Method for Detecting Remaining Files that Contain Copied Data by Monitoring Clipboard and Directory

This paper focuses on information leaks caused by the human mistake of forgetting to delete copied files from portable storage media. We propose a processing method that obtains relevant logs and detects remaining files in order to determine the remaining files that contain copied data, even if only a part of the data in the file on the portable storage medium has been copied. The proposed processing method for obtaining the relevant logs monitors the state of both clipboard and directory and creates logs. Information recorded in a log includes the type of change that occurred in a directory, the date of the recording, and the name and path of the changed file on a personal computer. The proposed processing method for detecting the remaining files comprises three steps. First, a log entry for the clipboard is searched sequentially, starting at the head of the log file. Next, the entry indicating the path and name of the file containing the copied data is identified. Finally, it is ascertained that files containing copied data remain if an entry indicating the deletion of such files is not found. Various file operations were tested on Microsoft Windows XP and Windows 7. Our experimental results suggest that the copy operation performed on a portion of data was distinguished by using the change logs of the clipboard and the directories. The remaining files that contained copied data were correctly detected.