Hi all,
Just a quick question really. I spent the best part of yesterday evening reading a PDF called Tracing USB Device artefacts on Windows XP by Victor Chileshe Luo. It was really interesting and got me thinking whether the same could be done with Ubuntu.
Now I checked Ubuntu's syslog and that manages to recognise a device has been plugged in. Is there anywhere else I could search within Ubuntu for more info, i.e. another log?
Thanks in advance!
Nathan,
If nothing else look into the /etc/blkid.tab and /etc/blkid.tab.old files.
Cheers!
farmerdude
Apologies for the delay farmerdude.
Thanks for the advice. Will most definitely give that a shot!
Nathan
Did you look at dmesg? This, typically, records when devices are detected by the OS.
Hi Nathan,
No worries. blkid.tab and blkid.tab.old will wait for you.
While the contents of 'dmesg' are volatile and soon to be forgotten, blkid.tab files are there until something forces them to change or go away.
Cheers!
farmerdude
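The thread names two places to look for USB history on a Linux box: the kernel messages (syslog or dmesg) and the blkid cache (blkid.tab). Below is an added example, not code from the thread or from any of its posters, that parses both and joins them into one per-device timeline: the kernel lines give the USB port, vendor/product IDs, manufacturer, product string, serial number, the block device the usb-storage path attached, and the connect/disconnect times; the blkid entries add filesystem type, label, UUID and the last time blkid probed the partition. It assumes the usual kernel message shapes shown in the sample (syslog-prefixed or raw dmesg output both work) and the blkid cache format of one `<device ...>/dev/node</device>` line per entry with a `TIME` attribute in epoch seconds; every log line and cache entry below is constructed, not captured from a real system.

```python
"""Correlate USB-insertion evidence from kernel messages (syslog / dmesg)
and the blkid cache (blkid.tab). Added example, not from the thread.
All sample data below is constructed."""
import re
from datetime import datetime, timezone

# Constructed syslog lines in the shape the kernel logs a USB mass-storage attach/detach.
SYSLOG_SAMPLE = """\
Jan 15 09:12:01 lab kernel: [ 1234.567890] usb 1-2: new high-speed USB device number 5 using ehci_hcd
Jan 15 09:12:01 lab kernel: [ 1234.700012] usb 1-2: New USB device found, idVendor=0781, idProduct=5567
Jan 15 09:12:01 lab kernel: [ 1234.700025] usb 1-2: Product: Cruzer Blade
Jan 15 09:12:01 lab kernel: [ 1234.700029] usb 1-2: Manufacturer: SanDisk
Jan 15 09:12:01 lab kernel: [ 1234.700033] usb 1-2: SerialNumber: 4C530001234567890123
Jan 15 09:12:01 lab kernel: [ 1234.800000] scsi6 : usb-storage 1-2:1.0
Jan 15 09:12:02 lab kernel: [ 1235.812345] sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jan 15 09:30:44 lab kernel: [ 2357.001122] usb 1-2: USB disconnect, device number 5
"""

# Constructed blkid cache entries (assumed format: one <device ...>node</device> per line).
BLKID_SAMPLE = """\
<device DEVNO="0x0801" TIME="1263500000" UUID="c1d2e3f4-0000-1111-2222-333344445555" TYPE="ext4">/dev/sda1</device>
<device DEVNO="0x0811" TIME="1263546722" UUID="4E1A-D2C3" TYPE="vfat" LABEL="CRUZER">/dev/sdb1</device>
"""

# Accepts a syslog line ("Mon DD hh:mm:ss host kernel: ...") or raw dmesg output ("[ secs] ...").
KMSG_RE = re.compile(r"^(?:(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: )?"
                     r"(?:\[ *(?P<uptime>[\d.]+)\] )?(?P<msg>.*)$")
NEW_DEV_RE = re.compile(r"^usb (?P<port>[\d.-]+): new .*device number (?P<num>\d+)")
IDS_RE = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, "
                    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STR_RE = re.compile(r"^usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.+)$")
SCSI_HOST_RE = re.compile(r"^scsi(?: host)?(?P<host>\d+) ?: usb-storage (?P<port>[\d.-]+):\d+\.\d+")
SD_RE = re.compile(r"^sd (?P<host>\d+):\d+:\d+:\d+: \[(?P<dev>sd[a-z]+)\] Attached SCSI")
DISC_RE = re.compile(r"^usb (?P<port>[\d.-]+): USB disconnect, device number (?P<num>\d+)")
BLKID_RE = re.compile(r"<device (?P<attrs>[^>]*)>(?P<node>[^<]+)</device>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
STRING_KEYS = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}


def parse_kernel_log(text):
    """Return one record per USB attach session seen in the log, in log order."""
    sessions, open_by_port, host_to_port = [], {}, {}
    for line in text.splitlines():
        m = KMSG_RE.match(line)
        ts = m["ts"] or (f"+{m['uptime']}s" if m["uptime"] else None)
        msg = m["msg"]
        d = NEW_DEV_RE.match(msg)
        if d:  # a new device on a port starts a new session and replaces any old one
            rec = dict.fromkeys(("vendor_id", "product_id", "product", "manufacturer",
                                 "serial", "block_device", "disconnected"))
            rec.update(port=d["port"], devnum=int(d["num"]), connected=ts, partitions=[])
            open_by_port[d["port"]] = rec
            sessions.append(rec)
            continue
        d = IDS_RE.match(msg)
        if d and d["port"] in open_by_port:
            open_by_port[d["port"]].update(vendor_id=d["vid"], product_id=d["pid"])
            continue
        d = STR_RE.match(msg)
        if d and d["port"] in open_by_port:
            open_by_port[d["port"]][STRING_KEYS[d["key"]]] = d["val"]
            continue
        d = SCSI_HOST_RE.match(msg)
        if d:  # the SCSI host created for this port links later "sd ..." lines to it
            host_to_port[d["host"]] = d["port"]
            continue
        d = SD_RE.match(msg)
        if d and host_to_port.get(d["host"]) in open_by_port:
            open_by_port[host_to_port[d["host"]]]["block_device"] = "/dev/" + d["dev"]
            continue
        d = DISC_RE.match(msg)
        if d and d["port"] in open_by_port:
            open_by_port.pop(d["port"])["disconnected"] = ts
    return sessions


def parse_blkid_tab(text):
    """Parse blkid cache entries; DEVNO is the kernel dev_t (major in bits 8-15, minor in 0-7)."""
    entries = []
    for m in BLKID_RE.finditer(text):
        a = dict(ATTR_RE.findall(m["attrs"]))
        devno = int(a.get("DEVNO", "0"), 16)
        probed = (datetime.fromtimestamp(float(a["TIME"]), tz=timezone.utc).isoformat()
                  if "TIME" in a else None)
        entries.append({"node": m["node"], "major": devno >> 8, "minor": devno & 0xFF,
                        "uuid": a.get("UUID"), "type": a.get("TYPE"),
                        "label": a.get("LABEL"), "last_probed": probed})
    return entries


def build_timeline(kernel_text, blkid_text):
    """Attach the cache entries for each session's block device (and its partitions)."""
    sessions = parse_kernel_log(kernel_text)
    cache = parse_blkid_tab(blkid_text)
    for rec in sessions:
        if rec["block_device"]:
            pat = re.compile(re.escape(rec["block_device"]) + r"\d*$")
            rec["partitions"] = [e for e in cache if pat.match(e["node"])]
    return sessions


if __name__ == "__main__":
    for rec in build_timeline(SYSLOG_SAMPLE, BLKID_SAMPLE):
        print(f"{rec['connected']} .. {rec['disconnected']}: usb {rec['port']} "
              f"{rec['vendor_id']}:{rec['product_id']} {rec['manufacturer']} {rec['product']} "
              f"serial={rec['serial']} as {rec['block_device']}")
        for p in rec["partitions"]:
            print(f"    {p['node']} {p['type']} label={p['label']} last probed {p['last_probed']}")
```

On a real system you would feed it the rotated syslog files as well as the live one, since the serial number and vendor/product pair are what let you tie the same stick to several insertions, and a disconnect line with no matching attach usually means the attach fell outside the retained log window. A cache entry whose `TIME` is later than the last kernel disconnect for that device is itself a finding: something probed the partition after the log stopped recording it.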
Apparently not anymore!
The below is from
The system frequently invokes blkid, however it invokes it in "direct probe" mode and stores the results in the udevdb - which is where all modern software gets the information.
So it's quite normal for blkid.tab to be a dangling symlink until an application that hasn't been ported to udev runs blkid (at which point it's populated).
The reason you don't see one is because most things have switched to udev.
I have just verified this on my Ubuntu 9.10 (x64) box which has USB devices plugged in and out of it all the time.
I have not had the chance to look at "udev" yet.
Stu
While the contents of 'dmesg' are volatile and soon to be forgotten, blkid.tab files are there until something forces them to change or go away. )
True. I was suggesting "in addition to" not "instead of" blkid.
As for "soon to be forgotten", modern Linuxes have fairly large kernel buffers. I have some systems that have been up for over a year and I haven't, yet, flushed the kernel buffer of all of the records from the bootup.
I also have systems where there exists no /etc/blkid.tab or /etc/blkid/blkid.tab (for FHS compliant Linuxes) after a USB insertion.
My interpretation of the original question was "If I have to analyze a Linux system where can I find historical USB information". With that, I have found much more information in the blkid.tab files than in the system messages over any period of time.
Cheers!
farmerdude
My interpretation of the original question was "If I have to analyze a Linux system where can I find historical USB information". With that, I have found much more information in the blkid.tab files than in the system messages over any period of time.
As they say, "your mileage may vary."
lol
Thanks again for your help guys. Much appreciated, especially as I'm a newbie to both computer forensics and Linux. A lot to take in but without a doubt beats my old desktop support job hands down!