Question on USB drive

(@psl485)
Posts: 4
New Member
Topic starter
 

Hello,

I am trying to track the first time a USB Drive driver was installed on a Windows 7 computer. I located the Container ID and Class GUID for the USB drive, but there was no serial number linked to it in the Enum/USBSTOR registry file. I also located the hardware ID in the Enum/USB registry file. I then tried to locate the driver installation in setupAPI.DEV.log in the Root/Windows/INF folder to view it, but it was not there. The only setupapi files that were in the folder were setupapi.ev1, setupapi.ev2, setupapi.ev3 and setupAPI.offline.log.

Is it still possible to track driver installation without the serial number?

Does this mean that there is not a setupAPI.Dev.log file?

Also is there another way to locate the time and date of the USB driver installation?

Thanks

 
Posted : 14/10/2014 8:24 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Did you check the DriverFramework-UserMode/Operational.evtx Windows Event Log file?

Did you create a timeline using just the contents of the above .evtx file, the Software, System, and NTUSER.DAT hives?

 
Posted : 15/10/2014 12:27 am
(@deltron)
Posts: 125
Estimable Member
 

You check the cheat sheet for any locations you may have missed
http://digital-forensics.sans.org/media/poster_fall_2013_forensics_final.pdf

 
Posted : 16/10/2014 12:47 am
(@missicey)
Posts: 12
Active Member
 

That poster is really great, Thanks Deltron!

 
Posted : 19/10/2014 10:16 pm
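
For cases where a setupapi.dev.log is available, the sketch below (an added example, not part of any post in this thread) pulls the earliest "Device Install" section per USBSTOR device and flags instance IDs that look OS-generated, which is the usual sign that the device reported no serial number. The sample log text is constructed, and the "second character is `&`" test is a commonly used heuristic, stated here as an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the setupapi.dev.log layout; not data from the thread.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\6&2f4a1c3b&0]
>>>  Section start 2014/09/30 18:02:11.482
     dvi: Install Device: Begin
<<<  Section end 2014/09/30 18:02:13.910
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\EXAMPLESERIAL0001&0]
>>>  Section start 2014/10/02 07:45:00.120
<<<  Section end 2014/10/02 07:45:02.337
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\6&2f4a1c3b&0]
>>>  Section start 2014/10/05 12:00:00.000
<<<  Section end 2014/10/05 12:00:01.000
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install .*? - (USBSTOR\\[^\]]+)\]", re.I)
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})")

def first_installs(log_text):
    """Map each USBSTOR device instance path to its earliest install section."""
    found, pending = {}, None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.group(1)  # remember the device until its start line
            continue
        m = START.match(line)
        if m and pending:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            instance_id = pending.rsplit("\\", 1)[-1]
            prior = found.get(pending)
            if prior is None or ts < prior["first_install_local"]:
                found[pending] = {
                    "first_install_local": ts,  # log timestamps are local time
                    # '&' as 2nd character: ID generated by Windows (assumed heuristic)
                    "os_generated_id": len(instance_id) > 1 and instance_id[1] == "&",
                }
            pending = None
    return found

if __name__ == "__main__":
    for path, info in first_installs(SAMPLE_LOG).items():
        print(info["first_install_local"], info["os_generated_id"], path)
```
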