Interesting thread so far…particularly because this has been discussed in detail on this board
http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=194&view=next
http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=1375
http//
Locate the devices under System\CurrentControlSet\Enum\USBStor. The first time you plug the device into the system, a key will be created and an entry made in the setupapi.log file. From there, look under the following key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
The subkeys refer back to the devices, and the LastWrite times for the keys are when the devices were last connected to the system.
Beyond the first and last times the devices were connected, Windows doesn't log any other information by default. The MountedDevices key may tell you the drive letter that the device was mapped to…
There's a bit more info, but that's all been documented in this board before. Rather than retyping it all here, I decided to write a book… 😉
H
How much and were can you get it from, the book that is oops D
It will be out this spring from Syngress, probably around the $30USD range or so…