
last access of USB  

rohitdharan
(@rohitdharan)
New Member

Hello everyone.
If I have a pen drive, now I want to find when my pen drive was last accessed or when my pen drive was opened?

Posted : 12/01/2020 4:23 pm
Bunnysniper
(@bunnysniper)
Active Member

Access: last time stamps on files on the drive itself and/or MFT if you have it in NTFS
Opened: check shellbags and LNK files
Inserted: setupapi.log and various registry keys. Some of them are referenced here:
https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings

I think Inserted is what you are after, or?

regards, Robin

Posted : 13/01/2020 11:41 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

First make a physical image (E01) of the USB drive using a hardware or software write blocker.

Then open the resulting forensic image using your forensic tool of choice.

Look for $S files which are temporary system files created when a Microsoft Office type file is opened on a USB drive.

One can conclude that a person accessed file(s) on the USB drive based upon the creation dates of the $S system files.

Posted : 13/01/2020 4:50 pm
DonniLiem
(@donniliem)
New Member

Hi...it depends on what you want to know about the access. I tried the below method.

 

  • If the file was copied to a USB drive AND the file was opened from that location there would be a link (.lnk) file to that removable media. You can see the list of files from the name of the LNK file, but inside the LNK file you can find the file location. Using the OSForensics File Name Search function you can quickly find all the LNK files, then open them with the internal viewer to decode the content (which gives the drive letter and folder name of the file being opened).

 

Posted : 04/06/2020 5:29 pm
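
What decoding a LNK file, as mentioned in the post above, involves at the byte level, shown as an added example that is not part of any poster's message or any tool's own code: a minimal Python reader for the Shell Link header and LinkInfo block (MS-SHLLINK) that reports the target's timestamps, drive type, volume serial and local path. The sample link, its path `E:\report.docx` and its serial are constructed; Unicode path fields and extra data blocks are not handled.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}

def filetime(ft):
    """FILETIME (100 ns ticks since 1601 UTC) -> datetime, or None if unset."""
    return EPOCH + timedelta(microseconds=ft // 10) if ft else None

def parse_lnk(data):
    """Target timestamps and volume details from a Shell Link (MS-SHLLINK)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad header size")
    flags, _attr, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    out = {"target_created": filetime(ctime), "target_accessed": filetime(atime),
           "target_modified": filetime(wtime), "target_size": size}
    pos = 76
    if flags & 0x1:                       # HasLinkTargetIDList: skip over it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x2:                       # HasLinkInfo
        li_size, _hdr, li_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x1:                # VolumeIDAndLocalBasePath
            if max(vol_off + 16, path_off) > li_size or pos + li_size > len(data):
                raise ValueError("truncated or inconsistent LinkInfo")
            dtype, serial = struct.unpack_from("<II", data, pos + vol_off + 4)
            end = data.index(b"\0", pos + path_off)   # ANSI path, NUL-terminated
            out.update(drive_type=DRIVE_TYPES.get(dtype, str(dtype)),
                       volume_serial=f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
                       local_path=data[pos + path_off:end].decode("cp1252", "replace"))
    return out

def build_sample():
    """Constructed sample (not real evidence): link to a file on removable E:."""
    t = int((datetime(2020, 1, 10, 9, 30, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10**7
    clsid = bytes.fromhex("0114020000000000C000000000000046")
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, clsid, 0x2, 0x20, t, t, t,
                         1234, 0, 1, 0, 0, 0, 0)
    vol = struct.pack("<4I", 17, 2, 0x1234ABCD, 16) + b"\0"   # DriveType 2, empty label
    path = b"E:\\report.docx\0"
    total = 28 + len(vol) + len(path) + 1
    info = struct.pack("<7I", total, 28, 0x1, 28, 28 + len(vol), 0, total - 1)
    return header + info + vol + path + b"\0"

if __name__ == "__main__":
    for key, value in parse_lnk(build_sample()).items():
        print(f"{key:16} {value}")
```

The three header timestamps describe the link target as recorded inside the link, not the LNK file itself.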