TeraCopy: A Forensic Analysis (Part 1)



TeraCopy is a great file transfer tool that I have been using for years because it was always faster than the Windows built-in copier, allowed for pausing/resuming, and had many other features Microsoft lacked in Win7 (Win10 has added some of those). The other big thing it was helpful with was that TeraCopy would keep all the original date/time stamps of the documents regardless of whether you used copy or move, which was very helpful for keeping the forensic validity intact.

For information on the interface, you can find screenshots and descriptions here.

A recent case took me down the path of seeing if a user had stolen documents after they left the company for a possible competitor. My first instincts were to look at the usual locations: USB history, Recent folder and LNKs, shellbags, and Outlook/webmail. I noticed some activity showing that a USB drive was plugged in a week prior to the user's departure date, as well as some shellbag activity showing folder structure from what that USB had on it.

In my searching I just so happened to stumble upon the DB log file for TeraCopy, so naturally I decided to open it up and see what was inside. I'VE HIT THE MOTHERLODE!

C:\Users\<USERNAME>\AppData\Roaming\Teracopy

This folder contains the "main.db" file which shows a list of TeraCopy jobs that were run. It also has another folder titled History which has separate DB files for each job that was run.

For this post we'll focus on the main.db file. It has 11 columns, which include the name of each job run, the date/time the job was started, the source and target locations for the job, the number of files, and the total size of the files in the job.



State - status of the job
0 - Pending (will also show this when Operation is Test)
1 - TBD; I couldn't replicate it, but I believe it happened when the database file was copied at the same time it was being written to
2 - Completed

Name - name of the job (YYMMDD-HHMMSS naming convention, in UTC)

Started - date/time when the job was started, stored as a Julian date in the computer's local time zone, i.e. offset from UTC by the machine's time zone (never saw that format until now, thanks NASA for the clue!)

Finished - TBD, always been empty

Operation - Type of operation that was performed in the job
1 - Copy
2 - Move
3 - Test (basically a verification check)
6 - Delete (provides a deletion screen with 3 options, all of which lead to the same operation number)

Source - Folder location of the source folder/file (shows "multiple" if more than one file was dragged from different sources)

Target - Destination folder the job wrote to (the Test and Delete operations leave this blank)

Overwrite - TBD, always been empty

Close - TBD, always been empty

Files - The total count of files in the job

Size - The total size of all the files (in bytes) in the job
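As an added example (not code from the post or from TeraCopy), here is a Python reader that applies the field meanings above to main.db rows: it converts the Julian Started value, maps the State and Operation codes, and subtracts the UTC job name from the local Started time to recover the machine's UTC offset at the time of the job. The table name List and the sample row are assumptions constructed for illustration; confirm the real table name before running it against an evidence copy.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Code values as documented in the post; anything else is reported as unknown.
STATE = {0: "Pending", 1: "TBD", 2: "Completed"}
OPERATION = {1: "Copy", 2: "Move", 3: "Test", 6: "Delete"}
UNIX_EPOCH_JD = 2440587.5  # Julian Day of 1970-01-01 00:00:00 UTC
COLUMNS = ("State, Name, Started, Finished, Operation, Source, Target, "
           "Overwrite, Close, Files, Size")

def julian_to_naive(jd):
    """Julian Day -> naive datetime. Started holds local (computer time zone) time,
    so the result is local wall-clock time, not UTC; rounded to whole seconds."""
    return datetime(1970, 1, 1) + timedelta(seconds=round((jd - UNIX_EPOCH_JD) * 86400))

def decode_row(row):
    state, name, started, _fin, op, source, target, _ow, _close, files, size = row
    started_local = julian_to_naive(started)
    # Name is YYMMDD-HHMMSS in UTC while Started is local, so their difference is
    # the machine's UTC offset when the job ran (cross-check it against the configured zone).
    name_utc = datetime.strptime(name, "%y%m%d-%H%M%S")
    offset_min = round((started_local - name_utc).total_seconds() / 60)
    started_utc = (started_local - timedelta(minutes=offset_min)).replace(tzinfo=timezone.utc)
    return {
        "name": name,
        "state": STATE.get(state, f"Unknown ({state})"),
        "operation": OPERATION.get(op, f"Unknown ({op})"),
        "started_local": started_local.isoformat(timespec="seconds"),
        "utc_offset_minutes": offset_min,
        "started_utc": started_utc.isoformat(timespec="seconds"),
        "source": source,
        "target": target or "(blank)",  # Test and Delete jobs leave Target empty
        "files": files,
        "size_bytes": size,
    }

def load_jobs(con, table="List"):
    """Decode every job row. The table name 'List' is an assumption; confirm it
    with `.tables` in the sqlite3 shell before running against a real main.db."""
    return [decode_row(r) for r in con.execute(f"SELECT {COLUMNS} FROM {table}")]

def sample_db():
    """Constructed in-memory stand-in for main.db: one completed Move job named for
    2018-11-15 14:30:12 UTC, with Started stored as local time on a UTC-5 machine."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE List ({COLUMNS})")
    con.execute("INSERT INTO List VALUES (?,?,?,?,?,?,?,?,?,?,?)",
                (2, "181115-143012", 2458437.8959722222, None, 2,
                 r"C:\Users\jdoe\Documents\Projects", "E:\\", None, None, 42, 73400320))
    return con
```

Run `load_jobs(sqlite3.connect(path_to_copy_of_main_db))` against a working copy of the evidence file, never the original.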

Part 2 will look at the History folder and the per-job DBs.

UPDATE 11/23/2018: Part 2 is live

UPDATE 12/3/2018: Part 3 is live