Dear All,
I'm trying to detect if a user add new hard disk to the desktop machine, but the windows logs not showing anything, is there away to detect such behavior during investigation. most of the logs are for USB and external devices. but what if user open the desktop case and add internal HW?
I am sure I have read about this somewhere, but do not have the reference material to hand. For reviewing registry keys, I tend to use Eric Zimmerman's Registry Explorer as it's free and people from the community collectively add plugins to it.
There is either a GUI or CMD version, GUI suits my needs. Opening registry keys into the GUI displays two panels, either the regular view or keys that have been bookmarked as they hold some significance.
Opening the registry keys from my own PC into Registry Explorer and looking at the bookmark tab shows that 'SYSTEM\ControlSet001\Control\DeviceClasses\' may hold some answers for you. I can't remember off the top of my head whether I added the drives at the associated timestamps, but I'm sure if you do some testing for yourself, you can discern this. If you do do any testing, please update us.
Â
As a side note, Eric Zimmerman has a range of tools that he has released for the DFIR community and they are well worth a look