Question on USB drive  

psl485
(@psl485)
New Member

Hello,

I am trying to track the first time a USB Drive driver was installed on a Windows 7 computer. I located the Container ID and Class GUID for the USB drive, but there was no serial number linked to it in the Enum/USBSTOR registry file. I also located the hardware ID in the Enum/USB registry file. I then tried to locate the driver installation in setupAPI.DEV.log in the Root/Windows/INF folder to view it, but it was not there. The only setupapi files that were in the folder were setupapi.ev1, setupapi.ev2, setupapi.ev3 and setupAPI.offline.log.

Is it still possible to track driver installation without the serial number?

Does this mean that there is not a setupAPI.Dev.log file?

Also is there another way to locate the time and date of the USB driver installation?

Thanks

Posted : 14/10/2014 9:24 pm
keydet89
(@keydet89)
Community Legend

Did you check the DriverFramework-UserMode/Operational.evtx Windows Event Log file?

Did you create a timeline using just the contents of the above .evtx file, the Software, System, and NTUSER.DAT hives?

Posted : 15/10/2014 1:27 am
Deltron
(@deltron)
Active Member

You can check the cheat sheet for any locations you may have missed:
http://digital-forensics.sans.org/media/poster_fall_2013_forensics_final.pdf

Posted : 16/10/2014 1:47 am
MissIcey
(@missicey)
New Member

That poster is really great, Thanks Deltron!

Posted : 19/10/2014 11:16 pm