In the part one we went over the details found in the "main.db" file for TeraCopy. Here we will review what the History folder looks like. It can be found in here:
C:\Users\<USERNAME>\AppData\Roaming\Teracopy\History
Each individual job that was run will get it's own History DB file. The naming convention as previously shown
The DB file contains 15 columns as shown below:
Source - File/Folder name source
Offset - Start index position of the file/folder name from the source folder location
State - The state of the operation per file/folder
0 - Added
1 - OK
2 - Verified
3 - Error
4 - Skipped
5 - Deleted
6 - Moved
Size - Size of the file in bytes
Attributes - properties of the individual files (source)
IsFolder - self explanatory
0 - No
1 - Yes
Creation, Access, Write - Shows the created, access, and modified dates of the file/folder in Julian format
SourceCRC - Hash of the file (MD5 by default)
TargetCRC - Verification hash post operation completion (not on by default)
TargetName - New name of the file if you copy/move and it is a duplicate
Marked - TBD
Hidden - Added to the operation but removed before/during ("Right click > Remove selected" from File List
0 - No
1 - Yes
One caveat for these logs is that in the interface for TeraCopy you can change the retention to 3 different options:
Never Keep History
Keep History for 1 day
Keep History for 1 week (default)
Though these options are hidden under a menu, it is easily configurable with some technical knowledge.
While TeraCopy might not be widely used, it is a huge benefit from a forensic perspective if you happen to stumble upon it in an investigation and have access to the logs.
UPDATE 12/3/2018: Part 3 is live