Forums
Main Category
General (Technical,...
How to Determine US...
 
Notifications
Clear all

How to Determine USB Key User

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by jrwhite6 12 years ago
3 Posts
2 Users
0 Reactions
424 Views
RSS
 jrwhite6
(@jrwhite6)
Active Member
Joined: 13 years ago
Posts: 6
Topic starter 08/05/2013 9:14 pm  

Greetings,

I have more "New Computer Examiner" questions and so far this has been the place to get answers. Please bear with me.

I am conducting my first exam of a USB Thumbdrive and have downloaded and made use of Mr. Lee's awesome guide (https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf) and have been mostly successful figuring this all out on my own. HOWEVER… I can't figure out who the "user" is associated with the Device GUID in the MountPoints2. I have the registry information, and located the Device GUID, but have no idea what/where the "user" information is.

Can someone point me in the right direction?

Thanks!
Jeff


   
Quote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
08/05/2013 11:41 pm  

Jeff,

I am conducting my first exam of a USB Thumbdrive and have downloaded and made use of Mr. Lee's awesome guide (https://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf) and have been mostly successful figuring this all out on my own. HOWEVER… I can't figure out who the "user" is associated with the Device GUID in the MountPoints2. I have the registry information, and located the Device GUID, but have no idea what/where the "user" information is.

You already have it. The user is whichever profile you extracted the NTUSER.DAT (where the MountPoints2 key is located) from.


   
ReplyQuote
 jrwhite6
(@jrwhite6)
Active Member
Joined: 13 years ago
Posts: 6
Topic starter 09/05/2013 12:39 am  

Thank You Sir.
Now that you mention it… it DOES make sense.
Have a good one!
Jeff


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: