TeraCopy: A Forensic Analysis (Part 2)

In part one we went over the details found in the "main.db" file for TeraCopy. Here we will review what the History folder looks like. It can be found here:


Each individual job that was run gets its own History DB file. The naming convention is as previously shown

The DB file contains 15 columns as shown below:

Source - File/Folder name source

Offset - Start index position of the file/folder name from the source folder location

State - The state of the operation per file/folder 
0 - Added
1 - OK
2 - Verified
3 - Error
4 - Skipped
5 - Deleted
6 - Moved

Size - Size of the file in bytes

Attributes - File attributes of the individual source files

IsFolder - Whether the entry is a folder
0 - No
1 - Yes

Creation, Access, Write - The created, accessed, and modified dates of the file/folder in Julian format

SourceCRC - Hash of the file (MD5 by default)

TargetCRC - Verification hash of the target computed after the operation completes (verification is not enabled by default)

TargetName - New name given to the file when a copy/move encounters a duplicate

Message - For displaying errors or target issues

Marked - TBD

Hidden - Added to the operation but removed before/during it ("Right click > Remove selected" from the File List)
0 - No
1 - Yes

One caveat for these logs is that in the interface for TeraCopy you can change the retention to 3 different options:

Never Keep History
Keep History for 1 day
Keep History for 1 week (default)

Though these options are tucked away in a menu, the retention is easily changed by anyone with a bit of technical knowledge.

While TeraCopy might not be widely used, its logs are a huge benefit from a forensic perspective if you happen to stumble upon it in an investigation and have access to them.

UPDATE 12/3/2018: Part 3 is live