same usb at the same time !!

jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

You are seemingly still putting in the same basket *any* trace related to the given date, without considering the time.

From the screenshots of the various tools you posted, it seems to me that a line must be drawn.

With reference to the USB Detective screenshot you posted here
https://www.forensicfocus.com/Forums/viewtopic/p=6594615/#6594615

You have a set of timestamps, ALL on 2018/03/20, that can be divided in two:
1) 8:25:20 AM
2) various times in the interval between 1:03:05 PM and 1:50:50 PM

Timestamps in #1 are not backed up/confirmed by *anything else* (so it is likely that they do not represent what happened), timestamps in #2 have some confirmations, so it is likely that they are an accurate representation.

Timestamps related to Registry backup are much earlier (still on the same day) between 5:59:26 AM and 6:16:54 AM, and as well the attempt to Windows update is at 7:59:34 AM, so all this activity should be unrelated.

Again, you need to make a COMPLETE TIMELINE and from that possibly obtain some more based theory of what happened.

As a side note I find if not suspect at least "queer" that (with the owner in jail) the system was on (at all) but particularly that it was on so early as (at the very least) before 6 o'clock in the morning.

jaclaz

 
Posted : 04/06/2018 10:56 am
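As an added illustration of the grouping jaclaz is describing (this is not code from the thread or from USB Detective; the rows are constructed, with times chosen to mirror the clusters above), the script below sorts timeline rows, splits them into activity windows wherever the gap between consecutive events exceeds a threshold, and flags windows that rest on a single artifact source:

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample timeline rows for 2018-03-20: (timestamp, artifact source, description).
# The times mirror the clusters discussed in the thread, but the rows themselves are invented.
SAMPLE_EVENTS = [
    ("2018-03-20 05:59:26", "regback",      "RegBack: SYSTEM hive copy written"),
    ("2018-03-20 06:16:54", "regback",      "RegBack: SOFTWARE hive copy written"),
    ("2018-03-20 07:59:34", "winevt",       "WindowsUpdateClient: update attempt"),
    ("2018-03-20 08:25:20", "usbdetective", "USBSTOR first install time"),
    ("2018-03-20 13:03:05", "usbdetective", "USBSTOR last connect time"),
    ("2018-03-20 13:20:00", "winevt",       "DriverFrameworks-UserMode: device arrival"),
    ("2018-03-20 13:38:15", "lnk",          "Shortcut to I:\\DCIM\\photo.jpg created"),
    ("2018-03-20 13:50:50", "setupapi",     "setupapi.dev.log: USBSTOR device install"),
]


def parse_events(events):
    """Turn (text timestamp, source, description) rows into sorted datetime tuples."""
    return sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, desc) for ts, src, desc in events
    )


def cluster_by_gap(events, max_gap=timedelta(minutes=20)):
    """Walk the sorted events and open a new activity window whenever the gap
    to the previous event exceeds max_gap. Returns a list of lists."""
    clusters = []
    for ev in parse_events(events):
        if clusters and ev[0] - clusters[-1][-1][0] <= max_gap:
            clusters[-1].append(ev)
        else:
            clusters.append([ev])
    return clusters


def summarize(clusters):
    """For each window report its span, how many events it holds, which artifact
    sources contributed, and whether more than one independent source agrees."""
    summary = []
    for window in clusters:
        sources = Counter(src for _, src, _ in window)
        summary.append({
            "start": window[0][0],
            "end": window[-1][0],
            "events": len(window),
            "sources": sorted(sources),
            "corroborated": len(sources) > 1,
        })
    return summary


def activity_windows(events=SAMPLE_EVENTS, max_gap=timedelta(minutes=20)):
    """Convenience wrapper: cluster then summarize."""
    return summarize(cluster_by_gap(events, max_gap))


if __name__ == "__main__":
    for w in activity_windows():
        flag = "" if w["corroborated"] else "  <-- single source, treat with caution"
        print(f"{w['start']:%H:%M:%S} - {w['end']:%H:%M:%S}  "
              f"{w['events']} event(s) from {', '.join(w['sources'])}{flag}")
```

With the 20-minute gap the sample splits into four windows: the early registry backup, the update attempt, the lone 8:25:20 USB timestamp (only one source speaks for it) and the lunch-time cluster, where four different artifact types agree. The threshold is a parameter because the right value depends on how noisy the system is; try a couple of values and see which windows survive.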
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

How can I create a timeline? I tried log2timeline; it creates a big CSV file (2 GB) that I can't open with Excel!!
Is there any way to filter it, or open it with any free tool?
Or is there any other method or tool to create a timeline?

 
Posted : 08/06/2018 1:11 am
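One way around the 2 GB problem, as an added example rather than anything posted in the thread: stream the log2timeline CSV one row at a time and write out only the day (and optionally the artifact type) of interest, counting events per hour on the way so you can see when the machine was busy before opening anything in a spreadsheet. The column list is the l2tcsv layout as I know it (an assumption; check the header line of your own file), and the sample rows are constructed, not evidence from the case.

```python
import csv
import io
import sys
from collections import Counter

# Column order of plaso/log2timeline's l2tcsv output (assumed here; confirm against
# the header line of your own file, since psort can emit other layouts).
L2T_COLUMNS = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type",
               "user", "host", "short", "desc", "version", "filename", "inode",
               "notes", "format", "extra"]


def _row(date, time, source, sourcetype, desc, filename="-"):
    """Build one l2tcsv row with the right number of fields; unused fields get '-'."""
    r = dict.fromkeys(L2T_COLUMNS, "-")
    r.update(date=date, time=time, timezone="UTC", MACB="....", source=source,
             sourcetype=sourcetype, desc=desc, filename=filename, host="MOFFICE_2")
    return [r[c] for c in L2T_COLUMNS]


def build_sample():
    """Constructed miniature l2tcsv file (not real evidence) spanning three days."""
    rows = [
        ("03/19/2018", "23:58:01", "REG", "Registry Key", "HKLM\\SYSTEM\\ControlSet001\\Enum\\USBSTOR"),
        ("03/20/2018", "05:59:26", "FILE", "NTFS USN change", "RegBack\\SYSTEM hive written"),
        ("03/20/2018", "07:59:34", "EVT", "WinEVTX", "[20 / 0x0014] Microsoft-Windows-WindowsUpdateClient"),
        ("03/20/2018", "08:25:20", "REG", "Registry Key", "USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk"),
        ("03/20/2018", "13:03:05", "EVT", "WinEVTX", "[2003 / 0x07d3] Microsoft-Windows-DriverFrameworks-UserMode"),
        ("03/20/2018", "13:38:15", "LNK", "Windows Shortcut", "I:\\DCIM\\photo.jpg", "photo.jpg.lnk"),
        ("03/21/2018", "09:00:00", "FILE", "NTFS USN change", "pagefile.sys"),
    ]
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(L2T_COLUMNS)
    for row in rows:
        w.writerow(_row(*row))
    return buf.getvalue()


def filter_l2tcsv(src, dst, date, source_filter=None):
    """Stream src row by row (the whole file is never loaded), writing to dst the rows
    for the given date and, if source_filter is set, only those whose source/sourcetype
    contains it (case-insensitive). Returns (rows kept, Counter of events per hour)."""
    reader = csv.DictReader(src)
    writer = csv.DictWriter(dst, fieldnames=reader.fieldnames, lineterminator="\n",
                            extrasaction="ignore")  # tolerate ragged rows
    writer.writeheader()
    kept, per_hour = 0, Counter()
    for row in reader:
        if row["date"] != date:
            continue
        haystack = f"{row['source']} {row['sourcetype']}".lower()
        if source_filter and source_filter.lower() not in haystack:
            continue
        writer.writerow(row)
        kept += 1
        per_hour[row["time"][:2]] += 1
    return kept, per_hour


def demo(date="03/20/2018", source_filter=None):
    """Run the filter over the constructed sample; returns (kept, per_hour, csv_text)."""
    dst = io.StringIO()
    kept, per_hour = filter_l2tcsv(io.StringIO(build_sample()), dst, date, source_filter)
    return kept, per_hour, dst.getvalue()


if __name__ == "__main__":
    # Usage: python filter_l2t.py timeline.csv 03/20/2018 [WinEVTX] > day.csv
    path, date = sys.argv[1], sys.argv[2]
    flt = sys.argv[3] if len(sys.argv) > 3 else None
    with open(path, newline="", encoding="utf-8", errors="replace") as fh:
        kept, hours = filter_l2tcsv(fh, sys.stdout, date, flt)
    print(f"kept {kept} rows; per hour: {dict(sorted(hours.items()))}", file=sys.stderr)
```

The per-hour counter is the cheap first pass: on a 2 GB file it tells you which hours of 2018-03-20 carry activity at all, and the filtered day file is small enough for Excel (which stops at 1,048,576 rows) or any text editor.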
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Qassam,

As my friend and mentor Jaclaz would say, “you are looking at this backwards 😯 “.

What series of human activities are you trying to prove or disprove happened?

Are you, for example, attempting to determine if there is evidence on the computer beyond a reasonable doubt that a specific individual (1) logged into a Windows user account (confirm Windows SID first! Also determine what other Windows SIDs were also logged in concurrently), then (2) launched a browser and logged into a VPN service (check browser caches and saved passwords), then (3) searched for contraband torrents (browser history caches), then (4) downloaded a specific torrent file (check Internet Explorer history), then (5) launched eMule (check MAC metadata for eMule .lnk file and .exe files and registry values), then (6) downloaded contraband files, etc. etc. etc.

As independent experts we should only form opinions based upon evidence that any qualified peer could 100% replicate.

I am confused why your coworkers are now “looking at other people”. Are you not the computer forensic examiner on the case? What specific activities (and supporting forensic evidence) are your colleagues basing their suspicions on? Is it something you could verify or prove false through your own forensic analysis? I would start there.

 
Posted : 08/06/2018 2:12 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

How can I create a timeline? I tried log2timeline; it creates a big CSV file (2 GB) that I can't open with Excel!!
Is there any way to filter it, or open it with any free tool?
Or is there any other method or tool to create a timeline?

http://record-editor.sourceforge.net/Record02.htm

http://recsveditor.sourceforge.net/

jaclaz

 
Posted : 08/06/2018 8:57 am
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

Hello friends, sorry for the late reply .... but I was on vacation for 15 days :)
I converted the whole image to a timeline via the log2timeline tool and this is the result ....

For the USBs at the same time:

I found these 2 events in the timeline before multiple USBs start to appear in the log ...

1- [102 / 0x0066] Source Name: Microsoft-Windows-TaskScheduler Strings: ['\Microsoft\Windows\SystemRestore\SR', 'NT AUTHORITY\SYSTEM', '{C227776E-C9C8-4755-8D76-5301D50CA1DF}'] Computer Name: MOFFICE_2.****.ps Record Number: 104352 Event Level: 4

2- [201 / 0x00c9] Source Name: Microsoft-Windows-TaskScheduler Strings: ['\Microsoft\Windows\SystemRestore\SR', '{C227776E-C9C8-4755-8D76-5301D50CA1DF}', 'C:\Windows\system32\rundll32.exe', '0'] Computer Name: MOFFICE_2..ps Record Number: 104351 Event Level: 4

According to Microsoft these events mean:

102 means the Task Completed

201 means the Action Completed

Windows started updating registry values from (2018-03-20T08:25:12.997855+0200) to 2018-03-20T08:26:08.763045+0200, then came this event ID:

[1016 / 0x03f8] Source Name: Microsoft-Windows-ReadyBoost Strings: ['2018-03-20T08:26:08.047003600Z', '0', '702', '1'] Computer Name: MOFFICE_2.**.ps Record Number: 1611 Event Level: 4

1016: I don't know what this event means :(
8224: Event ID 8224 is simply information, indicating that VSS is done doing what it was doing, and has now gone idle.

Do these events and processes clear up why multiple USBs appear in Autopsy, and can you explain to me what is happening here?

Then, after I went deeper into the logs, I found that the computer was being used at that time :)

As you can see there are some portable disks and USBs plugged into the PC at different times ...
Another confirmation from the log

And another

And the logs show that someone ran the ipconfig command on the system and saved the output to the C:\ drive

I think this is enough evidence that there are other people involved in this case?

 
Posted : 25/06/2018 8:54 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

And, AGAIN, you are mixing what happened on the SAME date:
1) early in the morning up to 8:30 AM
2) around lunch time, i.e. from 1:00 to 2:00 PM

The "\Microsoft\Windows\SystemRestore\SR" actions are automated, it is part of the "System Restore" scheduled task.

At that time a VSS (Volume Shadow) Copy was seemingly made, and somehow the process did reset a number of keys related to USB (and non-USB devices).

As well anything marked "WindowsReadyBoost" is "normal" automated activities of the OS.

From what you posted human interaction with the PC was only around lunch time, where some USB storage devices were definitely connected.

BTW the reference to the .JPG on the I: volume makes me think that maybe that is the drive letter assigned to a volume on the attached USB disk, which should allow you to retrieve the disk information from MountedDevices.

jaclaz

 
Posted : 25/06/2018 10:08 am
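To show what "retrieve the disk information from MountedDevices" looks like in practice, here is an added example (my own code, not from the thread or from any tool named in it). The value layouts it decodes are the documented ones: a 12-byte MBR value (disk signature plus partition offset), a `DMIO:ID:` prefix plus a GPT partition GUID, and a UTF-16LE PnP device path for USB and similar devices. The registry values themselves are constructed stand-ins, not data from the case.

```python
import struct
import uuid

# Device-interface class GUIDs that commonly terminate MountedDevices strings.
STORAGE_CLASS_GUIDS = {
    "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}": "GUID_DEVINTERFACE_DISK",
    "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}": "GUID_DEVINTERFACE_VOLUME",
}

# Constructed USB device path in the form Windows writes it (vendor/product/serial invented).
USB_STRING = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00"
              "#4C530001230209116392&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")

# Constructed stand-in for HKLM\SYSTEM\MountedDevices (value name -> REG_BINARY data).
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0x1A2B3C4D, 0x100000),          # MBR: signature + offset
    "\\DosDevices\\D:": b"DMIO:ID:" + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le,
    "\\DosDevices\\I:": USB_STRING.encode("utf-16-le"),
    "\\??\\Volume{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}": USB_STRING.encode("utf-16-le"),
}


def decode_mounted_device(data):
    """Classify one MountedDevices value: 12-byte MBR (signature + offset),
    'DMIO:ID:' + GPT partition GUID, or a UTF-16LE PnP device path."""
    if data.startswith(b"DMIO:ID:") and len(data) == 24:
        return {"kind": "gpt", "partition_guid": str(uuid.UUID(bytes_le=data[8:]))}
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr", "disk_signature": f"{signature:08X}", "partition_offset": offset}
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return {"kind": "unknown", "raw": data.hex()}
    if not (text.startswith("_??_") or text.startswith("\\??\\")):
        return {"kind": "unknown", "raw": data.hex()}
    parts = text[4:].split("#")          # bus, device id, instance id, class GUID
    info = {"kind": "pnp", "bus": parts[0], "device_path": text}
    if len(parts) >= 3:
        # Device id looks like Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00
        for field in parts[1].split("&"):
            for prefix, key in (("Ven_", "vendor"), ("Prod_", "product"), ("Rev_", "revision")):
                if field.startswith(prefix):
                    info[key] = field[len(prefix):]
        instance = parts[2]
        info["serial"] = instance.rsplit("&", 1)[0]              # drop the trailing "&0" counter
        info["serial_generated_by_windows"] = instance[1:2] == "&"  # '&' as 2nd char: no real serial
    if len(parts) >= 4:
        info["class_guid"] = parts[3]
        info["class"] = STORAGE_CLASS_GUIDS.get(parts[3].lower(), "unknown")
    return info


def drive_letter_device(mounted, letter):
    """Resolve a drive letter to its device and list the \\??\\Volume{GUID} names
    that carry identical data (the GUID other artifacts refer to). None if unknown."""
    name = f"\\DosDevices\\{letter.upper().rstrip(':')}:"
    if name not in mounted:
        return None
    data = mounted[name]
    info = decode_mounted_device(data)
    info["volume_guids"] = sorted(
        n[len("\\??\\Volume"):] for n, d in mounted.items()
        if n.startswith("\\??\\Volume{") and d == data
    )
    return info


if __name__ == "__main__":
    for name in sorted(n for n in SAMPLE_MOUNTED_DEVICES if n.startswith("\\DosDevices\\")):
        print(name, drive_letter_device(SAMPLE_MOUNTED_DEVICES, name[-2]))
```

Two cautions when you run this against a real hive: MountedDevices only records the *last* device that held a given letter, so I: proves which disk most recently had that letter, not which one held it on 2018-03-20 unless other artifacts (USBSTOR key timestamps, setupapi.dev.log, the LNK's volume serial) agree; and a serial flagged as Windows-generated cannot identify a specific physical stick.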
(@qassam22222)
Posts: 155
Estimable Member
Topic starter
 

And, AGAIN, you are mixing what happened on the SAME date:
1) early in the morning up to 8:30 AM
2) around lunch time, i.e. from 1:00 to 2:00 PM

The "\Microsoft\Windows\SystemRestore\SR" actions are automated, it is part of the "System Restore" scheduled task.

At that time a VSS (Volume Shadow) Copy was seemingly made, and somehow the process did reset a number of keys related to USB (and non-USB devices).

As well anything marked "WindowsReadyBoost" is "normal" automated activities of the OS.

From what you posted human interaction with the PC was only around lunch time, where some USB storage devices were definitely connected.

BTW the reference to the .JPG on the I: volume makes me think that maybe that is the drive letter assigned to a volume on the attached USB disk, which should allow you to retrieve the disk information from MountedDevices.

jaclaz

Thank you very much bro for helping ....
So I will rely on the logs that show that there is user interaction on the PC in court, because they said that the computer was turned off on that date :)

I think it's time to give the police an order to bring someone in :)

 
Posted : 25/06/2018 10:47 am