Robocopy in e-Discovery

By Arman Gungor | March 5, 2012 | Software

Most legal professionals regularly handle electronic evidence in one form or another. Even if you are not an e-Discovery or computer forensics expert, there are steps you can take to make sure you are not spoliating electronic evidence.

Most of us are aware that opening a file usually changes its metadata and, in some cases, its contents. Less well known is that simply copying a file from one folder to another in Windows Explorer causes the following changes:

  • The file system last accessed date of the source file is updated to the present date/time. On Windows Vista and later this happens only if last-access updates are enabled; they are turned off by default (the NtfsDisableLastAccessUpdate registry value), so on those systems the access date is often already stale and should not be over-interpreted.
  • The copy (destination file) receives the present date/time as its file system creation and last accessed dates, while its last modified date is carried over from the source. This is why a copied file can show a creation date that is later than its modification date.

File system date/time values are valuable information that can be captured during e-Discovery processing or a forensic examination and can be used to shed light on, among other things, when a document was created, accessed and modified. You can help preserve this information by using Robocopy to copy files instead of Windows Explorer. Note that Robocopy still has to read the source, so on a system that maintains last-access dates the source's access date is touched by Robocopy as well; where the integrity of the originals matters, collect from a write-blocked drive or a forensic image, and hash the files on both sides after the copy.

Robust File Copy (Robocopy) is a free command-line replication tool from Microsoft. It has shipped with Windows since Windows Vista and is available as a separate download (in the respective Resource Kits) for earlier versions such as Windows Server 2003 and Windows XP. Even though it accepts a large number of parameters and can look intimidating at first, it only takes a few minutes to get the hang of it and work out which parameters suit your purposes best.

Versions of Robocopy

Version   Year   Source
1.7       1997   Windows NT Resource Kit
1.71      1997   Windows NT Resource Kit
1.95      1999   Windows 2000 Resource Kit
1.96      1999   Windows 2000 Resource Kit
XP010     2003   Windows Server 2003 Resource Kit
XP026     2005   Distributed with Robocopy GUI v.3.1.2
XP027     2008   Bundled with Windows Vista, Server 2008 and later
6.1       2009   Bundled with Windows 7

Using Robocopy version XP026 or higher is recommended as some of the options that we will refer to here were not available before that version. Robocopy XP026 can be downloaded as part of Robocopy GUI v.3.1.2.

Robocopy Usage

Syntax

The basic Robocopy syntax is as follows:

robocopy <Source> <Destination> [<File>[ ...]] [<Options>]

  Source        The source directory path
  Destination   The destination directory path
  File          Files or file types to be copied (e.g. "*.txt" to copy files with the ".txt" extension). Defaults to "*.*" if not specified.
  Options       Options to be used during the copy operation.

Notable Options

  /copy:DAT                  Copy the file Data, Attributes and Time stamps. Depending on the scenario, Robocopy can also copy the NTFS access control list (S), owner information (O) and auditing information (U): /copy:DATSOU. S, O and U are only meaningful on an NTFS destination.
  /dcopy:T                   Copy directory time stamps
  /e                         Copy subfolders, including empty ones
  /r:3                       Retry a failed copy 3 times (the default is 1,000,000 retries, which can stall a job on a single locked file)
  /w:2                       Wait 2 seconds between retry attempts (the default is 30 seconds)
  /xj                        Exclude junction points (see the section below)
  /ndl                       Do not log directory names
  /np                        Do not display or log percentage-copied progress
  /tee                       Write status output to the console window in addition to the log file
  /ts                        Include the source file's time stamp (its last modified date/time) in the log
  /unilog+:[log file path]   Write the log in Unicode, appending to an existing log file. Prefer this to /log+ whenever folder or file names may contain non-ANSI characters, which an ANSI log may render as "?"
  /maxage:n                  Exclude files whose last modified date is older than n. n is a number of days when it is less than 1900, otherwise a date in yyyymmdd form
  /minage:n                  Exclude files whose last modified date is newer than n (same forms as /maxage)
  /mt:N                      Multi-threaded copy using N (1-128) threads; the default is 8. Available on Windows 7 and Windows Server 2008 R2 and later, and incompatible with the /ipg and /efsraw options

The "/ndl" and "/np" switches control how the log file is formatted: with no directory lines and no progress percentages, every remaining entry is a single file with its full source path. This listing can be fed into other scripts or software for further processing, such as generating MD5 hash values for the collected files.

For a full list of options and more detailed information, visit http://technet.microsoft.com/en-us/library/cc733145%28v=ws.10%29.aspx

Sample log file

-----------------------------------------------------------------------------
 ROBOCOPY     ::     Robust File Copy for Windows     ::     Version XP026
-----------------------------------------------------------------------------

Started : Mon Mar 05 14:39:25 2012

 Source : D:\MySourceFiles\
   Dest : E:\MyDestination\

  Files : *.*
   
Options : *.* /TS /NDL /TEE /S /E /COPY:DAT /DCOPY:T /NP /R:3 /W:2 

----------------------------------------------------------------------------

   New File  		      19 2012/03/05 20:44:40	D:\MySourceFiles\File1.txt
   New File  		      21 2012/03/05 20:44:43	D:\MySourceFiles\File2_日本語.txt
   New File  		       7 2012/03/05 20:44:34	D:\MySourceFiles\Folder1\File3.txt

----------------------------------------------------------------------------

              Total    Copied   Skipped  Mismatch    FAILED    Extras
   Dirs :         2         1         1         0         0         0
  Files :         3         3         0         0         0         0
  Bytes :        47        47         0         0         0         0
  Times :   0:00:00   0:00:00                       0:00:00   0:00:00

  Ended : Mon Mar 05 14:39:25 2012
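As an added example that is not part of the original post or of Robocopy, the following Python script parses a log written with /ts /ndl /np into records and rebases each logged source path onto the destination root, which is the step needed before hashing both copies. It assumes the column layout of the sample log above; the embedded sample is constructed from that log, with spaces in place of the tab characters Robocopy emits.

```python
"""Parse the file listing Robocopy writes with /ts /ndl /np and rebase each
logged source path onto the destination root. Added example; not part of the
original post or of Robocopy itself."""
import ntpath
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# A file line under /ts /ndl /np: status column, size, source timestamp, full path.
# Without /bytes Robocopy abbreviates large sizes (e.g. "12.3 m"); those are kept as None.
FILE_LINE = re.compile(
    r"^\s*(?P<status>\*?[A-Za-z][A-Za-z ]*?)\s+"
    r"(?P<size>\d[\d.]*(?: ?[kmg])?)\s+"
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>\S.*?)\s*$"
)
HEADER = re.compile(r"^\s*(?P<key>Source|Dest) : (?P<value>.*?)\s*$")


@dataclass
class CopiedFile:
    status: str           # "New File", "Newer", "Older", "*EXTRA File", ...
    size: Optional[int]   # exact byte count, or None when Robocopy abbreviated it
    modified: datetime    # the source file's last-modified time as logged by /ts
    path: str             # full source path as logged


def parse_log(text: str) -> Tuple[Optional[str], Optional[str], List[CopiedFile]]:
    """Return (source root, destination root, file records) from Robocopy log text.
    Banner, option echo and summary lines match neither pattern and are skipped."""
    source = dest = None
    files: List[CopiedFile] = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            if h["key"] == "Source":
                source = h["value"]
            else:
                dest = h["value"]
            continue
        m = FILE_LINE.match(line)
        if m:
            size = int(m["size"]) if m["size"].isdigit() else None
            files.append(CopiedFile(m["status"].strip(), size,
                                    datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                                    m["path"]))
    return source, dest, files


def destination_path(record: CopiedFile, source_root: str, dest_root: str) -> str:
    """Rebase a logged source path onto the destination root. NTFS paths are
    case-insensitive, so the prefix check is too; ntpath keeps the mapping
    correct for Windows paths even when this runs on another platform."""
    root = source_root if source_root.endswith("\\") else source_root + "\\"
    if not record.path.lower().startswith(root.lower()):
        raise ValueError(f"{record.path!r} is not under {source_root!r}")
    return ntpath.join(dest_root, record.path[len(root):])


# Constructed sample in the layout of the log shown above (spaces stand in for
# the tab characters Robocopy emits; the parser accepts either).
SAMPLE_LOG = r"""
 Source : D:\MySourceFiles\
   Dest : E:\MyDestination\

  Files : *.*

Options : *.* /TS /NDL /TEE /S /E /COPY:DAT /DCOPY:T /NP /R:3 /W:2

   New File               19 2012/03/05 20:44:40    D:\MySourceFiles\File1.txt
   New File               21 2012/03/05 20:44:43    D:\MySourceFiles\File2_日本語.txt
   New File                7 2012/03/05 20:44:34    D:\MySourceFiles\Folder1\File3.txt

   Files :         3         3         0         0         0         0
"""

if __name__ == "__main__":
    src_root, dst_root, records = parse_log(SAMPLE_LOG)
    for rec in records:
        print(rec.modified, rec.size, rec.path, "->", destination_path(rec, src_root, dst_root))
```

The Unicode file name in the sample is exactly the case that makes /unilog+ preferable to /log+: an ANSI log would not round-trip it, and a hashing pass driven by the log would then fail to open the file.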

Examples

The following command copies all files and folders from "D:\MySourceFiles" to "E:\MyDestination" and appends a copy log at "E:\CopyLogs\MyCopyLog.log". Robocopy does not create the log folder, so "E:\CopyLogs" must already exist.

robocopy "D:\MySourceFiles" "E:\MyDestination" /copy:DAT /dcopy:T /e /r:3 /w:2 /ndl /np /tee /ts /unilog+:"E:\CopyLogs\MyCopyLog.log"

The following command copies only the files with ".txt", ".jpg" and ".tif" extensions:

robocopy "D:\MySourceFiles" "E:\MyDestination" *.txt *.jpg *.tif /copy:DAT /dcopy:T /e /r:3 /w:2 /ndl /np /tee /ts /unilog+:"E:\CopyLogs\MyCopyLog.log"

The following command copies only the files with ".txt", ".jpg" and ".tif" extensions whose last modified dates fall within the 02/01/2010 - 04/30/2010 range (not inclusive): /maxage:20100201 drops files last modified before 02/01/2010 and /minage:20100430 drops files last modified after 04/30/2010.

robocopy "D:\MySourceFiles" "E:\MyDestination" *.txt *.jpg *.tif /copy:DAT /dcopy:T /maxage:20100201 /minage:20100430 /e /r:3 /w:2 /ndl /np /tee /ts /unilog+:"E:\CopyLogs\MyCopyLog.log"

Windows Vista, Windows 7 and NTFS Junction Points

NTFS junction points are reparse points that make one directory appear at a second path. They behave much like a symbolic link to that directory and act as an alias of it, so a recursive copy that follows them copies the target directory's contents a second time.

Starting with Windows Vista, Microsoft changed where certain critical folders are stored on the hard drive. For backward compatibility, the old folder names were retained as junction points. For example, "C:\Documents and Settings" is not a real folder on a Windows Vista system; it is a junction that points to the actual "C:\Users" folder.

In certain instances a junction point points back to one of its own ancestors. For example, the compatibility junction "C:\Users\<user>\AppData\Local\Application Data" resolves to "C:\Users\<user>\AppData\Local", which contains the junction itself, so a copy that follows it keeps descending until Windows rejects the ever-longer path. To prevent this, use the "/xj" switch so that Robocopy does not traverse NTFS junction points.

The following command copies all files and folders from the C: drive of a Windows 7 system to "E:\MyDestination" and appends a copy log at "E:\CopyLogs\MyCopyLog.log". The source is written as C:\ without quotes: "C:" on its own means the current directory on drive C rather than its root, and a quoted "C:\" is misparsed because the trailing backslash escapes the closing quote. Run it from an elevated (Administrator) command prompt; files that are locked by the running system, such as the page file and the live registry hives, will still fail and appear in the FAILED column of the summary, and /r:3 /w:2 keep those failures from stalling the job.

robocopy C:\ "E:\MyDestination" /copy:DAT /dcopy:T /e /r:3 /w:2 /ndl /np /tee /ts /xj /unilog+:"E:\CopyLogs\MyCopyLog.log"
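A copy made for evidentiary purposes should be verified rather than trusted. The following Python check is an added example, not part of the original post or of Robocopy: it walks the source tree, confirms that each file exists under the destination with the same size, the same SHA-256 hash and a preserved last-modified time, and reports anything that differs. The demo() fixture is constructed (temporary files dated 2010-02-01); shutil.copy2 stands in for a timestamp-preserving /copy:DAT copy and shutil.copyfile for a copy that loses timestamps.

```python
"""Post-copy verification for a collection: every file under the source tree
must exist under the destination with the same content and a preserved
last-modified time. Added example; not part of the original post or Robocopy."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (path relative to the source root, problem)


def sha256_of(path: str) -> str:
    """Hash in 1 MiB chunks so large evidence items never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copy(src_root: str, dst_root: str, mtime_tolerance: float = 2.0,
                check_creation: bool = False) -> List[Finding]:
    """Compare each file under src_root with its counterpart under dst_root.

    Links are not followed (the counterpart of /xj). The 2-second default
    tolerance accommodates FAT volumes, whose timestamps have 2-second
    resolution (the assumption behind Robocopy's /fft). check_creation
    additionally compares creation times; it is honoured only on Windows,
    where os.stat reports the creation time as st_ctime (elsewhere st_ctime
    is the inode change time and says nothing about creation).
    """
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(src_root, followlinks=False):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            if not os.path.isfile(dst):
                findings.append((rel, "missing in destination"))
                continue
            s, d = os.stat(src), os.stat(dst)
            if s.st_size != d.st_size:
                findings.append((rel, "size differs"))
            elif sha256_of(src) != sha256_of(dst):
                findings.append((rel, "content hash differs"))
            if abs(s.st_mtime - d.st_mtime) > mtime_tolerance:
                findings.append((rel, "last-modified timestamp not preserved"))
            if (check_creation and os.name == "nt"
                    and abs(s.st_ctime - d.st_ctime) > mtime_tolerance):
                findings.append((rel, "creation timestamp not preserved"))
    return findings


def demo() -> Dict[str, List[Finding]]:
    """Constructed fixture: a three-file source tree dated 2010-02-01, copied
    once with shutil.copy2 (keeps mtime, like /copy:DAT) and once badly."""
    old = 1264982400  # 2010-02-01 00:00:00 UTC (constructed value)
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "Folder1"))
        for rel, data in (("File1.txt", b"hello"), ("File2.txt", b"world"),
                          (os.path.join("Folder1", "File3.txt"), b"hi")):
            p = os.path.join(src, rel)
            with open(p, "wb") as f:
                f.write(data)
            os.utime(p, (old, old))

        good = os.path.join(tmp, "good")
        shutil.copytree(src, good, copy_function=shutil.copy2)

        bad = os.path.join(tmp, "bad")
        os.makedirs(bad)
        # File1: content copied, but copyfile stamps it with the current time.
        shutil.copyfile(os.path.join(src, "File1.txt"), os.path.join(bad, "File1.txt"))
        # File2: same size and timestamp, one byte altered (only the hash catches it).
        with open(os.path.join(bad, "File2.txt"), "wb") as f:
            f.write(b"w0rld")
        os.utime(os.path.join(bad, "File2.txt"), (old, old))
        # Folder1\File3.txt is deliberately not copied at all.
        return {"good": verify_copy(src, good), "bad": verify_copy(src, bad)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {findings or 'no discrepancies'}")
```

After a real Robocopy job, call verify_copy with the source and destination roots from the command line (and check_creation=True on Windows, since /copy:DAT preserves creation times as well); files that exist only in the destination are not reported, which is the Robocopy "Extras" column's job.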

Robocopy is a trademark of Microsoft. Windows is a registered trademark of Microsoft. Other products or services may be trademarks or registered trademarks of their respective companies.

Arman Gungor

About Arman Gungor

Arman Gungor is a certified computer forensic examiner (CCE) and an adept e-Discovery expert with over 21 years of computer and technology experience. Arman has been appointed by courts as a neutral computer forensics expert as well as a neutral e-Discovery consultant. His electrical engineering background gives him a deep understanding of how computer systems are designed and how they work.