Hi All
Happy New Year :D (dang, time flies; it's almost the end of Jan)
Is there a way to tell when a USB device (in this case a thumbdrive) was *removed* from a laptop? We have the date it was first inserted. User claims they inserted and removed it immediately. Is there a way to tell when it was removed OR how long it was plugged in for?
Also, I just want to double-check…
Unless data on the USB device is viewed or opened, we would not see any mention of those files on the suspect machine (assuming that data has never been viewed on that machine before) - is that correct? If a user were to view the thumb drive in Explorer, right-click the files and copy and paste them to a server drive, there would be no evidence of that being done. Are my assumptions correct?
I believe the OS is WinXP.
Thanks for any help.
-=Art=-
Have you had a look in the Shellbags?
If it's a Windows 7 machine, the usrclass.dat file can contain information about folders which have been accessed, which could be useful.
Even if it is XP, the ntuser.dat shellbags may contain the stuff you need.
Have you put together a timeline of the activity on the system around the time the USB device was inserted?
If you see usage after it was inserted, then it would be hard to say that it was removed immediately.
Other than that I'm not sure. I wonder if Windows logs when the "Safely Remove" feature is used. Might be worth testing to see if you find anything noteworthy.
Have you had a look in the Shellbags?
If it's a Windows 7 machine, the usrclass.dat file can contain information about folders which have been accessed, which could be useful.
How so?
Unless data on the usb device is viewed or opened we would not see any mention of those files on the suspect machine (assuming that data has never been viewed on that machine before) - is that correct?
Reason through it… A user connects a USB device to an XP system, opens Explorer and then drags files to it, without opening the files once they've been copied. Or, let's just say that the user right-clicks and chooses "Send To…", and again does not open the files once they've been copied over to the device.
Given this, what artifacts would you *expect* to see, and where would you find said artifacts?
If a user were to view thumbdrive in Explorer, R+Click the files and copy and paste them to a server drive, there would be no evidence of that being done. Are my assumptions correct?
Again, same thought process…reason through it, and tell me/us what you would expect to see…
Have you had a look in the Shellbags?
If it's a Windows 7 machine, the usrclass.dat file can contain information about folders which have been accessed, which could be useful.
How so?
http://www.williballenthin.com/forensics/shellbags/index.html
See the section under "folderdata".
Did have a better link but can't find it now.
Thanks, but that's really not what I was referring to. I'm very familiar with shellbags, as well as the tools that are commonly used to enumerate these artifacts. In fact, several of the commonly endorsed tools miss some (IMHO) important pieces of data.
It's also important to understand how shellbags are created on various versions of Windows. As such, what I was asking is, how would you recommend to the OP to use these artifacts in pursuit of their stated goals?
Thanks
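The "folderdata" section of the page linked above describes the per-folder shell items that a shellbag value stores, and the reply above points out that how those items are built differs between Windows versions. As an added illustration (not code from this thread, from that page, or from any published shellbag tool), here is a Python decoder for the XP-era form of those items, run over a constructed ItemPos-style value. The item layout it assumes (a type 0x31/0x32 file-entry item followed by a version-3 0xBEEF0004 extension block carrying the created/accessed times and the long name) and the sample folder names and timestamps are assumptions made for the example.

```python
"""Decode the per-folder shell items found in XP NTUSER.DAT shellbag values
(Software\\Microsoft\\Windows\\ShellNoRoam\\Bags\\<n>\\Shell\\ItemPos*).
Constructed example; the builder exists only to fabricate sample input."""
import struct
from datetime import datetime

EXT_SIGNATURE = 0xBEEF0004   # file-entry extension block: created/accessed times, long name


def fat_datetime(raw):
    """4-byte FAT/DOS timestamp: date word then time word, little-endian.
    Local time, 2-second resolution; an all-zero field means 'not set'."""
    date, time = struct.unpack("<HH", raw)
    if date == 0 and time == 0:
        return None
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def pack_fat_datetime(dt):
    """Inverse of fat_datetime; odd seconds are truncated, as they are on disk."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return struct.pack("<HH", date, time)


def _utf16z(buf, off):
    out = bytearray()
    while off + 1 < len(buf) and buf[off:off + 2] != b"\x00\x00":
        out += buf[off:off + 2]
        off += 2
    return out.decode("utf-16-le")


def build_shell_item(short_name, long_name, modified, created, accessed, is_dir=True):
    """Assemble one item with a version-3 (XP) extension block. Assumed layout:
    size, class, 0, file size, modified (FAT), attributes, 8.3 name (ASCII, nul,
    padded to 16 bits), then ext: size, version, signature, created, accessed,
    identifier, long-string size, long name (UTF-16LE, nul), version offset."""
    body = struct.pack("<BBI", 0x31 if is_dir else 0x32, 0, 0)
    body += pack_fat_datetime(modified)
    body += struct.pack("<H", 0x10 if is_dir else 0x20)     # DIRECTORY / ARCHIVE attribute
    body += short_name.encode("ascii") + b"\x00"
    if len(body) % 2:
        body += b"\x00"
    ext_off = 2 + len(body)                                  # offset of the ext block from item start
    ext = struct.pack("<HI", 3, EXT_SIGNATURE)
    ext += pack_fat_datetime(created) + pack_fat_datetime(accessed)
    ext += struct.pack("<HH", 0x0014, 0)
    ext += long_name.encode("utf-16-le") + b"\x00\x00"
    ext += struct.pack("<H", ext_off)
    body += struct.pack("<H", len(ext) + 2) + ext
    return struct.pack("<H", len(body) + 2) + body


def parse_shell_item(data, off=0):
    """Decode one file-entry item at `off`; returns (fields, offset of next item)."""
    size, cls = struct.unpack_from("<HB", data, off)
    item = data[off:off + size]
    if cls & 0x70 != 0x30:
        raise ValueError("not a file-entry shell item: class 0x%02x" % cls)
    end = item.index(b"\x00", 14)
    fields = {"is_dir": bool(cls & 0x01),
              "short_name": item[14:end].decode("ascii"),
              "modified": fat_datetime(item[8:12]),
              "created": None, "accessed": None, "long_name": None}
    sig = item.find(struct.pack("<I", EXT_SIGNATURE), end)
    if sig != -1:
        ext = sig - 4                                        # block begins with size(2) + version(2)
        version = struct.unpack_from("<H", item, ext + 2)[0]
        fields["created"] = fat_datetime(item[ext + 8:ext + 12])
        fields["accessed"] = fat_datetime(item[ext + 12:ext + 16])
        name_off = ext + 18 + 2                              # past identifier and long-string size
        if version >= 7:
            name_off += 2 + 8 + 8                            # unknown, MFT reference, unknown (Vista+)
        if version >= 9:
            name_off += 4
        if version >= 8:
            name_off += 4
        fields["long_name"] = _utf16z(item, name_off)
    return fields, off + size


def parse_shell_item_list(data):
    """Walk a concatenated item list; a zero size word terminates it."""
    items, off = [], 0
    while off + 2 <= len(data):
        if struct.unpack_from("<H", data, off)[0] == 0:
            break
        fields, off = parse_shell_item(data, off)
        items.append(fields)
    return items


# Constructed sample: what an ItemPos value might hold after a user browsed a
# folder and a file on a removable volume. The FAT times are the objects' own
# timestamps as seen when the entry was written, not the time of browsing.
SAMPLE_LIST = (
    build_shell_item("DOCUME~1", "Documents", datetime(2012, 1, 20, 14, 31, 10),
                     datetime(2011, 12, 1, 9, 0, 0), datetime(2012, 1, 20, 14, 31, 10))
    + build_shell_item("BUDGET~1.XLS", "Budget 2012.xls", datetime(2012, 1, 19, 17, 5, 44),
                       datetime(2012, 1, 19, 17, 5, 44), datetime(2012, 1, 20, 14, 31, 10), is_dir=False)
    + b"\x00\x00")


def decode_sample():
    return parse_shell_item_list(SAMPLE_LIST)


if __name__ == "__main__":
    for entry in decode_sample():
        print(entry)
```

Two caveats worth keeping in mind when reading the output: the timestamps decoded from the items are the browsed folder's own modified/created/accessed times (local time, 2-second granularity), not the moment the user browsed it, so the LastWrite time of the Bags/BagMRU key that holds the value is what actually places the browsing on the timeline; and a version-7 or later extension block (Vista and up) shifts the long name past an MFT reference, which is why the decoder branches on the version field rather than assuming XP.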
How would you recommend to the OP to use these artifacts in pursuit of their stated goals?
How's that for weird timing?
I just finished watching the webinar on this forum that Jacky Fox did on USB registry artifacts; it's on the right-hand side of the screen if you want to watch it.
She does mention or allude to the possibility that there may be some artifacts to show the removal of a USB device, and she talks about a way to link a USB device via its serial number to .lnk files.
May be worth an email to get a copy of her dissertation or whitepapers she may have done.
May be worth an email to get a copy of her dissertation or whitepapers she may have done.
That's not at all necessary…the dissertation and code were linked at the school site when I first watched her interview…