Determining how long an external USB drive is connected

 
  

mekaniq
Newbie
 

Determining how long an external USB drive is connected

Post Posted: Sep 27, 10 20:49

I need to determine how long an external USB hard drive was connected to a Windows 7 OS computer. Any ideas about where to look, i.e. registry, event viewer and/or any other logs?
 
  

dave.hull
Member
 

Re: Determining how long an external USB drive is connected

Post Posted: Sep 28, 10 23:53

I don't believe you'll be able to get that information, unless there are some artifacts that we don't know about yet. You can often determine the first time a USB device was connected by looking in the setupapi.log or setupapi.dev.log on Windows 7. This file should contain references to the device being installed the first time.

For subsequent installations and use of the device, you'll need to consult the Registry including the specific user's Registry profile. Check out

blogs.sans.org/compute..._guide.pdf
blogs.sans.org/compute...-Guide.pdf

for additional details on where to find USB artifacts.

Also, Harlan Carvey's Windows Forensic Analysis 2nd Edition has some great information on this type of investigation.

Again as far as I know, you can't determine how long a device was plugged in. You can determine when it was first plugged in and subsequent times after that, but to my knowledge, no artifact exists that will tell you when the device was removed.
_________________
Dave Hull
trustedsignal.blogspot.com/
blogs.sans.org/computer-forensics 
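
The first-install lookup in setupapi.dev.log described in the post above, as an added example that is not part of the original thread. The log excerpt is constructed, and the function name `first_install_times` is an assumption; it reports only when each USBSTOR device was first installed, not when it was removed.

```python
import re
from datetime import datetime

# Constructed sample in the setupapi.dev.log layout (not from a real system).
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_WD&Prod_Elements&Rev_1.0\\575845AAAA0001&0]
>>>  Section start 2010/09/27 20:31:12.104
     dvi: Searching for hardware ID(s):
<<<  Section end 2010/09/27 20:31:14.880
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\\VID_046D&PID_C05A\\5&1a2b3c&0&2]
>>>  Section start 2010/09/28 08:02:40.001
<<<  Section end 2010/09/28 08:02:41.500
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_WD&Prod_Elements&Rev_1.0\\575845AAAA0001&0]
>>>  Section start 2010/09/29 09:15:00.250
<<<  Section end 2010/09/29 09:15:01.000
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(.*?\) - (.+)\]\s*$")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})")

def first_install_times(log_text, prefix="USBSTOR\\"):
    """Map each device instance ID starting with prefix to its earliest
    'Section start' time. The log records the machine's local time."""
    first = {}
    device = None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:
            device = header.group(1)
            continue
        start = START.match(line)
        if start and device:
            ts = datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S.%f")
            if device.upper().startswith(prefix.upper()):
                if device not in first or ts < first[device]:
                    first[device] = ts
            device = None  # one timestamp per install section
    return first

if __name__ == "__main__":
    for dev, ts in first_install_times(SAMPLE_LOG).items():
        print(ts.isoformat(sep=" "), dev)
```
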
 
  

Bgaines
Member
 

Re: Determining how long an external USB drive is connected

Post Posted: Sep 29, 10 00:11

I agree with Dave.hull; I don't know of any way to determine how long it has been plugged in. All you can do is attempt to extrapolate based on other evidence.
 
  

mekaniq
Newbie
 

Re: Determining how long an external USB drive is connected

Post Posted: Sep 29, 10 16:04

Thank you very much; I'll try with this information and post results...

Cheers!  
 
  

ehuber
Senior Member
 

Re: Determining how long an external USB drive is connected

Post Posted: Sep 29, 10 19:48

I posted indirectly about this on the SANS Forensic Blog. One of the things that occurred to me when I was reviewing a timeline for a recent case was that the last accessed times of sound files on a system might be a way to determine when a USB device started and stopped interacting with a computer.  
 
  

Cults14
Senior Member
 

Re: Determining how long an external USB drive is connected

Post Posted: Sep 30, 10 16:15

ehuber - neat trick!!

mekaniq - not done any W7 systems; on XP Pro I've got as much info about files accessed on external drives as I could (LinkAlyzer, Windows Forensic Analysis, Windows File Analyzer, NetAnalysis, HsTex), got info from Registry about external media (RegRipper, Registry Viewer et al) and then matched files to devices where possible using timeline.

You can mebbe get Last Time Connected following Rob Lee's very helpful guide blogs.sans.org/compute...-Guide.pdf

HTH  
 
  

pbobby
Senior Member
 

Re: Determining how long an external USB drive is connected

Post Posted: Oct 01, 10 07:22

The simplest test is to try for yourself.

Run a snapshot tool before and after plugging in/disconnecting an external USB device.
_________________
Don't get baited. 
 
