USB Removal Date/Time
Posted: Fri Jan 25, 2013 12:02 am
Hi All:
Happy New Year
(dang - time flies it's almost Jan end)
Is there a way to tell when a USB device (in this case a thumbdrive) was *removed* from a laptop? We have the date it was first inserted. User claims they inserted and removed it immediately. Is there a way to tell when it was removed OR how long it was plugged in for?
Also, just want to double check....
Unless data on the usb device is viewed or opened we would not see any mention of those files on the suspect machine (assuming that data has never been viewed on that machine before) - is that correct? If a user were to view thumbdrive in Explorer, R+Click the files and copy and paste them to a server drive, there would be no evidence of that being done. Are my assumptions correct?
I believe the OS is WinXP.
Thanks for any help.
-=Art=-
-

4n6art - Senior Member
Re: USB Removal Date/Time
Posted: Fri Jan 25, 2013 3:12 am
Have you had a look in the Shellbags?
If it's a Windows 7 machine, the usrclass.dat file can contain information about folders which have been accessed, which could be useful.
Even if it is XP, the ntuser.dat shellbags may contain the stuff you need.
-

minime2k9 - Senior Member
Re: USB Removal Date/Time
Posted: Fri Jan 25, 2013 5:10 am
Have you put together a timeline of the activity on the system around the time the USB was inserted?
If you see usage after it was inserted then it would be hard to say that it was removed immediately.
Other than that I'm not sure. I wonder if Windows logs when the safely remove feature is used. Might be worth testing to see if you find anything noteworthy.
-

randomaccess - Senior Member
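
The timeline check suggested in the post above, as an added example that is not part of the original thread: it takes timeline rows already extracted and normalised to one time zone, keeps those that reference the removable volume at or after the first-insert time, and reports the gap to the latest one as a lower bound on how long the device stayed connected. The sample rows, the E:\ drive letter, the artifact source labels and the function names are constructed for illustration; it also assumes the drive letter was not reassigned to another device in that window.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample timeline rows: (timestamp, artifact source, path recorded).
SAMPLE_EVENTS = [
    ("2013-01-09 09:00:00", "lnk", r"E:\old\photo.jpg"),        # before insert
    ("2013-01-10 14:02:40", "shellbag", r"E:\Projects"),
    ("2013-01-10 14:05:03", "lnk", r"C:\Documents and Settings\user\notes.txt"),
    ("2013-01-10 14:19:57", "lnk", r"E:\Projects\budget.xls"),
]


def activity_after_insert(events, first_insert, volume):
    """Return rows that reference `volume` at or after `first_insert`, sorted."""
    start = datetime.strptime(first_insert, FMT)
    prefix = volume.upper()
    hits = []
    for ts, source, detail in events:
        when = datetime.strptime(ts, FMT)
        # Case-insensitive match: Windows paths are not case sensitive.
        if when >= start and detail.upper().startswith(prefix):
            hits.append((when, source, detail))
    return sorted(hits)


def minimum_connected(events, first_insert, volume):
    """Lower bound on connection time, or None if nothing references the volume.

    None means the timeline neither supports nor contradicts an immediate
    removal; it is not evidence that the device was removed.
    """
    hits = activity_after_insert(events, first_insert, volume)
    if not hits:
        return None
    return hits[-1][0] - datetime.strptime(first_insert, FMT)


if __name__ == "__main__":
    insert_time = "2013-01-10 14:02:11"  # constructed first-insert time
    for when, source, detail in activity_after_insert(SAMPLE_EVENTS, insert_time, "E:\\"):
        print(when, source, detail)
    print("connected at least:", minimum_connected(SAMPLE_EVENTS, insert_time, "E:\\"))
```
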
Re: USB Removal Date/Time
Posted: Fri Jan 25, 2013 8:00 am
- minime2k9
Have you had a look in the Shellbags?
If it's a Windows 7 machine, the usrclass.dat file can contain information about folders which have been accessed, which could be useful.
How so?
-

keydet89 - Senior Member
Re: USB Removal Date/Time
Posted: Fri Jan 25, 2013 8:06 am
- 4n6art
Unless data on the usb device is viewed or opened we would not see any mention of those files on the suspect machine (assuming that data has never been viewed on that machine before) - is that correct?
Reason through it...user connects a USB device to an XP system, opens Explorer and then drags files to it, without opening the files once they've been copied. Or, let's just say that the user right-clicks, and chooses "Send To..."...and again, does not open the files once they've been copied over to the device.
Given this, what artifacts would you *expect* to see, and where would you find said artifacts?
- 4n6art
If a user were to view thumbdrive in Explorer, R+Click the files and copy and paste them to a server drive, there would be no evidence of that being done. Are my assumptions correct?
Again, same thought process...reason through it, and tell me/us what you would expect to see...
-

keydet89 - Senior Member
Re: USB Removal Date/Time
Posted: Fri Jan 25, 2013 8:43 am
- keydet89
- minime2k9
Have you had a look in the Shellbags?
If it's a Windows 7 machine, the usrclass.dat file can contain information about folders which have been accessed, which could be useful.
How so?
www.williballenthin.co...index.html
See section under "folderdata".
Did have a better link but can't find it now
-

minime2k9 - Senior Member
Re: USB Removal Date/Time
Posted: Fri Jan 25, 2013 12:10 pm
- minime2k9
Thanks, but that's really not what I was referring to. I'm very familiar with shellbags, as well as the tools that are commonly used to enumerate these artifacts. In fact, several of the commonly endorsed tools miss some (IMHO) important pieces of data.
It's also important to understand how shellbags are created on various versions of Windows. As such, what I was asking is, how would you recommend to the OP to use these artifacts in pursuit of their stated goals?
Thanks
-

keydet89 - Senior Member
















