relevant to your endeavor.

The tool, called Registry Recon, is a commercial tool and I cannot vouch for it since I have not yet used it myself. Pursue that at your own risk; however, I will point out the bullet-point claim in the release notes.

"[..] Reports USB Storage Devices (see when they were attached over time!) and RecentDocs"

Clarifications Regarding the Original Post

I have left the original post exactly as it was, but would like to say that I never meant to bash any commercial product nor do I intend to promote myself or any third party products I happen to mention.

I do not apologize for my sense of humor, but I do regret the possibility that I offended anyone. Not that it is important what you think of me; rather it is important for me to respect the culture and demeanor of this forum. I do respect the community here and for that reason I apologize.

Thank you again, @Gilles, for your comments.

Original Post

I looked at a commercial offering called "Spector 360" that was talking about this exact scenario. As you might imagine, it required agents to be installed onto each monitored computer. Honestly, I was not happy with the system impact that the agents had on system performance. Enabling auditing/logging also has an impact on system performance. This is to be expected from pretty much any solution that is available to address the scenario you are describing.

Before I came across Spector 360, I knew of a Remote Administration Tool (RAT) that was being used to a small extent by criminals. The company that creates it is legit and was not necessarily responsible for the criminals' actions; my point is that there are a lot of RAT/Spyware/Monitoring applications that will provide the functionality needed to accomplish what you desire. You should expect friction from AV installed on those systems though, no matter how legit the company that authored the application. They are all capable of being used malevolently.

As for forensically looking for evidence... maybe, but that is a long shot. I really wouldn't count on it. There would be artifacts created if the system conditions were right. Those artifacts would also be eroded according to the system conditions, usage, and time since the event.

Are you trying to determine if you have had some files stolen, or are you just wondering? If it is the latter, then you should really turn your attention towards the logging/auditing solutions. If your hand has been forced, you should just kill whomever you suspect of stealing the files before they can distribute/deliver them. Burning their living space and surrounding areas to the ground would give a little more assurance that any stolen data was destroyed.

Of course, my last suggestion is illegal and I am only kidding about actually carrying out such drastic measures. If you think you have had a security breach and want to talk it through with someone, you can contact me and I'll spend some time helping you as much as I can.


