"Last time Connected" USB

13 Posts
6 Users
0 Likes
465 Views
 isth
(@isth)
Posts: 65
Trusted Member
Topic starter
 

Howdy,

Quick question regarding the SANS article here & corresponding Examination Guides: http://computer-forensics.sans.org/blog/2009/09/09/usb-key-analysis-vs-usb-drive-enclosure-analysis/

Does the "Last Time Device Connected" mean the last time the device was inserted or the last time it was removed? Is the key updated upon insertion and again upon removal or only one?

Thanks in advance!

 
Posted : 08/09/2011 10:35 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Does the "Last Time Device Connected" mean the last time the device was inserted or the last time it was removed? Is the key updated upon insertion and again upon removal or only one?

One would think that "connected" would refer to when the device was connected to the system, not when removed.

However, this is relatively easy to test. Connect a device to your system, wait about 1/2 hr, remove it, then extract and parse the relevant hives.

 
Posted : 08/09/2011 11:45 pm
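The test described above (connect a device, wait, remove it, then check the relevant key's LastWrite time) can be scripted. The following is an added example, not code from either poster or from the SANS material: it reads the LastWrite timestamps of the USBSTOR device subkeys from the live registry with the standard-library `winreg` module instead of parsing an extracted hive, converts the FILETIME values to UTC, and reports whether each timestamp lines up with the insertion or the removal time you recorded. The key path `SYSTEM\CurrentControlSet\Enum\USBSTOR` is assumed here to be the key of interest; the tolerance window, the function names and the sample timestamps are my own.

```python
import sys
from datetime import datetime, timedelta, timezone

# Assumed key of interest for this test (not named in the thread itself).
USBSTOR_PATH = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Windows FILETIME epoch: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a registry LastWrite FILETIME (int, 100 ns ticks) to aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def classify_lastwrite(last_write, inserted_at, removed_at, tolerance=timedelta(minutes=2)):
    """Decide which event the key's LastWrite time matches.

    Returns 'insertion', 'removal' or 'neither'. The tolerance absorbs clock
    drift and the few seconds between plugging the device in and the PnP
    enumeration that actually writes the key. With the half-hour gap the test
    uses, the two candidates cannot both fall inside the window.
    """
    if abs(last_write - inserted_at) <= tolerance:
        return "insertion"
    if abs(last_write - removed_at) <= tolerance:
        return "removal"
    return "neither"


def read_usbstor_lastwrites():
    """Enumerate USBSTOR\\<device class>\\<serial> keys and return their LastWrite times.

    Live-registry read, Windows only. The per-device-instance subkey (second
    level) is the one whose LastWrite time is compared against the test events.
    """
    import winreg  # imported here so the rest of the module works off Windows

    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR_PATH) as usbstor:
        n_classes = winreg.QueryInfoKey(usbstor)[0]
        for i in range(n_classes):
            dev_class = winreg.EnumKey(usbstor, i)
            with winreg.OpenKey(usbstor, dev_class) as class_key:
                n_instances = winreg.QueryInfoKey(class_key)[0]
                for j in range(n_instances):
                    instance = winreg.EnumKey(class_key, j)
                    with winreg.OpenKey(class_key, instance) as inst_key:
                        # QueryInfoKey -> (subkeys, values, last_modified FILETIME)
                        last_write = winreg.QueryInfoKey(inst_key)[2]
                        records.append((dev_class, instance, filetime_to_datetime(last_write)))
    return records


def report(records, inserted_at, removed_at):
    """Build one result line per device instance; returned rather than printed so it can be checked."""
    lines = []
    for dev_class, instance, last_write in records:
        verdict = classify_lastwrite(last_write, inserted_at, removed_at)
        lines.append(f"{dev_class}\\{instance}  LastWrite={last_write.isoformat()}  -> {verdict}")
    return lines


if __name__ == "__main__":
    # Usage (Windows): python usbstor_lastwrite.py 2011-09-08T22:00:00 2011-09-08T22:30:00
    # Times are the insertion and removal moments you noted, in UTC.
    inserted = datetime.fromisoformat(sys.argv[1]).replace(tzinfo=timezone.utc)
    removed = datetime.fromisoformat(sys.argv[2]).replace(tzinfo=timezone.utc)
    for line in report(read_usbstor_lastwrites(), inserted, removed):
        print(line)
```

Run it on the machine you plugged the test device into, passing the two times you wrote down; the device whose LastWrite time falls within the tolerance of the first argument is reporting insertion, which is what the thread's own test found. On a system that has been through several boot sessions the other device entries will mostly come out as "neither", since their keys were last written on earlier occasions.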
 isth
(@isth)
Posts: 65
Trusted Member
Topic starter
 

I was hoping someone knew the answer but I just ran this test and that is indeed the case - it's when it was last inserted.

Thanks!

 
Posted : 09/09/2011 1:43 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I was hoping someone knew the answer…

Someone did, hence the name "last time connected". Had it been otherwise, they would have called it "last time removed".

 
Posted : 09/09/2011 5:11 am
 isth
(@isth)
Posts: 65
Trusted Member
Topic starter
 

Err… I was asking for confirmation because the verbiage could really go either way. Technically it's still connected until it's removed, which is why I asked.

In any event, I thank you for the constructive input. I appreciate that there was no sarcasm or attempted belittlement, just pure helpful info!

 
Posted : 09/09/2011 6:25 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I'm not trying to be sarcastic, nor to belittle anyone. Back in 2005 when Cory and I published our research on this exact topic, we were pretty careful about how we worded things. We did so in order to avoid ambiguity. This same attention to terminology was carried on by Rob Lee when he made his findings (based on additional testing) available through his SANS courses. In fact, he got even more specific, as there are some Registry keys whose LastWrite time indicates the last time the device was connected during the most recent boot session (i.e., time that the system was actually running).

You said, "Technically it's still connected until it's removed…", which is exactly the point.

To be honest, I'm still absolutely at a loss to understand how "Last Time Device Connected" could be misconstrued, but I'm glad it's been cleared up and addressed for you.

 
Posted : 09/09/2011 5:10 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

One other thing that I wanted to add…in addition to writing books, I also give seminars and teach courses. As such, this has been a very interesting thread, in that it has allowed me a different view into how some things are interpreted by the receiver.

Thank you.

 
Posted : 09/09/2011 5:12 pm
(@rich2005)
Posts: 535
Honorable Member
 

Heh, if nothing else it's an interesting language debate, with "connected" being both the act of joining the device with the system and also the description of the state of the device whilst joined with the system 😉

 
Posted : 09/09/2011 5:58 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

I think it is good that we as practitioners internalize these conversations for clarity, because I can't tell you how many times clients, particularly attorneys, will say things such as "Could this also mean…", "But 'what if'…", and it is important to be precise in our explanations.

 
Posted : 09/09/2011 6:35 pm
harryparsonage
(@harryparsonage)
Posts: 184
Estimable Member
 

The OP is absolutely right: the phrase "last time connected" is ambiguous. In English this could mean the last time it was inserted into a computer or the latest time it was in connection with the computer before being unplugged.

H

 
Posted : 09/09/2011 7:16 pm