Hi, I'm currently trying to get information from the hex/binary in the registry key HKLM\SYSTEM\MountedDevices. Apparently there should be information in the binary telling me if the device mounted to a particular drive letter was removable, which is what I need to find out.
However, when I view this key in FTK Registry Viewer and look at the values for the drive letter I am interested in, I see this:
b8 2e 42 9c 00 7e 00 00-00 00 00 00
and the Unicode equivalent, obviously.
So, can anyone help me on my way to finding the information I need from this?
P.S. The MountedDevices key's last write time will be modified when a device is mounted, but will it be modified again when the device is removed? My guess is yes…
Thank you in advance for any help.
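For readers who land on this thread with the same question, here is an added example (my own code, not from the original poster, from Harlan's book, or from any forensic tool) that decodes MountedDevices value data offline. The 12-byte value quoted above is the MBR form: a 4-byte little-endian disk signature followed by an 8-byte little-endian partition start offset in bytes, which is how fixed MBR volumes are recorded (the quoted bytes give signature 9C422EB8 and offset 0x7E00 = 32256 = 63 sectors of 512 bytes). Removable media are instead recorded as a UTF-16LE device interface path containing "USBSTOR#" or "STORAGE#RemovableMedia#". The E: and F: sample values below are constructed for illustration; only the C: bytes come from the post. One caveat: an external USB hard drive with its own MBR can be recorded in the 12-byte form too, so that form tells you the volume was not recorded as removable media, not that the disk was internal.

```python
import struct
from typing import Dict, Optional

# GUID_DEVINTERFACE_DISK, the interface class GUID that ends disk device paths.
DISK_INTERFACE_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

# Constructed sample MountedDevices values (value name -> raw REG_BINARY data).
# Only the C: bytes are from the forum post; E: and F: are made-up examples of
# the Unicode device-path form that removable devices produce.
SAMPLE_VALUES: Dict[str, bytes] = {
    r"\DosDevices\C:": bytes.fromhex("b82e429c007e000000000000"),
    r"\DosDevices\E:": (
        "_??_USBSTOR#Disk&Ven_Example&Prod_Flash&Rev_1.00#"
        "0123456789AB&0#" + DISK_INTERFACE_GUID
    ).encode("utf-16-le"),
    r"\DosDevices\F:": (
        r"\??\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#" + DISK_INTERFACE_GUID
    ).encode("utf-16-le"),
}


def drive_letter(value_name: str) -> Optional[str]:
    """Return 'C:' for a value named '\\DosDevices\\C:', else None (e.g. \\??\\Volume{...})."""
    prefix = "\\DosDevices\\"
    return value_name[len(prefix):] if value_name.startswith(prefix) else None


def decode_value(data: bytes) -> dict:
    """Interpret the binary data of one MountedDevices value.

    'removable_media' is True when the value is a device path that names
    USBSTOR or RemovableMedia, False when it is recorded like a fixed volume,
    and None when the data is in a form this decoder does not understand.
    """
    # Form 1: 12 bytes = MBR disk signature (LE DWORD) + partition offset (LE QWORD).
    # Fixed MBR volumes look like this; so can USB hard drives that carry an MBR.
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return {
            "form": "mbr_signature_offset",
            "disk_signature": f"{signature:08X}",
            "partition_offset": offset,
            "partition_start_sector_512": offset // 512,
            "removable_media": False,
        }
    # Form 2: "DMIO:ID:" followed by a 16-byte volume identifier (dynamic/GPT volumes).
    if data.startswith(b"DMIO:ID:") and len(data) == 24:
        return {"form": "dmio_id", "volume_id": data[8:].hex(), "removable_media": False}
    # Form 3: UTF-16LE device interface path, the form removable devices produce.
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return {"form": "unknown", "raw": data.hex(), "removable_media": None}
    upper = text.upper()
    removable = any(tag in upper for tag in ("USBSTOR#", "REMOVABLEMEDIA#"))
    return {"form": "device_path", "path": text, "removable_media": removable}


def report(values: Dict[str, bytes]) -> Dict[str, dict]:
    """Decode every \\DosDevices\\X: value and key the results by drive letter."""
    out = {}
    for name, data in values.items():
        letter = drive_letter(name)
        if letter is not None:
            out[letter] = decode_value(data)
    return out


if __name__ == "__main__":
    for letter, info in sorted(report(SAMPLE_VALUES).items()):
        print(letter, info)
```

On a live system the same values can be read with `winreg` from `HKLM\SYSTEM\MountedDevices`; against an exported SYSTEM hive, feed the raw value bytes from whatever hive parser you use into `decode_value`. The Unicode path from a removable device also carries the vendor, product and serial fields that tie the drive letter back to the USBSTOR and Enum\USB keys.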
Much of this is covered in my book…
;-(
Okay, to add a bit of clarification here…
First, MountedDevices are addressed on pp. 160-164 of my book, with forenz's specific question answered on p. 162, in part by figure 4.15.
Second, I'm not intentionally trying to be an @$$hat when I refer to my book…it's not about getting more people to buy my book so I get royalties. The point is that a great deal of time and effort…all of which was mine, and my reviewer's…went into writing the book and trying to ensure that as many of these types of questions as possible were addressed. So, in almost a year's effort, I wrote and tried to address these kinds of things.
So now we have the above question…I could go back and rewrite everything all over again, explaining the information again, duplicating my efforts (ie, doing the same thing I did before…*again*). Or, forenz and others could do their own searches, or go to Amazon to purchase my book, or go to the publisher's site and purchase the ebook and get an almost-immediate download.
On the issue of royalties…yes, I do get royalties, but if anyone thinks that you can live off them…think again. I know folks that have written multiple books, and they continue to have to work their day jobs. The royalties are a nice return on my effort, but they really don't amount to much more than being able to take my wife out to a nice dinner. On top of that, here in the US, book royalties are considered income and taxed as such.
So, the real reason behind my pushing my book is NOT to put money in my pocket. The real reasons for this are that hopefully someone who does buy the book will write a review…on Amazon, on Slashdot, or on their own site…and provide feedback. The other benefit behind the purchase of the book is that the more books purchased means that the sales numbers go up…this means that the publisher will be more likely to want a second edition, one that will cover Vista and Windows 2008. The royalties most often go to things like updating VMware and Perl2Exe, paying for KntDD (I was a beta tester, and I *still* had to pay for the most basic version of the tool), and even purchasing an entirely new system to use for setup and testing.
So, I know a lot of folks out there are just going to keep thinking that all I'm concerned with is lining my pockets…and that's fine. I can't invest the time to try to change those minds. But anyone who's hung around this site for a while will know that this isn't the case, and will recognize what my real motivation is.
H
That's fine, I understand.
However, I am in a very big rush to find out how to do this and get it done, or I fear my case will almost certainly fall through. What is the site for the publisher where I can download the e-version of your book? How can I purchase it?
I would purchase your book but it would not get here in time.
This is urgent.
> …I am in a very big rush…
Sure, I understand. Most folks were before the book was published, hence all of the "marketing" I did beforehand. Like you, more and more folks are realizing that they need it, but usually only AFTER they realize that they need it.
> What is the site for the publisher where I can download the e-version of
> your book? How can I purchase it?
I've had this linked off my blog almost since the book was published:
http//
HTH,
Harlan
Just ordered your book Harlan. It better be worth it! wink wink (I know it will).
Tip for UK readers - PC World seem to be the cheapest place to get it, £5 cheaper than Amazon, but it's on limited stock so hurry, hurry, hurry!
It'll be worth it if you actually use it…
Don't worry, I certainly will.
If it gave me some pointers on part 2 of my EnCE then that would be a good start!
> If it gave me some pointers on part 2 of my EnCE then that would be a good start!
Sorry, can't help you there, my friend. I have no idea what's *on* the EnCE, and that's not even the goal of my book. The intention of my book is to give you information you need for forensic analysis, *regardless* of the tool used. While I use some examples with ProDiscover, the book is NOT vendor specific. If you're looking for information on how to use EnCase or pass the EnCE, my book is not for you, and has never been advertised as such.
Harlan
Ha! I bought it on the review blurb "Registry chapter alone".