USB Historian  

BWC_15222
(@bwc_15222)
New Member

Has anyone used USB Historian v1.3 by 4Discovery?

I downloaded the tool from https://4discovery.com/usb-historian/ and am attempting to run it on a Win 10 Pro OS. When I attempt to access the SOFTWARE and SYSTEM hives from the current drive, I get an access error. I've tried to run it from an external USB drive as well as saving the software to the local machine. I have also attempted to copy the hives and run them from a separate file folder.

I have never used a tool like this before and am not sure if it won't work on Win 10 or if it's the way I am attempting to access the targeted files for analysis.

Any help is greatly appreciated.

Posted : 30/03/2020 9:24 pm
athulin
(@athulin)
Community Legend

I downloaded the tool from https://4discovery.com/usb-historian/ and am attempting to run it on a Win 10 Pro OS. When I attempt to access the SOFTWARE and SYSTEM hives from the current drive, I get an access error.

'Provide as much information as possible' is one of the recommendations for starting new topics. The exact error messages you get are one of those things.

In this case, you don't say anything about access rights. Do you get an access error also when you try to navigate to the relevant directory (/Windows/system/system32?) I do … which to me is a reasonable hint that there is access protection in place.

If your account has Administrator rights or similar privileges the tool may try to elevate privileges … you typically get a prompt asking you if that's OK. Did it? Or is the account you're using a standard user without any rights at all? Or perhaps the tool can't do that … but relies on you to do that for yourself?

Or … have you already checked for all those possibilities without success, ensured that you have all required access, and the program still fails?

(General troubleshooting ability is a skill most computer forensic people need to acquire, but it's usually taught as an IT skill, not a forensic skill, so you rarely see it in forensic courses. If you need to brush it up, consider getting some Windows admin and management skills – that's where access rights and privileges most often are discussed.)

I have never used a tool like this before and am not sure if it won't work on Win 10 or if it's the way I am attempting to access the targeted files for analysis.

I'm not going to install/run the software without precautions … and I don't see any obvious 'README' that might explain things, such as if the program is expected to run on in-place files or if it needs them to be extracted first. If you did not find any information included, I suggest you mark this software with at least one 'failed preliminary acceptance test' note. By all means, pass your notes on to the manufacturer – if they are serious, they will be interested. But don't rely on it … look for other alternatives also.

I think I used something by NIRsoft (USBdeview?) when I had to do this with standalone tools … a quick comparison between the Nirsoft USBDeview page and the 4discovery page is instructive: Nirsoft makes it clear that their tool works for both 32 AND 64 bit systems up to Windows 10, and you find a lot of additional instructive material there as well. Which to me suggests that 'passed preliminary acceptance test' may be appropriate.

Posted : 31/03/2020 7:28 am
jaclaz
(@jaclaz)
Community Legend

I have also attempted to copy the hives and run them from a separate file folder.

Quick test
1) copy the files to a folder on a FAT32 volume
2) try again running the tool selecting those copies

jaclaz

Posted : 31/03/2020 9:13 am
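
An added example, not part of the thread or of the tool under discussion: one way to tell an access problem apart from a bad or inconsistent copy when a hive copy is rejected, by reading the 512-byte regf base block. It goes beyond what the posts describe; `check_hive`, `make_sample_header` and the status labels are names chosen here, and the sample header is constructed.

```python
import struct

def xor32(header: bytes) -> int:
    """regf base-block checksum: XOR of the first 127 little-endian dwords."""
    value = 0
    for (dword,) in struct.iter_unpack("<I", header[:508]):
        value ^= dword
    if value == 0xFFFFFFFF:          # the format remaps these two results
        return 0xFFFFFFFE
    return value or 1

def check_hive(path) -> dict:
    """Say why a hive copy may be rejected: access, format, or consistency."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(512)
    except PermissionError:          # denied by ACL, or file held open/locked
        return {"status": "access-denied"}
    if len(header) < 512 or header[:4] != b"regf":
        return {"status": "not-a-hive"}
    seq1, seq2 = struct.unpack_from("<II", header, 4)
    (stored,) = struct.unpack_from("<I", header, 508)
    name = header[48:112].decode("utf-16-le", "replace").split("\x00")[0]
    if stored != xor32(header):
        status = "bad-checksum"
    elif seq1 != seq2:               # unsynced write; .LOG files may be needed
        status = "dirty"
    else:
        status = "clean"
    return {"status": status, "name": name, "seq": (seq1, seq2)}

def make_sample_header(seq1: int, seq2: int, name: str = "SYSTEM") -> bytes:
    """Constructed 512-byte header for testing; not taken from a real system."""
    head = bytearray(512)
    head[0:4] = b"regf"
    struct.pack_into("<II", head, 4, seq1, seq2)
    raw = name.encode("utf-16-le")
    head[48:48 + len(raw)] = raw
    struct.pack_into("<I", head, 508, xor32(bytes(head)))
    return bytes(head)

if __name__ == "__main__":
    import sys
    for hive in sys.argv[1:]:        # e.g. paths to copied SOFTWARE and SYSTEM
        print(hive, check_hive(hive))
```
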
Bunnysniper
(@bunnysniper)
Active Member

copy the files to a folder on a FAT32 volume

Pro tip of the day: nothing beats a memory drive in FAT32. I have a memory drive on all of my devices as a "tmp" folder to get rid of unnecessary data with the next reboot. Moving NTFS files to the memory drive and back removes all ACLs, too.

regards, Robin

Posted : 31/03/2020 2:11 pm
BWC_15222
(@bwc_15222)
New Member

Thanks for the feedback everyone. I received a message from the developer that they haven't fully tested the tool on Win 10.

Posted : 02/04/2020 3:07 pm
minime2k9
(@minime2k9)
Active Member

Unsurprising as the last release date is showing as 2013….

Posted : 02/04/2020 9:30 pm