Message - For displaying errors or target issues

TeraCopy is a great file transfer tool that I have been using for years because it was always faster than the Windows built in copier, allowed for pausing/resuming as well as many other features Microsoft lacked in Win7 (Win10 has added some of those). The other big thing that it was helpful with was that TeraCopy would keep all the original date/time stamps of the documents regardless if you used copy or move which was very helpful for keeping the forensic validity intact.

For information on the interface, you can find screenshots and descriptions here.

A recent case took me down the path of seeing if a user had stolen documents after they left the company for a possible competitor. My first instincts were to look at the usual locations: USB history, Recent folder and LNKs, shellbags, and Outlook/webmail. I noticed some activity that a USB drive was plugged in a week prior to the users departure date as well as some shellbag activity showing some folder structuring into what that USB had on it.

In my searchings I just so happened to stumble upon the DB log file for TeraCopy so naturally I decided to open it up and see what was inside. I'VE HIT THE MOTHERLOAD!


This folder contains the "main.db" file which shows a list of TeraCopy jobs that were run. It also has another folder titled History which has separate DB files for each job that was run.

For this post we'll focus on the main.db file. It has 11 columns broken down to include the name of jobs run, the date/time the job was started, the source and target destinations for the jobs, the amount of files and the total size of the files in the job.

State - status of the job
0 - Pending (will also show this when Operation is Test)
1 - TBD, couldn't replicate but happened when copying the database file at the same time it was being written to I believe
2 - Completed

Name - name of the job (YYMMDD-HHMMSS naming convention, in UTC)

Started - date/time when the job was started in Julian format with offset of the computer's timezone (Never saw that format until now, thanks NASA for the clue!)

Finished - TBD, always been empty

Operation - Type of operation that was performed in the job
1 - Copy
2 - Move
3 - Test (basically a verification check)
6 - Delete (provides a deletion screen, with 3 options, all which lead to the same operation number)

I had the pleasure of going to one of my local BSides conferences down in Delaware this weekend. It's my third year going to this specific one and to me the talks keep getting better and better each year. Below are just a few takeaways from the talks I went to. A full list of talks can be found here.

Bryan Inagaki kicked things off with the keynote. He stressed having a good work life balance which is always welcomed from my perspective (TAKE THAT PTO).
[Talk Link]