Simultaneous USB Last Write Times?

(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Hi, hope someone can help and also hope that I've not missed something obvious. I'm examining an image of a laptop drive which was used by a recently-departed employee who is suspected of moving confidential information out of the company. Quite apart from the fact that on the day before he left he appears to have connected a new U3 device and shortly afterwards run East-Tec Eraser, I don't understand the following.

Using RegRipper, in the System hive (USBStor: ControlSet001\Enum\USBStor) 61 USB devices are listed. Of these, 57 have exactly the same Last Write Time of Mon Apr 19 14:32:34 2010. The other 4 all post-date these entries, as follows:
CdRom&Ven_Walletex&Prod_WalletFlash&Rev_PMAP [Mon Aug 9 15:07:45 2010]
Disk&Ven_Walletex&Prod_WalletFlash&Rev_PMAP [Mon Aug 9 15:07:45 2010]
Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02 [Thu May 6 22:15:59 2010]
Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00 [Tue May 4 21:14:43 2010]

The user had his laptop for about 4 years, there are three setupapi.log files (including .0.old and .1.old) and for example one of the devices with Apr 19th Last Write Time was installed on 18th June.

On Apr 19th there are a large number of Windows Updates reported by RegRipper in \Software\Microsoft\Windows\CurrentVersion\Uninstall, including the XP3 update, various security updates for Windows XP, and various updates for Windows XP. These commence at 15:34:17 and finish at 15:58:57.

FYI the user appears to have logged off for the last time on August 10th.

So my question is, what could have caused these simultaneous date/time stamps? I've tried Googling and also searched in FF but can't see anything related to this. Any pointers?

OS is XP3 SP3

Thanks


Fab4
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
 

I've seen this a couple of times before on XP, albeit that it has not been of relevance in the cases.

My theory (and it is untested to date) is that a SP upgrade is responsible. Looking at your timestamps, that may fit assuming the laptop's time was set at BST and RegRipper is reporting UTC.


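The check the two posts above describe can be scripted: group USBSTOR subkeys by identical LastWrite time to expose a bulk rewrite, then test whether the dominant cluster lines up with the Apr 19th update window once an assumed clock offset (Fab4's BST/UTC suggestion) is applied. This is an added example for this thread, not code from RegRipper or from any poster; the device names in the first four sample lines are invented stand-ins for the 57 identical entries, the timestamps are the ones quoted in the first post, and the offset and the 5-minute slack are analyst assumptions.

```python
"""Detect bulk-rewrite clusters among USBSTOR subkey LastWrite times.

Added example for this thread; not code from the forum, RegRipper or any poster.
Input is RegRipper-style "<subkey> [<ctime>]" lines. The sample below is
constructed: timestamps from the first post, invented device names in the
first four lines standing in for the 57 identical entries.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (first four device names are made up).
SAMPLE_USBSTOR = """\
Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07 [Mon Apr 19 14:32:34 2010]
Disk&Ven_Lexar&Prod_JumpDrive&Rev_1100 [Mon Apr 19 14:32:34 2010]
Disk&Ven_Kingston&Prod_DT_101_II&Rev_PMAP [Mon Apr 19 14:32:34 2010]
Disk&Ven_Sony&Prod_Storage_Media&Rev_0100 [Mon Apr 19 14:32:34 2010]
CdRom&Ven_Walletex&Prod_WalletFlash&Rev_PMAP [Mon Aug  9 15:07:45 2010]
Disk&Ven_Walletex&Prod_WalletFlash&Rev_PMAP [Mon Aug  9 15:07:45 2010]
Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02 [Thu May  6 22:15:59 2010]
Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00 [Tue May  4 21:14:43 2010]
"""

LINE_RE = re.compile(r"^(?P<key>\S+)\s+\[(?P<ts>.+?)\]$")
FMT = "%Y-%m-%d %H:%M:%S"


def parse_usbstor(text):
    """Return [(subkey, LastWrite as a naive UTC datetime), ...]."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        # RegRipper prints key LastWrite times in UTC in ctime() layout.
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        entries.append((m.group("key"), ts))
    return entries


def lastwrite_clusters(entries, min_size=3):
    """Map 'YYYY-MM-DD HH:MM:SS' -> subkeys sharing that exact LastWrite time.

    Only groups of at least min_size are returned. Several unrelated devices
    sharing one second-precision LastWrite time means something rewrote all
    the subkeys at once (service pack, driver update, ...), so that value is
    not evidence of when any of those devices was last connected.
    """
    by_ts = defaultdict(list)
    for key, ts in entries:
        by_ts[ts.strftime(FMT)].append(key)
    return {ts: keys for ts, keys in sorted(by_ts.items()) if len(keys) >= min_size}


def fits_update_window(cluster_ts, start_ts, end_ts, offset_hours, slack_minutes=5):
    """True if the cluster time, shifted by a hypothesised zone offset, lands
    just before or inside the update window (all arguments in FMT strings).

    offset_hours expresses the hypothesis that the two sources are reported in
    different zones (Fab4's BST-vs-UTC suggestion: 1). The slack is an
    assumption to allow for the gap between a key rewrite and the first
    Uninstall entry.
    """
    cluster = datetime.strptime(cluster_ts, FMT) + timedelta(hours=offset_hours)
    start = datetime.strptime(start_ts, FMT) - timedelta(minutes=slack_minutes)
    end = datetime.strptime(end_ts, FMT) + timedelta(minutes=slack_minutes)
    return start <= cluster <= end


def assess(text, start_ts, end_ts, offset_hours):
    """Return [(cluster_time, device_count, fits_window), ...] findings."""
    clusters = lastwrite_clusters(parse_usbstor(text))
    return [(ts, len(keys), fits_update_window(ts, start_ts, end_ts, offset_hours))
            for ts, keys in clusters.items()]


if __name__ == "__main__":
    # Update window from the first post, tried with a +1h (BST) and a 0h offset.
    for offset in (1, 0):
        for ts, n, fits in assess(SAMPLE_USBSTOR, "2010-04-19 15:34:17",
                                  "2010-04-19 15:58:57", offset):
            print(f"offset {offset:+d}h: {n} subkeys share LastWrite {ts}; "
                  f"fits update window: {fits}")
```

On the sample the Apr 19th cluster fits the update window only with the one-hour offset applied, which is the shape of Fab4's theory; on a real case the point of the clustering step is simply that a shared LastWrite time should be discarded as a last-connected indicator, and the timeline rebuilt from setupapi.log, the MountedDevices and DeviceClasses keys, or an earlier restore-point copy of the hive as Chad suggests below.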
(@chad131)
Trusted Member
Joined: 16 years ago
Posts: 63
 

Check your restore points. I had the same issue where a driver update for a USB Microsoft Mouse reset all the USBSTOR timestamps to the same value. If you can find a backup of the registry from a restore point prior to the update, you may be able to get the info you need.

–Chad


(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Chad, Fab4 - thanks for the pointers. I also noticed that the last entry in UserAssist prior to Apr 19th is on Fri Apr 16th, UEME_RUNCPL:"C:\WINDOWS\system32\main.cpl",Mouse. Mebbe just co-incidence.

FYI, in his documentation for RegRipper Harlan says that RegRipper reports all times in UTC.

Being a relative newcomer, guess I'll have to go and research Restore Points now :)


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Hi, hope someone can help and also hope that I've not missed something obvious. I'm examining an image of a laptop drive which was used by a recently-departed employee who is suspected of moving confidential information out of the company. Quite apart from the fact that on the day before he left he appears to have connected a new U3 device and shortly afterwards run East-Tec Eraser, I don't understand the following.

…snip…

So my question is, what could have caused these simultaneous date/time stamps? I've tried Googling and also searched in FF but can't see anything related to this. Any pointers?

After reading your post a couple of times, I'm left wondering…what are you trying to determine or demonstrate?

I guess what I'm wondering is, given what you'd presented about your case (great job on including the OS, BTW…thanks, that's helpful), what are you trying to show?

Are you trying to demonstrate the last time that these devices were connected to the system? I mean, your post is thorough, and seems to be going in that direction, but b/c you're looking at the contents of the USBStor key, it seems that you're interested in something that doesn't necessarily apply to the case. After all, it's very well and thoroughly documented that if you're trying to show when the devices were last connected to a system, you do NOT look in the USBStor key.

To directly address your question, though, I've seen these circumstances before, but to be honest, since the finding was not pertinent to the case, it's not something I put a lot of effort into researching.

HTH,

h


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

…hhhhmmmm….


(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Harlan, thanks for the reply, always honoured when you take an interest. You're right of course, what I noticed in terms of LastWrite time for the USB devices in USBStor is not directly connected to the primary aims of the investigation.

Which were (a) to have a look at Recent Documents to see if there were any indications of files having been saved (not copied/drag&drop etc) on external media and (b) looking via NetAnalysis for file access. My feeling as soon as I saw the use of East-Tec Eraser was that it would have obliterated anything useful in this regard if the user had his brain in gear, and so far I've been proven correct :(. Installing and running Eraser is in itself an artefact; it would have helped if there had been some IE history to show access to East-Tec's site around the same time (circumstantial I know) but I don't even have that.

The user however wasn't quite as clever as he thought as he used IE after Eraser and has left behind some clues as to pages he visited on an internal web-site with specific information, although that's all they are, clues.

To answer your question more directly, I was looking at USBStor (while FTK was processing the Image) to get an indication of what devices had been used and a rough time frame - any further analysis and I'd have looked elsewhere. When I saw the simultaneous LastWrite times for so many devices I wondered what possible causes might have been, hence posting. Just in case I came across it again, especially if there had been no subsequent USB LastWrite times.

I'll document the settings for Eraser in my report but this investigation is going nowhere other than proving a useful learning exercise for me.

Hope this clarifies

Regards


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

To answer your question more directly, I was looking at USBStor (while FTK was processing the Image) to get an indication of what devices had been used and a rough time frame - any further analysis and I'd have looked elsewhere. When I saw the simultaneous LastWrite times for so many devices I wondered what possible causes might have been, hence posting. Just in case I came across it again, especially if there had been no subsequent USB LastWrite times.

There may be a number of possible causes for this…including updates, etc. I think that due to the fact that these keys are not directly pertinent to the majority of what's looked at with regard to most analyses, it hasn't been pursued.

I haven't run across this eraser program before…did you try using Regslack?


(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
Topic starter  

Harlan, 'fraid I'm only part-time at this - first investigation since May :( - and RegSlack's not something I've used or come across. Lack of technical knowledge could be about to get the better of me but I'll do some research.


(@dietro)
Trusted Member
Joined: 20 years ago
Posts: 51
 

On Apr 19th there are a large number of Windows Updates reported by RegRipper in \Software\Microsoft\Windows\CurrentVersion\Uninstall, including the XP3 update, various security updates for Windows XP, and various updates for Windows XP. These commence at 15:34:17 and finish at 15:58:57.

snip

So my question is, what could have caused these simultaneous date/time stamps? I've tried Googling and also searched in FF but can't see anything related to this. Any pointers?

The answer to your question is contained in your background information.

Thanks

You are welcome.

