Daily Blog #351: Sunday Funday 6/8/14 Winner!

Hello Reader,
Thanks to all of you who voted, I won the best forensic blog of the year Forensic 4:Cast Award! With that said, it's time to crown a winner before posting today's slides tomorrow. Another Sunday come and gone and only two left to go in the year of blogging. I got several good answers to this week's challenge, though I'll be honest, there are still more places to look!

The Challenge:
Other than the USBStor, EMDMgmt, MountedDevices, MountPoints2 and DeviceClasses registry keys, how many other locations, registry or otherwise, on a Windows 7 system can you find timestamps of an external storage device being attached?

The Winning Answer:
Anonymous

First connected timestamp for the USB device can be found from C:\Windows\inf\setupapi.dev.log
The following event log tracks last connected timestamp: 
Microsoft-Windows-DriverFrameworks-UserMode/Operational
Timestamp can also be found in the PnP log under system event log (event ID 20001).
The following registry key tree keeps track of the drive letters assigned to portable devices: 
SOFTWARE\Microsoft\"Windows Portable Devices"\
The following registry key also shows the USB device information:
SYSTEM\CurrentControlSet\Control\usbflags
The following registry tree contains information about the devices on the system including USB devices: 
SYSTEM\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\
In addition to this, VSC can be queried to see historical timestamps.
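
The first source in the answer, setupapi.dev.log, is plain text, so the first-connected time can be extracted with a short parser. This is an added example, not code from the blog or from the answer's author; the sample log is constructed, and `first_install_times` and its `prefixes` parameter are hypothetical names.

```python
import re
from datetime import datetime

# Constructed sample in the section layout Windows 7 uses for setupapi.dev.log.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\AA00000000000001&0]
>>>  Section start 2014/06/01 09:15:42.310
     dvi: (details omitted)
<<<  Section end 2014/06/01 09:15:44.120
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - PCI\VEN_0000&DEV_0000\3&00000000&0&A0]
>>>  Section start 2014/06/02 08:00:00.000
<<<  Section end 2014/06/02 08:00:01.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Sample&Prod_Drive&Rev_2.00\BB00000000000002&0]
>>>  Section start 2014/06/03 17:30:05.001
<<<  Section end 2014/06/03 17:30:06.900
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\AA00000000000001&0]
>>>  Section start 2014/06/05 11:02:13.777
<<<  Section end 2014/06/05 11:02:14.100
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[(?P<op>.+?) - (?P<dev>[^\]]+)\]\s*$")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)")

def first_install_times(log_text, prefixes=("USBSTOR\\",)):
    """Map each matching device instance ID to its earliest section start.

    Timestamps in this log are local system time, not UTC.
    """
    first = {}
    pending = None  # device ID from the last header, awaiting its start line
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            dev = header.group("dev").upper()
            pending = dev if dev.startswith(prefixes) else None
            continue
        start = START.match(line)
        if start and pending:
            ts = datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S.%f")
            # A device may be reinstalled later; keep only the earliest time.
            if pending not in first or ts < first[pending]:
                first[pending] = ts
            pending = None
    return first

if __name__ == "__main__":
    for dev, ts in sorted(first_install_times(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(ts.isoformat(sep=" ", timespec="milliseconds"), dev)
```

Device IDs are upper-cased before comparison, so look up results with upper-case keys.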

 

Daily Blog #351: Sunday Funday 6/8/14 Winner! Reviewed by David Cowen on June 10, 2014 Rating: 5


All Rights Reserved by Hacking Exposed Computer Forensics Blog © 2014 - 2020