USB Removal Date/Time

13 Posts
6 Users
0 Likes
1,313 Views
4n6art
(@4n6art)
Posts: 208
Reputable Member
Topic starter
 

Hi All

Happy New Year (dang - time flies, it's almost Jan end)

Is there a way to tell when a USB device (in this case a thumbdrive) was *removed* from a laptop? We have the date it was first inserted. User claims they inserted and removed it immediately. Is there a way to tell when it was removed OR how long it was plugged in for?

Also, just want to double check….
Unless data on the USB device is viewed or opened, we would not see any mention of those files on the suspect machine (assuming that data has never been viewed on that machine before) - is that correct? If a user were to view the thumbdrive in Explorer, R+Click the files and copy and paste them to a server drive, there would be no evidence of that being done. Are my assumptions correct?

I believe the OS is WinXP.

Thanks for any help.
-=Art=-

 
Posted : 25/01/2013 10:02 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Have you had a look in the Shellbags?

If it's a Windows 7 machine, the usrclass.dat file can contain information about folders which have been accessed, which could be useful.
Even if it is XP, the ntuser.dat shellbags may contain the stuff you need.

 
Posted : 25/01/2013 1:12 pm
(@randomaccess)
Posts: 385
Reputable Member
 

Have you put together a timeline of the activity on the system around the time the USB was inserted?
If you see usage after it was inserted, then it would be hard to say that it was removed immediately.

Other than that, I'm not sure. I wonder if Windows logs when the "safely remove" feature is used. Might be worth testing and seeing if you find anything noteworthy.

 
Posted : 25/01/2013 3:10 pm
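The timeline reasoning above, as an added example that is not code from anyone in this thread: take the first-insertion time recovered from the registry, collect every later artifact that references the device's drive letter, and treat the last one as a lower bound on how long the device stayed connected. The timeline rows, drive letter E:, serial and filenames are all constructed for illustration.

```python
# Added example: lower-bound the time a USB device stayed connected from artifacts
# that reference it after insertion. Absence of later activity is consistent with
# immediate removal but does not prove it; this only establishes a minimum.
from datetime import datetime

# Constructed sample timeline: (UTC timestamp, artifact source, description).
# Every value here is made up; nothing is taken from a real case.
TIMELINE = [
    ("2013-01-20 09:14:02", "USBSTOR",        "first insert of thumbdrive, serial ABC123"),
    ("2013-01-20 09:14:05", "MountedDevices", "\\DosDevices\\E: mapped to thumbdrive"),
    ("2013-01-20 09:21:40", "shellbags",      "folder E:\\reports opened in Explorer"),
    ("2013-01-20 09:33:17", "lnk",            "E:\\reports\\q4.xlsx opened"),
    ("2013-01-20 10:05:00", "prefetch",       "EXCEL.EXE last run"),
    ("2013-01-21 08:00:00", "shellbags",      "folder C:\\Users\\bob\\Desktop opened"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def device_activity(timeline, drive_letter: str, inserted_at: datetime):
    """Return (events after insertion that reference the drive, time of the last one or None)."""
    tag = drive_letter.upper().rstrip(":") + ":"
    hits = [
        (parse_ts(ts), src, desc)
        for ts, src, desc in timeline
        if tag in desc.upper() and parse_ts(ts) > inserted_at
    ]
    hits.sort()
    return hits, (hits[-1][0] if hits else None)


def minimum_connected_seconds(timeline, drive_letter: str, inserted_at: datetime) -> int:
    """Seconds from insertion to the last artifact referencing the drive.
    The device was necessarily still present at that moment, so this is a floor,
    not the removal time. Zero means no post-insertion activity was found."""
    _, last = device_activity(timeline, drive_letter, inserted_at)
    return int((last - inserted_at).total_seconds()) if last else 0


if __name__ == "__main__":
    inserted = parse_ts("2013-01-20 09:14:02")
    hits, _ = device_activity(TIMELINE, "E", inserted)
    for ts, src, desc in hits:
        print(f"{ts}  {src:<14} {desc}")
    print("minimum time connected (s):", minimum_connected_seconds(TIMELINE, "E", inserted))
```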
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Have you had a look in the Shellbags?

If it's a Windows 7 machine, the usrclass.dat file can contain information about folders which have been accessed, which could be useful.

How so?

 
Posted : 25/01/2013 6:00 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Unless data on the usb device is viewed or opened we would not see any mention of those files on the suspect machine (assuming that data has never been viewed on that machine before) - is that correct?

Reason through it…user connects a USB device to an XP system, opens Explorer and then drags files to it, without opening the files once they've been copied. Or, let's just say that the user right-clicks, and chooses "Send To…"…and again, does not open the files once they've been copied over to the device.

Given this, what artifacts would you *expect* to see, and where would you find said artifacts?

If a user were to view thumbdrive in Explorer, R+Click the files and copy and paste them to a server drive, there would be no evidence of that being done. Are my assumptions correct?

Again, same thought process…reason through it, and tell me/us what you would expect to see…

 
Posted : 25/01/2013 6:06 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Have you had a look in the Shellbags?

If it's a Windows 7 machine, the usrclass.dat file can contain information about folders which have been accessed, which could be useful.

How so?

http://www.williballenthin.com/forensics/shellbags/index.html

See section under "folderdata".

Did have a better link but can't find it now.

 
Posted : 25/01/2013 6:43 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

http://www.williballenthin.com/forensics/shellbags/index.html

See section under "folderdata".

Thanks, but that's really not what I was referring to. I'm very familiar with shellbags, as well as the tools that are commonly used to enumerate these artifacts. In fact, several of the commonly endorsed tools miss some (IMHO) important pieces of data.

It's also important to understand how shellbags are created on various versions of Windows. As such, what I was asking is, how would you recommend to the OP to use these artifacts in pursuit of their stated goals?

Thanks

 
Posted : 25/01/2013 10:10 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

How would you recommend to the OP to use these artifacts in pursuit of their stated goals?

 
Posted : 29/01/2013 10:02 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

How's that for weird timing?

I just finished watching the webinar on this forum that Jacky Fox did on USB registry artifacts, right hand side of the screen if you want to watch it.

She does mention or allude to the possibility that there may be some artifacts to show the removal of a USB device, and she talks about a way to link USB via serial number to .lnk files.

May be worth an email to get a copy of her dissertation or whitepapers she may have done.

 
Posted : 30/01/2013 11:30 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

May be worth an email to get a copy of her dissertation or whitepapers she may have done.

That's not at all necessary…the dissertation and code were linked at the school site when I first watched her interview…

 
Posted : 30/01/2013 6:19 pm