Tuesday, June 10, 2014

Daily Blog #351: Sunday Funday 6/8/14 Winner!

Hello Reader,
       Thanks to all of you who voted, I won the best forensic blog of the year Forensic 4:Cast Award! With that said, it's time to crown a winner before posting today's slides tomorrow. Another Sunday come and gone and only two left to go in the year of blogging. I got several good answers to this week's challenge, though I'll be honest there are still more places to look!

The Challenge:
Other than the USBStor, EMDMgmt, MountedDevices, MountPoints2 and DeviceClasses registry keys, in how many other locations, registry or otherwise, on a Windows 7 system can you find timestamps of an external storage device being attached?

The Winning Answer:
Anonymous

The first-connected timestamp for a USB device can be found in C:\Windows\inf\setupapi.dev.log.
The following event log tracks the last-connected timestamp:
Microsoft-Windows-DriverFrameworks-UserMode/Operational
A timestamp can also be found in the PnP log under the System event log (event ID 20001).
The following registry key tree keeps track of the drive letters assigned to portable devices:
SOFTWARE\Microsoft\"Windows Portable Devices"\
The following registry key also shows the USB device information:
SYSTEM\CurrentControlSet\Control\usbflags
The following registry tree contains information about the devices on the system, including USB devices:
SYSTEM\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\
In addition to this, VSC can be queried to see historical timestamps.
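As an added example (not part of the original post or the winning answer), here is a small Python parser that pulls the first-connect timestamp per USB mass-storage device out of setupapi.dev.log, the first location the answer names. It runs over a constructed log fragment in the Windows 7 layout; the device IDs, serials and timestamps in the sample are made up, and a device installed twice keeps its earliest section time.

```python
import re
from datetime import datetime

# Constructed fragment (not a real log): the Kingston drive is installed twice; the USB\VID entry is not USBSTOR.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0951&PID_1666\0019E06B1234567890ABCDEF]
>>>  Section start 2014/06/01 08:12:43.870
<<<  Section end 2014/06/01 08:12:44.912
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0019E06B1234567890ABCDEF&0]
>>>  Section start 2014/06/01 08:12:45.101
<<<  Section end 2014/06/01 08:12:47.338
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001230509110592&0]
>>>  Section start 2014/06/08 21:03:10.552
<<<  Section end 2014/06/08 21:03:12.004
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0019E06B1234567890ABCDEF&0]
>>>  Section start 2014/06/09 14:40:02.211
<<<  Section end 2014/06/09 14:40:03.100
"""

# Install-section header naming a USB mass-storage instance; its start time follows on the next line.
HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>USBSTOR\\[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")

def first_connect_times(log_text):
    """Map each USBSTOR instance ID to its earliest install-section start time.
    setupapi.dev.log timestamps are local time, so convert before comparing with UTC sources."""
    first_seen = {}
    pending = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.group("id")
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            # A reinstall logs a later section; keep the first one seen.
            if pending not in first_seen or ts < first_seen[pending]:
                first_seen[pending] = ts
            pending = None
    return first_seen

def serial_from_instance_id(instance_id):
    """Serial part of the instance ID without the trailing '&0', for matching the USB\\VID_..\\<serial> entry."""
    tail = instance_id.rsplit("\\", 1)[-1]
    return tail[:-2] if tail.endswith("&0") else tail

if __name__ == "__main__":
    for dev, ts in sorted(first_connect_times(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(ts.strftime("%Y-%m-%d %H:%M:%S"), serial_from_instance_id(dev), dev)
```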