Determining how long an external USB drive is connected

7 Posts
6 Users
0 Likes
827 Views
(@mekaniq)
Posts: 4
New Member
Topic starter
 

I need to determine how long an external USB hard drive was connected to a Windows7 OS computer. Any ideas about where to look at it; i.e. registry, event viewer and/or any other logs?

 
Posted : 27/09/2010 8:49 pm
(@dave-hull)
Posts: 15
Active Member
 

I don't believe you'll be able to get that information. Unless there are some artifacts that we don't know about yet. You can often determine the first time a usb device was connected by looking in the setupapi.log or setupapi.dev.log on Windows 7. This file should contain references to the device being installed the first time.

For subsequent installations and use of the device, you'll need to consult the Registry including the specific user's Registry profile. Check out

https://blogs.sans.org/computer-forensics/files/2009/08/usb_device_forensics_vista_win7_guide.pdf
http://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf

for additional details on where to find USB artifacts.

Also, Harlan Carvey's Windows Forensic Analysis 2nd Edition has some great information on this type of investigation.

Again as far as I know, you can't determine how long a device was plugged in. You can determine when it was first plugged in and subsequent times after that, but to my knowledge, no artifact exists that will tell you when the device was removed.

 
Posted : 28/09/2010 11:53 pm
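As an added example (not from Dave's post or the SANS guides), the following Python parser pulls the earliest "Section start" time for each USBSTOR device install section out of a Windows 7 setupapi.dev.log, which is the "first connected" artifact described above. The log sample is constructed; the device IDs and timestamps are made up, and the layout follows the `>>>  [Device Install ...]` / `>>>  Section start` structure of the real log.

```python
import re
from datetime import datetime

# Constructed sample in the style of a Windows 7 setupapi.dev.log.
# Device IDs, serials and timestamps are invented for this example.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0000&PID_0000\\EXAMPLESERIAL0001]
>>>  Section start 2010/09/20 14:02:09.001
<<<  Section end 2010/09/20 14:02:10.900
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Example&Prod_Drive&Rev_1.00\\EXAMPLESERIAL0001&0]
>>>  Section start 2010/09/20 14:02:11.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2010/09/20 14:02:13.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Example&Prod_Drive&Rev_1.00\\EXAMPLESERIAL0001&0]
>>>  Section start 2010/09/25 09:30:00.000
<<<  Section end 2010/09/25 09:30:02.000
<<<  [Exit status: SUCCESS]
"""

# Only USBSTOR (mass-storage) install sections are of interest here.
HEADER_RE = re.compile(r"^>>>\s+\[Device Install .*? - (USBSTOR\\[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def first_install_times(log_text):
    """Map each USBSTOR device instance ID to its earliest 'Section start' time.

    Timestamps in setupapi.dev.log are local system time. The log records
    driver installs only, so this yields first-connected evidence, not how
    long the device stayed attached.
    """
    result = {}
    pending = None  # device ID of the section header we are inside
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            if pending not in result or ts < result[pending]:
                result[pending] = ts
            pending = None
    return result


if __name__ == "__main__":
    for device, ts in first_install_times(SAMPLE_LOG).items():
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {device}")
```

Run it against a copy of `C:\Windows\inf\setupapi.dev.log` from the image rather than the live system, and correlate the device instance ID with the USBSTOR key in the SYSTEM hive as the guides above describe.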
(@bgaines)
Posts: 9
Active Member
 

I agree with Dave.hull; I don't know of any way to determine how long it has been plugged in. All you can do is attempt to extrapolate based on other evidence.

 
Posted : 29/09/2010 12:11 am
(@mekaniq)
Posts: 4
New Member
Topic starter
 

Thank you very much; I'll try with this information and post results…

Cheers!

 
Posted : 29/09/2010 4:04 pm
ehuber
(@ehuber)
Posts: 91
Trusted Member
 

I posted indirectly about this on the SANS Forensic Blog. One of the things that occurred to me when I was reviewing a timeline for a recent case was that the last accessed times of sound files on a system might be a way to determine when a USB device started and stopped interacting with a computer.

 
Posted : 29/09/2010 7:48 pm
(@cults14)
Posts: 367
Reputable Member
 

ehuber - neat trick!!

mekaniq - not done any W7 systems, on XP Pro I've got as much info about files accessed on external drives as I could (LinkAlyzer, Windows Forensic Analysis, Windows File Analyzer, NetAnalysis, HsTex), got info from Registry about external media (RegRipper, Registry Viewer et al) and then matched files to devices where possible using timeline.

You can mebbe get Last Time Connected following Rob Lee's very helpful guide http://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf

HTH

 
Posted : 30/09/2010 4:15 pm
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

The simplest test is to try for yourself.

Run a snapshot tool before and after plugging in/disconnecting an external USB device.

 
Posted : 01/10/2010 7:22 am