±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36595
New Yesterday: 4 Visitors: 107

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

last access of USB

Discussion of forensic workstations, write blockers, bridges, adapters, disk duplicators, storage etc. Strictly no advertising of commercial products, please.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

rohitdharan
Member
 

last access of USB

Post Posted: Jan 12, 20 16:23

Hello everyone.
IF I have pendrive, now i wan to find when my Pen drive was last accessed or when my pen drive was opened?  
 
  

Bunnysniper
Senior Member
 

Re: last access of USB

Post Posted: Jan 13, 20 11:41

- rohitdharan
Hello everyone.
IF I have pendrive, now i wan to find when my Pen drive was last accessed or when my pen drive was opened?

Access: last time stamps on files on the drive itself and/or MFT if u have it in NTFS
Opened: Check shellbags and LNK files
Inserted: setupapi.log and various registry keys. Some of them are referenced here
docs.microsoft.com/en-...y-settings

I think Inserted is what you are after, or?

regards, Robin
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 
 
  

UnallocatedClusters
Senior Member
 

Re: last access of USB

Post Posted: Jan 13, 20 16:50

First make a physical image (E01) of the USB drive using a hardware or software writeblocker.

Then open the resulting forensic image using your forensic tool of choice.

Look for $S files which are temporary system files created when a Microsoft Office type file is opened on a USB drive.

One can conclude that a person accessed file(s) on the USB drive based upon the creation dates of the $S system files.  
 
  

UnallocatedClusters
Senior Member
 

Re: last access of USB

Post Posted: Jan 13, 20 16:53

First make a physical image (E01) of the USB drive using a hardware or software writeblocker.

Then open the resulting forensic image using your forensic tool of choice.

Look for $S files which are temporary system files created when a Microsoft Office type file is opened on a USB drive.

One can conclude that a person accessed file(s) on the USB drive based upon the creation dates of the $S system files.  
 

Page 1 of 1