USB Removal Date/Time


USB Removal Date/Time

Post Posted: Fri Jan 25, 2013 12:02 am

Hi All:

Happy New Year (dang - time flies it's almost Jan end)

Is there a way to tell when a USB device (in this case a thumbdrive) was *removed* from a laptop? We have the date it was first inserted. User claims they inserted and removed it immediately. Is there a way to tell when it was removed OR how long it was plugged in for?

Also, just want to double check....
Unless data on the usb device is viewed or opened we would not see any mention of those files on the suspect machine (assuming that data has never been viewed on that machine before) - is that correct? If a user were to view thumbdrive in Explorer, R+Click the files and copy and paste them to a server drive, there would be no evidence of that being done. Are my assumptions correct?

I believe the OS is WinXP.

Thanks for any help.
-=Art=-  

4n6art
Senior Member
 
 
  

Re: USB Removal Date/Time

Post Posted: Fri Jan 25, 2013 3:12 am

Have you had a look in the Shellbags?

If it's a Windows 7 machine, the usrclass.dat file can contain information about folders which have been accessed, which could be useful.
Even if it is XP, the ntuser.dat shellbags may contain the stuff you need.

minime2k9
Senior Member
 
 
  

Re: USB Removal Date/Time

Post Posted: Fri Jan 25, 2013 5:10 am

Have you put together a timeline of the activity on the system around the time the USB was inserted?
If you see usage after it was inserted then it would be hard to say that it was removed immediately.

Other than that I'm not sure. I wonder if Windows logs when the safely remove feature is used. Might be worth testing to see if you find anything noteworthy.

randomaccess
Senior Member
 
 
  

Re: USB Removal Date/Time

Post Posted: Fri Jan 25, 2013 8:00 am

- minime2k9
Have you had a look in the Shellbags?

If it's a Windows 7 machine, the usrclass.dat file can contain information about folders which have been accessed, which could be useful.


How so?  

keydet89
Senior Member
 
 
  

Re: USB Removal Date/Time

Post Posted: Fri Jan 25, 2013 8:06 am

- 4n6art

Unless data on the usb device is viewed or opened we would not see any mention of those files on the suspect machine (assuming that data has never been viewed on that machine before) - is that correct?


Reason through it...user connects a USB device to an XP system, opens Explorer and then drags files to it, without opening the files once they've been copied. Or, let's just say that the user right-clicks, and chooses "Send To..."...and again, does not open the files once they've been copied over to the device.

Given this, what artifacts would you *expect* to see, and where would you find said artifacts?

- 4n6art
If a user were to view thumbdrive in Explorer, R+Click the files and copy and paste them to a server drive, there would be no evidence of that being done. Are my assumptions correct?


Again, same thought process...reason through it, and tell me/us what you would expect to see...  

keydet89
Senior Member
 
 
  

Re: USB Removal Date/Time

Post Posted: Fri Jan 25, 2013 8:43 am

- keydet89
- minime2k9
Have you had a look in the Shellbags?

If it's a Windows 7 machine, the usrclass.dat file can contain information about folders which have been accessed, which could be useful.


How so?


www.williballenthin.co...index.html

See section under "folderdata".

Did have a better link but can't find it now.

minime2k9
Senior Member
 
 
  

Re: USB Removal Date/Time

Post Posted: Fri Jan 25, 2013 12:10 pm

- minime2k9

www.williballenthin.co...index.html

See section under "folderdata".


Thanks, but that's really not what I was referring to. I'm very familiar with shellbags, as well as the tools that are commonly used to enumerate these artifacts. In fact, several of the commonly endorsed tools miss some (IMHO) important pieces of data.

It's also important to understand how shellbags are created on various versions of Windows. As such, what I was asking is, how would you recommend to the OP to use these artifacts in pursuit of their stated goals?

Thanks  

keydet89
Senior Member
 
 