Greetings,
I have more "New Computer Examiner" questions and so far this has been the place to get answers. Please bear with me.
I am conducting my first exam of a USB Thumbdrive and have downloaded and made use of Mr. Lee's awesome guide (https://
Can someone point me in the right direction?
Thanks!
Jeff
Jeff,
I am conducting my first exam of a USB Thumbdrive and have downloaded and made use of Mr. Lee's awesome guide (https://
blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf) and have been mostly successful figuring this all out on my own. HOWEVER… I can't figure out who the "user" is associated with the Device GUID in the MountPoints2. I have the registry information, and located the Device GUID, but have no idea what/where the "user" information is.
You already have it. The user is whichever profile you extracted the NTUSER.DAT (where the MountPoints2 key is located) from.
Thank You Sir.
Now that you mention it… it DOES make sense.
Have a good one!
Jeff