last access of USB

(@rohitdharan)
Posts: 17
Active Member
Topic starter
 

Hello everyone.
I have a pen drive. Now I want to find out when my pen drive was last accessed or when my pen drive was opened.

 
Posted : 12/01/2020 4:23 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Hello everyone.
I have a pen drive. Now I want to find out when my pen drive was last accessed or when my pen drive was opened.

Access: last time stamps on files on the drive itself and/or the MFT if you have it in NTFS.
Opened: check shellbags and LNK files.
Inserted: setupapi.log and various registry keys. Some of them are referenced here:
https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings

I think Inserted is what you are after, or?

regards, Robin

 
Posted : 13/01/2020 11:41 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

First make a physical image (E01) of the USB drive using a hardware or software writeblocker.

Then open the resulting forensic image using your forensic tool of choice.

Look for $S files which are temporary system files created when a Microsoft Office type file is opened on a USB drive.

One can conclude that a person accessed file(s) on the USB drive based upon the creation dates of the $S system files.

 
Posted : 13/01/2020 4:50 pm
(@donniliem)
Posts: 1
New Member
 

Hi...it depends on what you want to know about the access. I tried the below method.

 

  • If the file was copied to a USB drive AND the file was opened from that location there would be a link (.lnk) file to that removable media. You can see the list of files from the name of the LNK file, but inside the LNK file you can find the file location. Using the OSForensics File Name Search function you can quickly find all the LNK files, then open them with the internal viewer to decode the content (which gives the drive letter and folder name of the file being opened).

 

 
Posted : 04/06/2020 4:29 pm
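
Added example, not part of the original posts and not OSForensics code: a small Python parser that reads what the replies above look for inside a LNK file, namely the target's timestamps from the Shell Link header and the drive type, volume serial, label and path from the LinkInfo block. The sample link is constructed inline (the file name, label and serial are made up), and the parser assumes ANSI strings in LinkInfo.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
CLSID = bytes.fromhex("0114020000000000c000000000000046")  # Shell Link class ID
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}

def filetime(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> datetime, None if zero."""
    return EPOCH + timedelta(microseconds=ticks // 10) if ticks else None

def cstr(buf, off):
    """NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\0", off)].decode("cp1252", "replace")

def parse_lnk(data):
    size, clsid, flags, _attr, ctime, atime, wtime = struct.unpack_from("<I16sII3Q", data)
    if size != 0x4C or clsid != CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    out = {"target_created": filetime(ctime), "target_accessed": filetime(atime),
           "target_modified": filetime(wtime)}
    pos = 0x4C
    if flags & 0x1:  # HasLinkTargetIDList: skip the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x2:  # HasLinkInfo
        info = data[pos:pos + struct.unpack_from("<I", data, pos)[0]]
        _size, _hdr, info_flags, vol_off, path_off = struct.unpack_from("<5I", info)
        if info_flags & 0x1:  # VolumeIDAndLocalBasePath
            _vsize, dtype, serial, label_off = struct.unpack_from("<4I", info, vol_off)
            out.update(drive_type=DRIVE_TYPES.get(dtype, "unknown"),
                       volume_serial=f"{serial:08X}", local_path=cstr(info, path_off),
                       # 0x14 means a Unicode label, which is not decoded here
                       volume_label=None if label_off == 0x14 else cstr(info, vol_off + label_off))
    return out

def build_sample():
    """Constructed minimal .lnk (header + LinkInfo only) pointing at a removable volume."""
    ft = int((datetime(2020, 1, 12, 16, 23, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10**7
    header = struct.pack("<I16sII3QIIIHHII", 0x4C, CLSID, 0x2, 0x20, ft, ft, ft, 1024, 0, 1, 0, 0, 0, 0)
    label, path = b"USBSTICK\0", b"E:\\docs\\report.docx\0"
    vol = struct.pack("<4I", 16 + len(label), 2, 0x1A2B3C4D, 16) + label
    body = vol + path + b"\0"  # trailing NUL = empty CommonPathSuffix
    info = struct.pack("<7I", 28 + len(body), 28, 0x1, 28, 28 + len(vol), 0,
                       28 + len(vol) + len(path)) + body
    return header + info

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample()).items():
        print(f"{key}: {value}")
```

The header timestamps describe the target file as recorded when the link was written; the LNK file's own creation and modification times on the host system are separate evidence and come from the file system, not from this parser.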
(@filatik)
Posts: 4
New Member
 
Posted by: @donniliem

Hi...it depends on what you want to know about the access. I tried the below method.

 

  • If the file was copied to a USB drive AND the file was opened from that location there would be a link (.lnk) file to that removable media. You can see the list of files from the name of the LNK file, but inside the LNK file you can find the file location. Using the OSForensics File Name Search function you can quickly find all the LNK files, then open them with the internal viewer to decode the content (which gives the drive letter and folder name of the file being opened).

 

How long does this procedure take?

 
Posted : 25/11/2020 12:21 pm