same usb at the same time !!


same usb at the same time !!

Post Posted: Wed May 23, 2018 3:22 am

Hello all ....
I'm working on a case ... when I attached the image to Autopsy I got this result for attached USBs ... kindly, I need an explanation for that !!!
 

qassam22222
Senior Member
 
 
  

Re: same usb at the same time !!

Post Posted: Wed May 23, 2018 6:50 am

- qassam22222
Hello all ....
I'm working on a case ... when I attached the image to Autopsy I got this result for attached USBs ... kindly, I need an explanation for that !!!


This happens a lot. Check the System event logs for a system update around the same date/time. Some of these will just globally stomp USBSTOR registry dates.

This doesn't mean you are totally out of luck; check the other registry dates/times as well as searching the event logs for the USB serials.

chad131
Senior Member
 
 
  

Re: same usb at the same time !!

Post Posted: Wed May 23, 2018 8:32 am

I would recommend generating a timeline or just parsing out the MFT record. This might give you some insight into what might have ticked these dates/times.

Depending on the OS there are lots of places you might be able to find additional attachment dates. Also, check to see if there are any VSC and hopefully the dates/times aren't also stepped on.

Best of luck!  

shakes6791
Newbie
 
 
  

Re: same usb at the same time !!

Post Posted: Wed May 23, 2018 11:31 am

This is yet another case of "know your tools"...where is that data being pulled from? If it's from the USBStor Registry keys in the System hive, that time stamp does NOT show when the USB devices were last connected.

Depending upon the version of Windows you're looking at, if you're interested in when the devices were last connected to the system, you might want to look in other locations in the Registry, or in the Windows Event Log.

HTH  

keydet89
Senior Member
 
 
  

Re: same usb at the same time !!

Post Posted: Wed May 23, 2018 11:51 am

qassam22222,

I would run multiple tools against the evidence and then compare the results:

Passmark's OSForensics (free 30 day trial)

Magnet Forensics' IEF (not sure if there is a free trial but I believe they would provide you with one)

Free to use USB tools:

www.woanware.co.uk/for...nsics.html

www.4discovery.com/our-tools/

www.nirsoft.net/utils/..._view.html  

UnallocatedClusters
Senior Member
 
 
  

Re: same usb at the same time !!

Post Posted: Wed May 23, 2018 1:32 pm

This is a common occurrence, particularly when the last write time of a registry subkey is the only data source used to identify an event (such as when a device was last connected). The key is to use multiple sources of data to corroborate, such as several locations within the registry hives, event log records, etc. Using multiple locations to corroborate your findings will help to increase your overall confidence in the reliability of your results as well as to identify locations that should not be relied upon in your examination.

In addition to the tools mentioned, I suggest you take a look at USB Detective - https://usbdetective.com, which was developed to help address issues like the one you're seeing. It leverages multiple sources of data for the reported timestamps and visually distinguishes timestamps that are consistent across multiple data sources from those that have inconsistencies.
_________________
df-stream.com | usbdetective.com 

ntexaminer
Member
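
The corroboration approach described in the replies above, as an added example that is not part of the original thread and not the code of any tool named in it: it flags a USBSTOR last-write time shared by several devices as bulk-updated, then checks whether the remaining sources for each device agree. The serials, source names, timestamps and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample data (not from the case in this thread). Serials and
# source names are placeholders for values already extracted from an image.
SAMPLE = {
    "SERIAL-A": {"usbstor_lastwrite": "2018-05-01 09:14:07",
                 "other_registry": "2018-03-12 16:40:22", "event_log": "2018-03-12 16:40:25"},
    "SERIAL-B": {"usbstor_lastwrite": "2018-05-01 09:14:07",
                 "other_registry": "2018-04-20 08:02:51", "event_log": "2018-04-20 08:02:49"},
    "SERIAL-C": {"usbstor_lastwrite": "2018-05-01 09:14:08",
                 "other_registry": "2018-02-02 11:30:00"},
    "SERIAL-D": {"usbstor_lastwrite": "2018-05-10 13:05:44",
                 "other_registry": "2018-05-10 13:05:45", "event_log": "2018-05-10 13:05:44"},
    "SERIAL-E": {"usbstor_lastwrite": "2018-05-15 10:00:00", "event_log": "2018-04-01 12:00:00"},
}

def bulk_updated(devices, source="usbstor_lastwrite", window=timedelta(seconds=5), min_devices=3):
    """Serials whose `source` time sits in a cluster shared by >= min_devices devices."""
    stamped = sorted((datetime.strptime(d[source], FMT), s)
                     for s, d in devices.items() if source in d)
    flagged, cluster = set(), []
    for ts, serial in stamped + [(datetime.max, None)]:   # sentinel flushes the last cluster
        if cluster and ts - cluster[0][0] > window:
            if len(cluster) >= min_devices:
                flagged.update(s for _, s in cluster)
            cluster = []
        cluster.append((ts, serial))
    return flagged

def assess(devices, tolerance=timedelta(seconds=60)):
    """Map serial -> (status, usbstor_discarded) using only sources still considered usable."""
    suspect = bulk_updated(devices)
    report = {}
    for serial, sources in devices.items():
        times = sorted(datetime.strptime(v, FMT) for name, v in sources.items()
                       if not (name == "usbstor_lastwrite" and serial in suspect))
        if len(times) < 2:
            status = "uncorroborated"      # one source left: report it, but do not rely on it
        elif times[-1] - times[0] <= tolerance:
            status = "consistent"
        else:
            status = "inconsistent"
        report[serial] = (status, serial in suspect)
    return report

if __name__ == "__main__":
    for serial, (status, discarded) in assess(SAMPLE).items():
        print(f"{serial}: {status}" + (" (shared USBSTOR time discarded)" if discarded else ""))
```
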
 
 
  

Re: same usb at the same time !!

Post Posted: Sun Jun 03, 2018 4:13 am

- ntexaminer
This is a common occurrence, particularly when the last write time of a registry subkey is the only data source used to identify an event (such as when a device was last connected). The key is to use multiple sources of data to corroborate, such as several locations within the registry hives, event log records, etc. Using multiple locations to corroborate your findings will help to increase your overall confidence in the reliability of your results as well as to identify locations that should not be relied upon in your examination.

In addition to the tools mentioned, I suggest you take a look at USB Detective - https://usbdetective.com, which was developed to help address issues like the one you're seeing. It leverages multiple sources of data for the reported timestamps and visually distinguishes timestamps that are consistent across multiple data sources from those that have inconsistencies.

I converted the image to VirtualBox, then I installed USB Detective, but I think I still have the same issue. I can't understand what's happening here :( take a look
 

qassam22222
Senior Member
 
 
