Hi,
Is there open source software available that will let me
i) Trace the history of external drive usage (USB etc.)
ii) Trace the history of a user accessing a particular file on the computer.
thanks!
Afternoon
i) Trace the history of external drive usage (USB etc.)
Run Regedit
HKLM, System, Current Control Set, Enum, USBSTOR, (Data located in here)
If you're not looking for this information on the local machine, then export the registry data from the forensic image, and use something like FTK Registry Viewer, or any free registry viewer will do.
Hope this helps
Tom
thanks Tom!
Hi,
Is there open source software available that will let me
i) Trace the history of external drive usage (USB etc.)
ii) Trace the history of a user accessing a particular file on the computer.
thanks!
RegRipper has plugins for i), as well as ii).
Have a look at the Open Source Theology publication.
There's also a tool called USBDeview for i)
Freeware, available
It can be used on live systems or on the SYSTEM registry hive.
USBDeview.exe /regfile "c:\temp\regfiles\SYSTEM"
Well, you can try RegRipper.
You can also extract info about USB drives by using "usbhistory" (it's a free tool).
I would have to agree with keeper. USBDeview is one of the easiest that I have come across. I am working on something similar myself, and have found it to be easy and accurate.
Mitch Machor
Machor Software
Assuming we're talking Windows, understanding the registry is the most important factor here.
USBDeview just rips the information straight from the registry anyway, but knowing where it gets that information, how it is written, etc. is something you should know if using the data for evidence.
Check out this whitepaper:
http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry
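
Added example, not part of any post in this thread and not code from any of the tools mentioned: a small Python parser that reads the USBSTOR key from a text (.reg) registry export and lists each device instance, to show how the data is laid out under that key. The sample export is constructed, and the function name is hypothetical; the `Disk&Ven_...&Prod_...&Rev_...` subkey naming and the meaning of `&` as the second character of the instance ID are standard Windows behaviour.

```python
import re

# Constructed sample in regedit .reg export layout (not from a real system).
# A real export is usually UTF-16; decode it before passing the text in.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00\AA00000000000123&0]
"FriendlyName"="ExampleCo FlashDrive USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Storage&Rev_0.01\6&1a2b3c4d&0]
"FriendlyName"="Generic Storage USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Storage&Rev_0.01\6&1a2b3c4d&0\Device Parameters]
'''

# Matches only keys exactly two levels below USBSTOR: <device class>\<instance ID>.
KEY_RE = re.compile(r'^\[.*\\Enum\\USBSTOR\\([^\\\]]+)\\([^\\\]]+)\]$', re.I)
DEV_RE = re.compile(
    r'^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$', re.I)
VAL_RE = re.compile(r'^"FriendlyName"="(.*)"$')

def parse_usbstor(reg_text):
    """Return one dict per USBSTOR device instance found in a .reg export."""
    devices, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            m = KEY_RE.match(line)
            d = DEV_RE.match(m.group(1)) if m else None
            current = None  # values under other keys are ignored
            if d:
                instance = m.group(2)
                current = dict(d.groupdict(), instance_id=instance, friendly_name=None,
                    # '&' as second character: Windows generated this ID because
                    # the device reported no unique serial number.
                    has_unique_serial=not (len(instance) > 1 and instance[1] == '&'))
                devices.append(current)
        elif current is not None:
            v = VAL_RE.match(line)
            if v:
                current['friendly_name'] = v.group(1)
    return devices

if __name__ == '__main__':
    for dev in parse_usbstor(SAMPLE_REG):
        print(dev)
```

An instance ID without a unique serial number cannot tie the entry to one physical device, which matters when the data is used as evidence.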