"Last time Connected" USB


isth
Senior Member
 

"Last time Connected" USB

Post Posted: Sep 08, 11 22:35

Howdy,

Quick question regarding the SANS article here & corresponding Examination Guides: computer-forensics.san...-analysis/

Does the "Last Time Device Connected" mean the last time the device was inserted or the last time it was removed? Is the key updated upon insertion and again upon removal or only one?

Thanks in advance!  
 
  

keydet89
Senior Member
 

Re: "Last time Connected" USB

Post Posted: Sep 08, 11 23:45

- isth

Does the "Last Time Device Connected" mean the last time the device was inserted or the last time it was removed? Is the key updated upon insertion and again upon removal or only one?


One would think that "connected" would refer to when the device was connected to the system, not when removed.

However, this is relatively easy to test. Connect a device to your system, wait about 1/2 hr, remove it, then extract and parse the relevant hives.  
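The comparison step of the test suggested above, as an added sketch that is not part of the original post: it reads the LastWrite timestamp from a Registry key node (`nk`) cell and checks whether it falls at the noted insertion time or the noted removal time. The cell bytes, key name, times and tolerance are all constructed for illustration; in a real test the cell would come from the extracted hive.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_nk_cell(cell):
    """Return (key name, LastWrite as UTC datetime) from one hive cell."""
    size, sig, flags, last_write = struct.unpack_from("<i2sHQ", cell, 0)
    if sig != b"nk":
        raise ValueError("not a key node (nk) cell")
    if size >= 0:
        raise ValueError("cell is unallocated; timestamp may be stale")
    (name_len,) = struct.unpack_from("<H", cell, 0x4C)
    raw = cell[0x50:0x50 + name_len]
    # Flag 0x0020 marks a compressed (single-byte) key name.
    name = raw.decode("latin-1" if flags & 0x0020 else "utf-16-le")
    return name, filetime_to_utc(last_write)

def classify(last_write, inserted, removed, tol=timedelta(minutes=2)):
    """Say which noted event the LastWrite time lines up with."""
    if abs(last_write - inserted) <= tol:
        return "insertion"
    if abs(last_write - removed) <= tol:
        return "removal"
    return "neither"

def build_sample_cell(name, last_write):
    """Constructed nk cell holding only the fields parsed above."""
    raw = name.encode("ascii")
    cell = bytearray(0x50)
    struct.pack_into("<i2sHQ", cell, 0, -(0x50 + len(raw)), b"nk",
                     0x0020, utc_to_filetime(last_write))
    struct.pack_into("<H", cell, 0x4C, len(raw))
    return bytes(cell) + raw

# Constructed test timeline: device inserted, removed about 1/2 hr later.
INSERTED = datetime(2011, 9, 8, 14, 0, 0, tzinfo=timezone.utc)
REMOVED = INSERTED + timedelta(minutes=30)
SAMPLE_CELL = build_sample_cell("CONSTRUCTED_DEVICE_KEY",
                                INSERTED + timedelta(seconds=2))

if __name__ == "__main__":
    key, lw = parse_nk_cell(SAMPLE_CELL)
    print(key, lw.isoformat(), "->", classify(lw, INSERTED, REMOVED))
```

The 30-minute gap in the test is what makes the result unambiguous: with the two events that far apart, a LastWrite time can only match one of them.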
 
  

isth
Senior Member
 

Re: "Last time Connected" USB

Post Posted: Sep 09, 11 01:43

I was hoping someone knew the answer but I just ran this test and that is indeed the case - it's when it was last inserted.

Thanks!  
 
  

keydet89
Senior Member
 

Re: "Last time Connected" USB

Post Posted: Sep 09, 11 05:11

- isth
I was hoping someone knew the answer...


Someone did, hence the name "last time connected". Had it been otherwise, they would have called it "last time removed".  
 
  

isth
Senior Member
 

Re: "Last time Connected" USB

Post Posted: Sep 09, 11 06:25

Err... I was asking for confirmation because the verbiage could really go either way. Technically it's still connected until it's removed which is why I asked.

In any event, I thank you for the constructive input. I appreciate that there was no sarcasm or attempted belittlement just pure helpful info!  
 
  

keydet89
Senior Member
 

Re: "Last time Connected" USB

Post Posted: Sep 09, 11 17:10

I'm not trying to be sarcastic, nor to belittle anyone. Back in 2005 when Cory and I published our research on this exact topic, we were pretty careful about how we worded things. We did so in order to avoid ambiguity. This same attention to terminology was carried on by Rob Lee when he made his findings (based on additional testing) available through his SANS courses. In fact, he got even more specific, as there are some Registry keys whose LastWrite time indicates the last time the device was connected during the most recent boot session (i.e., time that the system was actually running).

You said, "Technically it's still connected until it's removed...", which is exactly the point.

To be honest, I'm still absolutely at a loss to understand how "Last Time Device Connected" could be misconstrued, but I'm glad it's been cleared up and addressed for you.  
 
  

keydet89
Senior Member
 

Re: "Last time Connected" USB

Post Posted: Sep 09, 11 17:12

One other thing that I wanted to add...in addition to writing books, I also give seminars and teach courses. As such, this has been a very interesting thread, in that it has allowed me a different view into how some things are interpreted by the receiver.

Thank you.  
 
