Join Us!

Notifications
Clear all

last access of USB  

  RSS
rohitdharan
(@rohitdharan)
New Member

Hello everyone.
IF I have pendrive, now i wan to find when my Pen drive was last accessed or when my pen drive was opened?

Quote
Posted : 12/01/2020 4:23 pm
Bunnysniper
(@bunnysniper)
Active Member

Hello everyone.
IF I have pendrive, now i wan to find when my Pen drive was last accessed or when my pen drive was opened?

Access last time stamps on files on the drive itself and/or MFT if u have it in NTFS
Opened Check shellbags and LNK files
Inserted setupapi.log and various registry keys. Some of them are referenced here
https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings

I think Inserted is what you are after, or?

regards, Robin

ReplyQuote
Posted : 13/01/2020 11:41 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

First make a physical image (E01) of the USB drive using a hardware or software writeblocker.

Then open the resulting forensic image using your forensic tool of choice.

Look for $S files which are temporary system files created when a Microsoft Office type file is opened on a USB drive.

One can conclude that a person accessed file(s) on the USB drive based upon the creation dates of the $S system files.

ReplyQuote
Posted : 13/01/2020 4:50 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

First make a physical image (E01) of the USB drive using a hardware or software writeblocker.

Then open the resulting forensic image using your forensic tool of choice.

Look for $S files which are temporary system files created when a Microsoft Office type file is opened on a USB drive.

One can conclude that a person accessed file(s) on the USB drive based upon the creation dates of the $S system files.

ReplyQuote
Posted : 13/01/2020 4:53 pm
Share: