Autopsy 4 and attached devices

 Mobo
(@mobo)
Posts: 15
Active Member
Topic starter
 

I'm viewing a disk image in Autopsy v4 and am being puzzled [not difficult for me!!] by some data concerning some attached devices I am interested in.

Under the modules I ran for extracted content / Devices attached, I see at the top ROOT_HUB20 with a device ID together with a date & time.

At the same Date/Time [to the second] are attached 4 devices I am interested in - 3 x USB sticks plus a WD portable HDD - along with the other expected devices such as keyboard & Mouse etc.

This occurs again on another date 5 days later - the ROOT_HUB20 followed by the same devices all at the same time/date.

When I cross reference this to the Registry I am seeing the same 3 x USB devices plus the WD portable HDD, but all at completely different time/dates to the above and different to each other.

I have so far assumed that on the 2 former occasions when they all appear at the same time/date, they have been attached via a USB Hub, which may explain the time/date stamps.

I have then assumed that the latter information from the Registry time/date stamps are the last occasion the devices were attached singularly?

Am I right or way out wrong???

Thanks in anticipation.

 
Posted : 20/11/2015 8:00 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

A couple of things that might be helpful…

What is the OS of the image you're looking at?

Do you know from where the data in question is being retrieved?

One of the biggest issues with digital forensic analysis is not data extraction…it's data interpretation. I'd suggest determining where the time stamps you're looking at are being retrieved from, as there are a number of locations within the System hive file alone from which data about attached devices can be retrieved, but not all of their time stamps pertain to when the device was actually connected to the system.

 
Posted : 20/11/2015 10:44 pm
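As an added illustration of the interpretation point above (example code, not from this thread, from Autopsy or from any registry tool), the records below are constructed: a RegBack copy of SYSTEM in which several device keys carry the same last-write second, beside the live SYSTEM hive reporting different times per device. The two checks surface exactly those cues: keys within one source that share an identical last-write second, and devices on which the two hive copies disagree, so the analyst knows which times still need their originating event established before being read as attachment times.

```python
from collections import defaultdict

# Constructed sample records (source hive, key path, device label, key last-write time).
# Device names, key paths and times are invented for this example, not taken from any image.
REGBACK = "RegBack\\SYSTEM"
LIVE = "config\\SYSTEM"
USBSTOR = "ControlSet001\\Enum\\USBSTOR\\"
RECORDS = [
    (REGBACK, "ControlSet001\\Enum\\USB\\ROOT_HUB20", "ROOT_HUB20", "2015-11-10 08:15:42"),
    (REGBACK, USBSTOR + "Disk&Ven_StickA", "USB stick A", "2015-11-10 08:15:42"),
    (REGBACK, USBSTOR + "Disk&Ven_StickB", "USB stick B", "2015-11-10 08:15:42"),
    (REGBACK, USBSTOR + "Disk&Ven_StickC", "USB stick C", "2015-11-10 08:15:42"),
    (REGBACK, USBSTOR + "Disk&Ven_WD", "WD portable HDD", "2015-11-10 08:15:42"),
    (LIVE, USBSTOR + "Disk&Ven_StickA", "USB stick A", "2015-11-14 19:02:11"),
    (LIVE, USBSTOR + "Disk&Ven_StickB", "USB stick B", "2015-11-03 12:40:05"),
    (LIVE, USBSTOR + "Disk&Ven_StickC", "USB stick C", "2015-11-14 19:02:30"),
    (LIVE, USBSTOR + "Disk&Ven_WD", "WD portable HDD", "2015-11-12 07:55:59"),
]


def same_second_clusters(records, source, min_devices=3):
    """Device keys in one hive source whose last-write times agree to the second.

    Many unrelated device keys sharing one second is a cue that the write came
    from a single bulk event rather than from each device being plugged in.
    """
    by_ts = defaultdict(list)
    for src, _key, dev, ts in records:
        if src == source:
            by_ts[ts].append(dev)
    return {ts: devs for ts, devs in by_ts.items() if len(devs) >= min_devices}


def per_device_timestamps(records):
    """Map each device to the last-write time reported by every hive source."""
    out = defaultdict(dict)
    for src, _key, dev, ts in records:
        out[dev][src] = ts
    return dict(out)


def sources_disagree(records):
    """Devices for which the hive copies report different last-write times."""
    return sorted(dev for dev, by_src in per_device_timestamps(records).items()
                  if len(set(by_src.values())) > 1)


if __name__ == "__main__":
    for ts, devs in same_second_clusters(RECORDS, REGBACK).items():
        print(f"{REGBACK}: {len(devs)} keys last written at {ts}: {', '.join(devs)}")
    print("sources disagree on:", ", ".join(sources_disagree(RECORDS)))
```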
 Mobo
(@mobo)
Posts: 15
Active Member
Topic starter
 

Thanks.

The OS on the image is W7 Professional edition.

The path of all the devices that appeared connected at the same time that I'm interested in is-

Windows/System32/config/RegBack/SYSTEM

I take it then these time/date stamps are inaccurate and I should follow the ones straight from the Registry hive I obtained which is-

\Windows\System32\Config\SYSTEM\ControlSet001\Enum\USBSTOR

 
Posted : 21/11/2015 1:25 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

The OS on the image is W7 Professional edition.

The path of all the devices that appeared connected at the same time that I'm interested in is-

Windows/System32/config/RegBack/SYSTEM

That's a backed up copy of a Registry file…why are you interested in devices that appear in this hive, rather than those that appear in the system32\config\SYSTEM hive?

I take it then these time/date stamps are inaccurate and I should follow the ones straight from the Registry hive I obtained which is-

\Windows\System32\Config\SYSTEM\ControlSet001\Enum\USBSTOR

Why do you say that? What resource are you referencing?

 
Posted : 21/11/2015 3:04 am
 Mobo
(@mobo)
Posts: 15
Active Member
Topic starter
 

It's more about the connected devices that I am interested in.

They all appear in the specified locations.

It's the differing times that's confusing me. I appreciate one is the Back up copy of the registry, but what are the time/date stamps?

 
Posted : 21/11/2015 4:12 am