
1.1 Fundamentals

Content is coming soon!

Hiding Files in Windows

https://www.youtube.com/watch?v=VcqtWsbSbgU

Track files copied from hard disk to USB

Windows can track files copied from a hard disk to a USB drive, but this requires setting up auditing or using third-party tools. Here’s how you can do it:


1. Enable Audit Policies for File Access

Windows includes auditing features to monitor file operations. Here’s how you can set it up:

Step 1: Enable Object Access Auditing

  1. Open the Local Group Policy Editor:
    • Press Win + R, type gpedit.msc, and press Enter.
  2. Navigate to:
    Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit File System
  3. Enable Success and Failure auditing for the file system.

Step 2: Set Auditing on Specific Folders

  1. Right-click the folder you want to track, and select Properties.
  2. Go to the Security tab and click Advanced.
  3. Switch to the Auditing tab and click Add.
  4. Add the user or group you want to audit and select the file operations to track (e.g., “Read”, “Write”).
  5. Apply the changes.

Step 3: Monitor Event Logs

  • Open the Event Viewer:
    • Press Win + R, type eventvwr.msc, and press Enter.
  • Navigate to:
    Windows Logs > Security
  • Look for Event ID 4663 for file access or 4656 for file handle creation.

2. Use Third-Party Tools

Several tools provide a more user-friendly way to monitor USB file activity:

  • USB Loggers: Tools like USBDeview can log file transfers.
  • Data Loss Prevention (DLP) Software: Enterprise-grade tools like Symantec DLP or McAfee Total Protection can monitor and block unauthorized file transfers.
  • File Activity Monitors: Applications like FolderChangesView or Netwrix Auditor can track and log file operations, including USB transfers.

3. PowerShell or Custom Scripting

You can also write a custom PowerShell script to monitor file copy operations. For example:

  • Use Get-EventLog to analyze file-related audit logs.
  • Monitor USB mount events using the Win32_VolumeChangeEvent class in PowerShell.
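The scripting approach above, as an added example that is not part of the original page: it parses Event ID 4663 records and lists reads of files under an audited folder within a time window after a USB volume arrival. Live collection is shown in a comment with Get-WinEvent, the newer cmdlet for reading the same Security log; the function names, paths, users and sample events are assumptions constructed for illustration.

```powershell
# Added example. Function names, paths, users and events are constructed sample data.
function ConvertFrom-FileAuditEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][xml]$EventXml)
    process {
        # 4663 EventData is a flat list of <Data Name="...">value</Data> elements.
        $d = @{}
        foreach ($n in $EventXml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $mask = [Convert]::ToInt32($d['AccessMask'], 16)
        [pscustomobject]@{
            Time    = ([datetime]$EventXml.Event.System.TimeCreated.SystemTime).ToUniversalTime()
            User    = $d['SubjectUserName']
            File    = $d['ObjectName']
            Process = $d['ProcessName']
            Read    = [bool]($mask -band 0x1)   # ReadData bit of the access mask
        }
    }
}

function Find-ReadsAfterUsbArrival {
    param($Events, [datetime]$UsbArrivalUtc, [string]$AuditedRoot, [int]$WindowMinutes = 10)
    $end = $UsbArrivalUtc.AddMinutes($WindowMinutes)
    $Events | Where-Object {
        $_.Read -and $_.File -and
        $_.File.StartsWith("$AuditedRoot\", [StringComparison]::OrdinalIgnoreCase) -and
        $_.Time -ge $UsbArrivalUtc -and $_.Time -le $end
    } | Sort-Object Time
}

function New-Sample4663($Time, $User, $File, $Proc, $Mask) {   # builds constructed test XML
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>" +
    "<EventID>4663</EventID><TimeCreated SystemTime='$Time'/></System><EventData>" +
    "<Data Name='SubjectUserName'>$User</Data><Data Name='ObjectName'>$File</Data>" +
    "<Data Name='ProcessName'>$Proc</Data><Data Name='AccessMask'>$Mask</Data></EventData></Event>"
}
# Live use (elevated), instead of $sample:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} | ForEach-Object { $_.ToXml() }
$sample = @(
    New-Sample4663 '2024-05-14T09:20:11.0000000Z' 'alice' 'C:\Finance\q1.xlsx'   'C:\Windows\explorer.exe' '0x1'
    New-Sample4663 '2024-05-14T09:31:07.0000000Z' 'alice' 'C:\Finance\q1.xlsx'   'C:\Windows\explorer.exe' '0x1'
    New-Sample4663 '2024-05-14T09:32:40.0000000Z' 'alice' 'C:\Finance\notes.txt' 'C:\Windows\notepad.exe'  '0x2'
    New-Sample4663 '2024-05-14T09:33:02.0000000Z' 'bob'   'C:\Temp\scratch.txt'  'C:\Windows\explorer.exe' '0x1'
)
# In live use this is the time of a Win32_VolumeChangeEvent with EventType 2 (device arrival).
$arrival = [datetime]::new(2024, 5, 14, 9, 30, 0, [DateTimeKind]::Utc)
$parsed  = $sample | ConvertFrom-FileAuditEvent
Find-ReadsAfterUsbArrival -Events $parsed -UsbArrivalUtc $arrival -AuditedRoot 'C:\Finance' |
    Format-Table Time, User, Process, File -AutoSize
```

A read shortly after a volume arrival is a lead rather than proof of a copy: Event ID 4663 records access to the audited source file and does not name a destination.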

4. Enable File History or Shadow Copies

If tracking is needed retrospectively, enabling File History or Volume Shadow Copies can help you see which files were changed, although it doesn’t log USB transfers directly.

