same usb at the same time !!

17 Posts
7 Users
0 Likes
2,775 Views
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

Hello all…
I'm working on a case… when I attached the image to Autopsy I got this result for the attached USBs… kindly, I need an explanation for that!!!

 
Posted : 23/05/2018 9:22 am
(@chad131)
Posts: 63
Trusted Member
 

Hello all…
I'm working on a case… when I attached the image to Autopsy I got this result for the attached USBs… kindly, I need an explanation for that!!!

This happens a lot. Check the System event logs for a system update around the same date/time. Some of these will just globally stomp USBSTOR registry dates.

This doesn't mean you are totally out of luck; check the other registry dates/times as well as searching the event logs for the USB serials.

 
Posted : 23/05/2018 12:50 pm
(@shakes6791)
Posts: 4
New Member
 

I would recommend generating a timeline or just parsing out the MFT record. This might give you some insight into what might have ticked these dates/times.

Depending on the OS there are lots of places you might be able to find additional attachment dates. Also, check to see if there are any VSCs and hopefully the dates/times aren't also stepped on.

Best of luck!

 
Posted : 23/05/2018 2:32 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

This is yet another case of "know your tools"…where is that data being pulled from? If it's from the USBStor Registry keys in the System hive, that time stamp does NOT show when the USB devices were last connected.

Depending upon the version of Windows you're looking at, if you're interested in when the devices were last connected to the system, you might want to look in other locations in the Registry, or in the Windows Event Log.

HTH

 
Posted : 23/05/2018 5:31 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

qassam22222,

I would run multiple tools against the evidence and then compare the results.

Passmark's OSForensics (free 30-day trial)

Magnet Forensics' IEF (not sure if there is a free trial, but I believe they would provide you with one)

Free-to-use USB tools:

http://www.woanware.co.uk/forensics/usbdeviceforensics.html

http://www.4discovery.com/our-tools/

http://www.nirsoft.net/utils/usb_devices_view.html

 
Posted : 23/05/2018 5:51 pm
ntexaminer
(@ntexaminer)
Posts: 49
Eminent Member
 

This is a common occurrence, particularly when the last write time of a registry subkey is the only data source used to identify an event (such as when a device was last connected). The key is to use multiple sources of data to corroborate, such as several locations within the registry hives, event log records, etc. Using multiple locations to corroborate your findings will help to increase your overall confidence in the reliability of your results as well as to identify locations that should not be relied upon in your examination.

In addition to the tools mentioned, I suggest you take a look at USB Detective (https://usbdetective.com), which was developed to help address issues like the one you're seeing. It leverages multiple sources of data for the reported timestamps and visually distinguishes timestamps that are consistent across multiple data sources from those that have inconsistencies.

 
Posted : 23/05/2018 7:32 pm
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

This is a common occurrence, particularly when the last write time of a registry subkey is the only data source used to identify an event (such as when a device was last connected). The key is to use multiple sources of data to corroborate, such as several locations within the registry hives, event log records, etc. Using multiple locations to corroborate your findings will help to increase your overall confidence in the reliability of your results as well as to identify locations that should not be relied upon in your examination.

In addition to the tools mentioned, I suggest you take a look at USB Detective (https://usbdetective.com), which was developed to help address issues like the one you're seeing. It leverages multiple sources of data for the reported timestamps and visually distinguishes timestamps that are consistent across multiple data sources from those that have inconsistencies.

I converted the image to VirtualBox, then I installed USB Detective, but I think I still have the same issue. I can't understand what's happening here (take a look).

 
Posted : 03/06/2018 10:13 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

… then I installed USB Detective, but I think I still have the same issue. I can't understand what's happening here (take a look).

Yes, the issue remains: that timestamp has been (clearly) altered by *something*. The point of the above suggestions was to use SEVERAL different tools (not "just another one", or "the last one" suggested) and COMPARE the results of ALL the tools suggested (+ possibly a few more; even "minor" ones may shed a light).
Like:
https://sourceforge.net/projects/smallusbhistory/
http://www.softpedia.com/get/Windows-Widgets/System-Utilities/USB-History-GUI.shtml

Here you can find yet another tool, and a very clear explanation, listing some of the "less commonly checked" timestamp sources:
https://tzworks.net/prototype_page.php?proto_id=13

By comparing the results of various tools and, as already suggested, making a full timeline, you may (or may not, or only partially) answer these three questions:
1) When was the actual device actually connected for the last time?
2) What (event/tool/command) actually did the "common" timestamping?
3) When did the "common" timestamping occur?

As an example (and as an example only), the USB Historian
http://www.4discovery.com/our-tools/
also checks the MountPoints2 date (which may or may not help).

jaclaz

 
Posted : 03/06/2018 11:20 am
ntexaminer
(@ntexaminer)
Posts: 49
Eminent Member
 

Thanks for posting your screenshot to illustrate. For the timestamps that are the same, what is the source? You can find this by hovering over the value or double-clicking the cell for the verbose output.

USB Detective evaluates numerous locations for each data point displayed in the results grid. For example, it queries the Enum\USB hierarchy, MountPoints2, USBSTOR Properties, WPDBUSENUM Properties, multiple event logs (if provided), and more in an attempt to find the last connected time of a device. It will then color the timestamp's cell in the results grid based on the consistency or lack thereof across the queried data points and allow you to see the source from which each identified value was located. Your screenshot indicates that, for the last connected cells with no highlighting, only one data source was available. Since many/most of the timestamps are the same, it also tells you that it's probably an unreliable data source.

If the OS is Windows 7 or later, event logs may be very helpful to fill in the gaps here, as Harlan mentioned earlier.

 
Posted : 03/06/2018 7:13 pm
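As an added illustration of the corroboration approach jaclaz and ntexaminer describe (example code written for this thread, not code from USB Detective, USB Historian or any other tool named here; the serials, source names and timestamps are constructed), the script below treats a timestamp shared verbatim by many devices in one source as a likely global stomp and grades each device's "last connected" value by how many independent sources agree on it:

```python
"""Cross-source corroboration of USB "last connected" timestamps (added
example, not code from USB Detective or any tool in the thread). A value
shared verbatim by many devices in one source is treated as a global stomp,
not a connection time; a value is trusted only when sources agree on it."""
from collections import Counter
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"
# Constructed sample: serial -> {source: timestamp}. Three devices carry the
# same USBSTOR last-write time (the original poster's pattern); only one of
# them is also backed by MountPoints2 and a DriverFrameworks 2003 event.
SAMPLE = {
    "4C530001230507": {"USBSTOR_lastwrite": "2018-03-20 08:12:31",
                       "MountPoints2": "2018-02-07 14:03:10",
                       "DriverFrameworks_2003": "2018-02-07 14:03:09"},
    "0701A4D2E9F1": {"USBSTOR_lastwrite": "2018-03-20 08:12:31"},
    "AA04012700007490": {"USBSTOR_lastwrite": "2018-03-20 08:12:31"},
    "5B7C110053": {"USBSTOR_lastwrite": "2017-11-02 09:40:05",
                   "MountPoints2": "2017-11-02 09:40:05"},
    "E3F1000C": {"MountPoints2": "2018-01-15 17:22:40"},
}

def suspect_common_timestamps(devices, min_devices=3):
    """(source, value) pairs that repeat across >= min_devices devices."""
    seen = Counter((src, ts) for s in devices.values() for src, ts in s.items())
    return {k for k, n in seen.items() if n >= min_devices}

def assess(devices, tolerance_s=5, min_devices=3):
    """Per serial: (status, best_timestamp, agreeing_sources). 'corroborated'
    needs >= 2 sources within tolerance_s seconds once suspect common values
    are dropped; 'single-source' has one survivor; 'unreliable' has none."""
    suspect = suspect_common_timestamps(devices, min_devices)
    result = {}
    for serial, sources in devices.items():
        cands = sorted((datetime.strptime(ts, FMT), src)
                       for src, ts in sources.items() if (src, ts) not in suspect)
        if not cands:
            result[serial] = ("unreliable", None, [])
            continue
        # Largest cluster of sources agreeing within tolerance; earliest on ties.
        agreeing, when = min(
            (([s for t, s in cands if abs((t - base).total_seconds()) <= tolerance_s], base)
             for base, _ in cands), key=lambda c: (-len(c[0]), c[1]))
        status = "corroborated" if len(agreeing) >= 2 else "single-source"
        result[serial] = (status, when.strftime(FMT), agreeing)
    return result

if __name__ == "__main__":
    for serial, (status, when, srcs) in assess(SAMPLE).items():
        print(f"{serial:18} {status:14} {when}  {', '.join(srcs)}")
```

In the sample, the three devices that share the USBSTOR time come out "unreliable" unless another source backs them, which is exactly the situation an examiner should refuse to report as a connection time.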
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

Hey all…. maybe I'm getting close to solving this issue, maybe not. These are the final results for my case….

At first, what I care about is that date, 20/03/2018!! Why that date? Because the guy who uses this computer was in jail at that time!! And other examiners have begun to blame others.

So I start from the Autopsy report, which shows…

When I read about the RegBack dir I found this…

Following on from timestamps and how I said they shouldn't be trusted, I am now going to talk about…. timestamps! The RegBack folder holds a backup copy of the Registry Hives and is located at %system32%\config\regback

Source: https://hatsoffsecurity.com/2014/05/29/regback-folder-update-times/

When I look inside the image via FTK I discover that the RegBack file was created on the same date.

Then I decided to look inside the event log, because the guy in the above link I mentioned said changes in the timestamps are related to Windows updates or maintenance!!

But the update failed!! Here I started to feel confused!!

Then I started to look for "connected USB events" in:

Connection Event IDs

When a USB removable storage device is connected to a Windows 7 system, a number of event records should be generated in the Microsoft-Windows-DriverFrameworks-UserMode/Operational event log. The records include those with Event ID 2003, 2004, 2005, 2010, 2100, 2105, and more.

Source: https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/

The last date that shows the user inserted a USB is 2/7/2018; nothing was found on 20/03/2018.

Then I started to use other tools to check plugged-in USBs.

So smallusbhistory and USB-History-GUI said nothing was plugged into the computer on that date, and so did the event logs…. Should I trust them, and is this sufficient evidence to face the judge in court to prove that there was no USB attached to that computer at that time??

And are there any steps that are not right in what I mentioned above? If there are, please correct me.

 
Posted : 04/06/2018 10:17 am