Occasions that USB key inserted

Fab4
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
Topic starter

Does anyone have any better knowledge than I about the conditions upon which the last write timestamp of MountedDevices is updated…..?

I am plotting the historical use of a USB device inserted to a host PC - or as much of it that I can via the system hive and NTUSER, both live and in restore points.

I have always considered that the last write time of the System\MountedDevices key to be indicative of when the last time a USB device was mounted at whatever drive letter. But, on this PC I am seeing devices in System\CurrentControlSet\Enum\USBSTOR with times later than that in MountedDevices. E.g. (output from RegRipper):

MountedDevices

LastWrite time = Thu Aug 19 09:52:48 2010Z

Device \??\STORAGE#RemovableMedia#7&abcdefgh&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{abcdefgh-e0db-11de-b6c0-000ffe9153dc}
\DosDevices\E:

Device \??\STORAGE#RemovableMedia#7&ijklmnop&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{ijklmnop-018f-11de-b634-000ffe9153dc}
\DosDevices\G:

USBStor
ControlSet001\Enum\USBStor

Disk&Ven_Ut165&Prod_USB2FlashStorage&Rev_0.00 [Mon Dec 7 17:54:49 2009]
S/N 0xxxxxxxxxxx&0 [Tue Aug 24 13:04:53 2010]
FriendlyName Ut165 USB2FlashStorage USB Device
ParentIdPrefix 7&abcdefgh&0

Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_4.05 [Mon Feb 23 10:56:14 2009]
S/N 0xxxxxxxxxxxx&0 [Wed Aug 25 12:14:26 2010]
FriendlyName SanDisk U3 Cruzer Micro USB Device
ParentIdPrefix 7&ijklmnop&0

Therefore according to this output, the last device was mounted and allocated a drive letter on 19th Aug 2010, but the first time that the two devices that accord with drives E:\ and G:\ via their ParentIdPrefix were inserted since the last reboot (according to USBSTOR) was 24th Aug 2010 and 25th Aug 2010 respectively…

Many thanks.
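The discrepancy the post describes is a useful check to automate: join each USBStor device instance to its drive letter through the ParentIdPrefix that appears inside the MountedDevices device string, then compare the instance key's LastWrite with the MountedDevices key's LastWrite. The script below is an added example written for this thread, not RegRipper code and not the poster's; it parses a constructed, anonymised excerpt in the same shape as the output quoted above. It flags every instance whose LastWrite is later than MountedDevices, which is what you would expect when a device that already has a volume GUID and drive-letter mapping is re-inserted: the device's own key is rewritten, but nothing new is written to MountedDevices, so that key's LastWrite stays put. Note that the ParentIdPrefix join is the XP-era method; on Vista and later the MountedDevices device string carries the USB serial number instead, so the `parse_mounted_devices` regex would need to key on that.

```python
"""Correlate MountedDevices drive-letter mappings with USBStor instances.

Added example for this thread; not part of RegRipper and not the poster's
own tooling. SAMPLE is a constructed excerpt mirroring the anonymised output
quoted in the thread.
"""
import re
from datetime import datetime, timezone

# Constructed sample in the RegRipper text layout shown in the post.
SAMPLE = r"""
MountedDevices
LastWrite time = Thu Aug 19 09:52:48 2010Z

Device \??\STORAGE#RemovableMedia#7&abcdefgh&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{abcdefgh-e0db-11de-b6c0-000ffe9153dc}
\DosDevices\E:

Device \??\STORAGE#RemovableMedia#7&ijklmnop&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{ijklmnop-018f-11de-b634-000ffe9153dc}
\DosDevices\G:

USBStor
ControlSet001\Enum\USBStor

Disk&Ven_Ut165&Prod_USB2FlashStorage&Rev_0.00 [Mon Dec 7 17:54:49 2009]
S/N 0xxxxxxxxxxx&0 [Tue Aug 24 13:04:53 2010]
FriendlyName Ut165 USB2FlashStorage USB Device
ParentIdPrefix 7&abcdefgh&0

Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_4.05 [Mon Feb 23 10:56:14 2009]
S/N 0xxxxxxxxxxxx&0 [Wed Aug 25 12:14:26 2010]
FriendlyName SanDisk U3 Cruzer Micro USB Device
ParentIdPrefix 7&ijklmnop&0
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style stamp as RegRipper prints it


def parse_ts(text):
    """Parse 'Thu Aug 19 09:52:48 2010Z' (trailing Z marks UTC) to a datetime."""
    clean = text.strip().rstrip("Z").strip()
    return datetime.strptime(clean, TS_FMT).replace(tzinfo=timezone.utc)


def parse_mounted_devices(text):
    """Return (key LastWrite, {ParentIdPrefix: drive letter}) from the
    MountedDevices section. The prefix is the part of the device string
    between 'RemovableMedia#' and '&RM#' (XP-style device strings)."""
    lastwrite, mapping, prefix, in_section = None, {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line == "MountedDevices":
            in_section = True
            continue
        if line == "USBStor":
            break
        if not in_section:
            continue
        m = re.match(r"LastWrite time = (.+)", line)
        if m:
            lastwrite = parse_ts(m.group(1))
            continue
        m = re.search(r"RemovableMedia#(.+?)&RM#", line)
        if m:
            prefix = m.group(1)
            continue
        m = re.match(r"\\DosDevices\\([A-Z]):?$", line)
        if m and prefix:
            mapping[prefix] = m.group(1)
            prefix = None
    return lastwrite, mapping


def parse_usbstor(text):
    """Return one dict per device instance from the USBStor section."""
    devices, cur, in_section = [], None, False
    for line in text.splitlines():
        line = line.strip()
        if line == "USBStor":
            in_section = True
            continue
        if not in_section:
            continue
        m = re.match(r"(Disk&Ven_\S+) \[(.+)\]$", line)
        if m:  # device class key line; its stamp is the key's LastWrite
            cur = {"device_key": m.group(1),
                   "device_key_lastwrite": parse_ts(m.group(2))}
            devices.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"S/N (\S+) \[(.+)\]$", line)
        if m:  # instance key line; stamp is the instance key's LastWrite
            cur["serial"] = m.group(1)
            cur["instance_lastwrite"] = parse_ts(m.group(2))
        elif line.startswith("FriendlyName "):
            cur["friendly_name"] = line[len("FriendlyName "):]
        elif line.startswith("ParentIdPrefix "):
            cur["parent_id_prefix"] = line[len("ParentIdPrefix "):]
    return devices


def correlate(text):
    """Join instances to drive letters and flag any whose LastWrite is later
    than the MountedDevices key LastWrite (re-insert of a known device)."""
    md_lastwrite, letters = parse_mounted_devices(text)
    rows = []
    for dev in parse_usbstor(text):
        rows.append({
            "friendly_name": dev.get("friendly_name", dev["device_key"]),
            "drive_letter": letters.get(dev.get("parent_id_prefix")),
            "instance_lastwrite": dev["instance_lastwrite"],
            "later_than_mounteddevices": dev["instance_lastwrite"] > md_lastwrite,
        })
    return md_lastwrite, rows


if __name__ == "__main__":
    md, rows = correlate(SAMPLE)
    print("MountedDevices LastWrite:", md.isoformat())
    for r in rows:
        flag = "LATER than MountedDevices" if r["later_than_mounteddevices"] else ""
        print(f'{r["drive_letter"]}: {r["friendly_name"]} '
              f'{r["instance_lastwrite"].isoformat()} {flag}')
```

Run it on the real RegRipper output of a system hive to get the same table; a row flagged as later than MountedDevices is evidence of a re-insertion, not of a first mount, which is exactly why the MountedDevices LastWrite on its own cannot be read as "last USB device mounted".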
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

I have had it happen when multiple users use the same box. Example was when I was investigating the subject user and the admin of the system "helped" me by getting the system ready, all booted up and logged in to admin for when I arrived on-site….At that point the USB reg keys were all time stomped to that date and time.

pakim
(@pakim)
Eminent Member
Joined: 15 years ago
Posts: 30
 

> I have had it happen when multiple users use the same box. Example was when I was investigating the subject user and the admin of the system "helped" me by getting the system ready, all booted up and logged in to admin for when I arrived on-site….At that point the USB reg keys were all time stomped to that date and time.

In this case - I guess - it might have been useful to investigate restore points registry hives with tools such as ripxp. I happened to find it very useful when multiple operations (usb insertions, program launch, etc…) had been issued on systems where restore snapshots had luckily been automatically stored.

But I think that Harlan is the best voice if you want reliable and well written info on this topic! :-)

Paolo

(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Pakim - trust me I thought of that - Win 7 box and no restore points ….hopefully a tool like Shadow Analyzer will be out soon!

pakim
(@pakim)
Eminent Member
Joined: 15 years ago
Posts: 30
 

> Pakim - trust me I thought of that - Win 7 box and no restore points ….hopefully a tool like Shadow Analyzer will be out soon!

Ah, sure… in my mind I was thinking about XP, forgetting that WIN7 is growing steeper nowadays!

(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Kids today and their newfangled OS's! *shakes fist*

Well it is the cycle of forensics: challenge, overcome, accept…..take for granted :) Wash and repeat.

And on the shadows topic
http://forensic4cast.com/2010/04/20/presentation-into-the-shadows/
