Hello Reader,
Thanks to all of you who voted, I won the best forensic blog of the year Forensic 4:Cast Award! With that said, it's time to crown a winner before posting today's slides tomorrow. Another Sunday come and gone and only two left to go in the year of blogging. I got several good answers to this week's challenge, though I'll be honest there are still more places to look!
The Challenge:
Other than the USBStor, EMDMgmt, MountedDevices, MountPoints2 and DeviceClasses registry keys, how many other locations, registry or otherwise, on a Windows 7 system can you find timestamps of an external storage device being attached?
The Winning Answer:
Anonymous
First connected timestamp for the USB device can be found from C:\Windows\inf\setupapi.dev.log
The following event log tracks last connected timestamp: Microsoft-Windows-DriverFrameworks-UserMode/Operational
Timestamp can also be found in the PnP log under system event log (event ID 20001).
The following registry key tree keeps track of the drive letters assigned to portable devices: SOFTWARE\Microsoft\"Windows Portable Devices"\
The following registry key also shows the USB device information: SYSTEM\CurrentControlSet\Control\usbflags
The following registry tree contains information about the devices on the system including USB devices: SYSTEM\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\
In addition to this, VSC can be queried to see historical timestamps.
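As an added example (not part of this post or the winning answer above), here is a small Python parser that pulls the first-install timestamp and the vendor/product/serial fields out of the USBSTOR sections of setupapi.dev.log, run over a constructed sample. It assumes the Windows 7 layout of that log (a ">>>  [Device Install ...]" header followed by ">>>  Section start" and closed by "<<<  [Exit status: ...]"); note that the timestamps in this log are local time, and that the log only records the driver install, which is why it yields the first connection rather than later ones.

```python
import re
from datetime import datetime

# Constructed sample in the layout of C:\Windows\inf\setupapi.dev.log (not a real log).
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\4C530001234567890123&0]
>>>  Section start 2013/06/15 14:22:01.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 14:22:01.234
<<<  Section end 2013/06/15 14:22:05.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - PCI\\VEN_8086&DEV_1E31&SUBSYS_05CC1028&REV_04\\3&11583659&0&A0]
>>>  Section start 2013/06/15 14:30:00.000
<<<  Section end 2013/06/15 14:30:02.000
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \((?P<kind>[^)]+)\) - (?P<devid>.+?)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXIT_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")

def parse_usbstor_installs(text):
    """One record per USBSTOR device-install section; non-USB sections are skipped."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # a new section begins; remember its device id and install kind
            current = {"device_id": m.group("devid"), "kind": m.group("kind"),
                       "first_install": None, "status": None}
            continue
        if current is None:
            continue
        m = START_RE.match(line)
        if m:  # local time of the install, i.e. the first time the device was seen
            current["first_install"] = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = EXIT_RE.match(line)
        if m:  # section closed; keep it only if the device id is under USBSTOR
            current["status"] = m.group("status")
            if current["device_id"].upper().startswith("USBSTOR\\"):
                records.append(current)
            current = None
    return records

def split_device_id(devid):
    """Break 'USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\<instance>' into fields. An '&' as the
    second character of the instance id means Windows generated it (device reports no serial)."""
    _, hardware, instance = devid.split("\\", 2)
    fields = dict(f.split("_", 1) for f in hardware.split("&")[1:] if "_" in f)
    return {"vendor": fields.get("Ven"), "product": fields.get("Prod"), "revision": fields.get("Rev"),
            "instance_id": instance, "serial_is_device_reported": len(instance) < 2 or instance[1] != "&"}
```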