Sunday, June 8, 2014

Daily Blog #350: Sunday Funday 6/8/14

Hello Reader,
              If  you watched the Forensic Lunch yesterday you would have heard Matthew and I talking about developing tools for DFIR. Let's see how well you can quickly research and determine what artifacts you may be missing.

The Prize:
$200 Amazon Giftcard

The Rules:
  1. You must post your answer before Monday 6/9/14 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post



The Challenge:
Other than USBStor, EMDMgmt, MountedDevices, MountPoints2 and DeviceClasses registry keys how many other locations, registry or otherwise, on a Windows 7 system can you find timestamps of an external storage device being attached.