Identifying USB device or drive letter used...

(@blacks988)
New Member
Joined: 11 years ago
Posts: 2
Topic starter  

Hello

I am new here and also new to all the digital forensics "hobby" or profession to some.

I am investigating if a USB device was present on my computer on a certain date, about 3 months ago. So far I have parsed shellbags info and viewed my activity including files opened with full paths. The whole thing seemed like magic to me lol.

My question is, is there a way to see if a USB device was plugged in the computer at a certain date?

I have observed the event logs and on the date I am interested in, there is an event ID 7036 (The Portable Device enumerator service entered the running state).

What I have failed to conclude is, for which device this service has started running. I distinguish my USB mass storage devices by drive letters so is there a way to see which drive letter was in use then?

I am asking this because I have tested with sbag and several other shellbag parsers and one thing they failed to do was register if I have opened the root of the flash drive. If I have copied the folders from the root of that flash drive without opening the folders, would there be a proof of that?

Another thing I found were the MountPoints2 and MountedDevices registry keys. Would those be of any help to discover if the USB was plugged in at that time?

Once again I know it's impossible to know the USB that was plugged in, as I researched that information is not kept in the system, but maybe the drive letter that was used is kept somewhere or perhaps someone can give me another suggestion?

Thank you immensely!
Aleksandar


   
Quote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Start from
http://www.forensicswiki.org/wiki/USB_History_Viewing

Check setupAPI.log.

Try using this
https://tzworks.net/prototype_page.php?proto_id=13
and this
USB History GUI
http://www.softpedia.com/get/Windows-Widgets/System-Utilities/USB-History-GUI.shtml
and/or
http://sourceforge.net/projects/usbhistory/
http://sourceforge.net/projects/smallusbhistory/

jaclaz


   
ReplyQuote
(@blacks988)
New Member
Joined: 11 years ago
Posts: 2
Topic starter  

Thank you!

But the USB has been reused on the system many times after that. What I am interested in is if that USB was present in the system 3 months ago. To be more exact on the 28th of December 2013.

As I said, the only evidence I have that the USB might have been in the system is the event log entry 7036 (The Portable Device enumerator service entered the running state). What I am curious about is, which USB device was that event referring to.

So far I have this information and the times it happened on Dec 28th.

06:16:33 Event ID 7036 (The Portable Device enumerator service entered the running state)

06:17:56 Viewed the folder on an external USB hard drive. (collected info with sbag)

I have reason to believe I have copied something from the USB to the USB hard drive. So in between these intervals is there a way to find out which USB has been used?

And the reason I believe that the 7036 event is because of a USB flash drive is because the hard drive is always connected to the system.


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Yes.
In the sense that event 7036 (The Portable Device enumerator service entered the running state) is triggered by the insertion of a USB removable device, see also
http://superuser.com/questions/219401/starting-scheduled-task-by-detecting-connection-of-usb-drive
though often there is also a corresponding (still 7036) "The Portable Device Enumerator Service service entered the stopped state."
But both should be connected to a Group Policy.

In any case I don't think that there is any direct way to find out what you are looking for, the 7036 only tells you that "a" removable device has been connected, not "which one" (and it is likely that it is not even "restricted" to USB devices?).

Maybe making a "supertimeline" with log2timeline or the newish plaso thingy
http://log2timeline.net/
http://plaso.kiddaland.net/

may give some further hints.

jaclaz


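As an added example that is not part of this thread, here is a small Python parser for the Device Install sections of setupapi.dev.log (the "setupAPI.log" suggested earlier), filtered to USB mass-storage device IDs whose install window overlaps the 7036 event time. The log excerpt is constructed and the device IDs and serials are invented; the Vista-and-later section layout is assumed, and the five-minute window is an arbitrary choice. The parser also carries the caveat that matters for this case: the log records driver installation, normally only a device's first connection.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the setupapi.dev.log layout of Windows Vista and later;
# the device IDs, serials and times are invented for this example.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\EXAMPLE1234&0]
>>>  Section start 2013/12/28 06:16:29.515
<<<  Section end 2013/12/28 06:16:33.078
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C31C\5&2A1B3C4D&0&2]
>>>  Section start 2013/12/29 10:02:11.201
<<<  Section end 2013/12/29 10:02:12.900
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_WD&Prod_My_Passport&Rev_1007\EXAMPLE5678&0]
>>>  Section start 2013/11/02 18:40:01.000
<<<  Section end 2013/11/02 18:40:05.100
<<<  [Exit status: SUCCESS]
"""

TS_FMT = "%Y/%m/%d %H:%M:%S"
HEADER = re.compile(r"^>>>\s+\[Device Install \(.*?\) - (?P<devid>.+?)\]\s*$")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
END = re.compile(r"^<<<\s+Section end (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def parse_installs(text):
    """Return (device_id, start, end) for every Device Install section in the log."""
    installs, devid, start = [], None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            devid, start = m.group("devid"), None
        elif (m := START.match(line)) and devid:
            start = datetime.strptime(m.group("ts"), TS_FMT)
        elif (m := END.match(line)) and devid and start:
            installs.append((devid, start, datetime.strptime(m.group("ts"), TS_FMT)))
            devid, start = None, None
    return installs


def storage_installs_near(text, event_ts, window_minutes=5):
    """USBSTOR installs whose section overlaps +/- window_minutes around event_ts.

    Caveat: setupapi.dev.log records driver installation, which normally happens only
    the first time a device is connected; a device already known to the system leaves
    no new section when re-inserted, so no hit does not prove no device was present.
    """
    event = datetime.strptime(event_ts, TS_FMT)
    lo, hi = event - timedelta(minutes=window_minutes), event + timedelta(minutes=window_minutes)
    return [i for i in parse_installs(text)
            if i[0].upper().startswith("USBSTOR\\") and i[1] <= hi and i[2] >= lo]
```

A hit here gives the device instance ID (vendor, product and serial) for a first-time install near the event, which is more than the 7036 entry alone provides.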