Determining how long an external USB drive is connected
I need to determine how long an external USB hard drive was connected to a Windows 7 OS computer. Any ideas about where to look for it, i.e. registry, event viewer and/or any other logs?
I don't believe you'll be able to get that information, unless there are some artifacts that we don't know about yet. You can often determine the first time a USB device was connected by looking in the setupapi.log or setupapi.dev.log on Windows 7. This file should contain references to the device being installed the first time.
For subsequent installations and use of the device, you'll need to consult the Registry including the specific user's Registry profile. Check out
for additional details on where to find USB artifacts.
Also, Harlan Carvey's Windows Forensic Analysis 2nd Edition has some great information on this type of investigation.
Again as far as I know, you can't determine how long a device was plugged in. You can determine when it was first plugged in and subsequent times after that, but to my knowledge, no artifact exists that will tell you when the device was removed.
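The setupapi.dev.log lookup mentioned in the reply above, as an added example that is not part of the original thread: a small Python parser that reports the earliest install section for each USBSTOR device. The sample log is constructed (device IDs and times are made up), and the parser assumes the usual `>>>  [Device Install ...]` / `>>>  Section start ...` section layout.

```python
import re
from datetime import datetime

# Constructed sample in the setupapi.dev.log section layout; IDs and times are made up.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_Drive&Rev_1.00\0123456789AB&0]
>>>  Section start 2010/04/01 09:00:00.000
<<<  Section end 2010/04/01 09:00:02.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0000\5&1a2b3c&0&2]
>>>  Section start 2010/03/01 08:00:00.000
<<<  Section end 2010/03/01 08:00:01.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - usbstor\disk&ven_example&prod_drive&rev_1.00\0123456789AB&0]
>>>  Section start 2010/03/15 10:22:33.123
<<<  Section end 2010/03/15 10:22:35.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Other&Prod_Stick&Rev_2.00\AABBCCDDEEFF&0]
>>>  Section start 2010/05/20 17:45:10.500
<<<  Section end 2010/05/20 17:45:12.000
<<<  [Exit status: SUCCESS]
"""

SECTION = re.compile(r"^>>>\s+\[")                      # any section header
USBSTOR = re.compile(r"^>>>\s+\[Device Install.*? - (USBSTOR\\[^\]]+)\]", re.I)
START = re.compile(r"^>>>\s+Section start (\S+ \S+)")   # header's timestamp line

def first_install_times(log_text):
    """Map each USBSTOR device instance ID to its earliest 'Section start' time."""
    first, device = {}, None
    for line in log_text.splitlines():
        if SECTION.match(line):
            m = USBSTOR.match(line)
            # Instance IDs are case-insensitive, so normalise before comparing.
            device = m.group(1).upper() if m else None
            continue
        m = START.match(line)
        if m and device:
            # Timestamps are in the examined machine's local time, not UTC.
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            if device not in first or ts < first[device]:
                first[device] = ts
            device = None
    return first

if __name__ == "__main__":
    for dev, ts in sorted(first_install_times(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(ts.isoformat(sep=" ", timespec="milliseconds"), dev)
```

This yields only the first-install time per device; it says nothing about removal or connection duration.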
I agree with Dave.hull, I don't know of any way to determine how long it has been plugged in. All you can do is attempt to extrapolate based on other evidence.
Thank you very much; I'll try with this information and post results…
I posted indirectly about this on the SANS Forensic Blog. One of the things that occurred to me when I was reviewing a timeline for a recent case was that the last accessed times of sound files on a system might be a way to determine when a USB device started and stopped interacting with a computer.
ehuber - neat trick!!
mekaniq - not done any W7 systems, on XP Pro I've got as much info about files accessed on external drives as I could (LinkAlyzer, Windows Forensic Analysis, Windows File Analyzer, NetAnalysis, HsTex), got info from Registry about external media (RegRipper, Registry Viewer et al) and then matched files to devices where possible using timeline.
You can mebbe get Last Time Connected following Rob Lee's very helpful guide http://blogs.sans.org/computer-forensics/files/2009/09/USB_Drive_Enclosure-Guide.pdf
The simplest test is to try for yourself.
Run a snapshot tool before and after plugging in/disconnecting an external USB device.