USB activity monitoring

Agent47
(@agent47)
Posts: 32
Eminent Member
Topic starter
 

Is there any method or tool which allows monitoring activity on USB? By activity I mean whether you can by any chance see if a file (pdf, jpeg, doc, etc.) on the USB was copied or opened.

 
Posted : 27/09/2017 7:59 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Is there any method or tool which allows monitoring activity on USB? By activity I mean whether you can by any chance see if a file (pdf, jpeg, doc, etc.) on the USB was copied or opened.

ShellBags! MFT! LNK! Memory Dumps! Hiberfil! Pagefile! So many options here…!

 
Posted : 27/09/2017 8:42 am
Mreza
(@mreza)
Posts: 84
Trusted Member
 

Is there any method or tool which allows monitoring activity on USB? By activity I mean whether you can by any chance see if a file (pdf, jpeg, doc, etc.) on the USB was copied or opened.

A few examples:

http://cyberforensicator.com/2017/09/10/the-hitchhikers-guide-to-usb-forensics/

https://youtu.be/HtQ6AxE_dT0

 
Posted : 27/09/2017 1:07 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

http://desowin.org/usbpcap/

 
Posted : 28/09/2017 11:01 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Is there any method or tool which allows monitoring activity on USB? By activity I mean whether you can by any chance see if a file (pdf, jpeg, doc, etc.) on the USB was copied or opened.

Just to clarify your question (which has already been read and thus answered differently), are you asking about:
1) "monitor" PAST activity (i.e. interpreting logs and artifacts created by default by a standard OS, which is what Bunnysniper and Mreza referenced)
2) "monitor" CURRENT activity (i.e. recording what goes through the USB bus, which is what AmNe5iA referenced)

jaclaz

 
Posted : 28/09/2017 12:48 pm
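
As an added illustration of the "PAST activity" route discussed above (not code from any poster or from the linked tools): a minimal Python parser for one artifact named in the thread, the Windows LNK shortcut, following the public MS-SHLLINK layout. It reads the target file's timestamps and the LinkInfo volume data (drive type, volume serial, label, path); `parse_lnk`, `build_sample` and all sample values are constructed for this example.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
DRIVE_TYPES = {0: "unknown", 1: "no_root_dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}

def filetime(ft):
    """FILETIME (100 ns ticks since 1601, UTC) -> datetime; 0 means unset."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None

def cstr(buf, off):
    """NUL-terminated ANSI string at offset off (cp1252 is an assumption)."""
    return buf[off:buf.index(b"\0", off)].decode("cp1252", "replace")

def parse_lnk(data):
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags, = struct.unpack_from("<I", data, 20)
    created, accessed, modified, size = struct.unpack_from("<QQQI", data, 28)
    out = {"target_created": filetime(created), "target_accessed": filetime(accessed),
           "target_modified": filetime(modified), "target_size": size}
    pos = 76
    if flags & 0x1:                      # HasLinkTargetIDList: skip the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x2:                      # HasLinkInfo
        li = data[pos:pos + struct.unpack_from("<I", data, pos)[0]]
        _, _, li_flags, vol_off, path_off = struct.unpack_from("<5I", li)
        if li_flags & 0x1:               # VolumeIDAndLocalBasePath
            _, dtype, serial, label_off = struct.unpack_from("<4I", li, vol_off)
            out["drive_type"] = DRIVE_TYPES.get(dtype, f"0x{dtype:x}")
            out["volume_serial"] = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
            # label_off == 0x14 marks a Unicode-only label, not decoded here
            out["volume_label"] = cstr(li, vol_off + label_off) if label_off != 0x14 else None
            out["local_path"] = cstr(li, path_off)
    return out

def build_sample():
    """Constructed sample: a link to E:\\report.pdf on a removable volume."""
    when = datetime(2017, 9, 27, 7, 59, tzinfo=timezone.utc)
    ft = int((when - EPOCH).total_seconds()) * 10_000_000
    header = struct.pack("<I16sII3QIIIHHII", 0x4C, LNK_CLSID, 0x2, 0x20,
                         ft, ft, ft, 4096, 0, 1, 0, 0, 0, 0)
    label, path = b"EVIDENCE\0", b"E:\\report.pdf\0"
    vol = struct.pack("<4I", 16 + len(label), 2, 0x1A2B3C4D, 16) + label
    body = vol + path + b"\0"            # empty CommonPathSuffix
    info = struct.pack("<7I", 28 + len(body), 28, 0x1, 28, 28 + len(vol),
                       0, 28 + len(vol) + len(path)) + body
    return header + info
```

A `drive_type` of `removable` together with the volume serial is what lets an examiner tie an opened file to a specific USB volume; the header timestamps describe the target file as recorded in the link, not the time the link itself was written.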
(@cmontiel05)
Posts: 3
New Member
 

Hello Agent47,

Unsure if you've already found your solution but can tell you that W4 by Vound can provide you the information you're requesting.

W4 has a nice feature called "Links". For example, you can see your document and all of the other artifacts linked to it such as usb drives, user accounts, etc.

Thanks

CM

 
Posted : 30/10/2019 4:22 pm