Hello, I have a question regarding tracking the activities of removable devices on a system and I'm wondering if I've missed any areas out. So far I have come up with the following ways (OS is XP/Vista):
Registry - serial numbers, plug-in times etc.
link files - files and so on
prefetch files -
Are there any other artifacts maintained by XP/Vista which can be used to trace USB activity?
thanks
such as…?
Have you read "Windows Forensic Analysis"?
> Have you read "Windows Forensic Analysis"?
Personal opinion here - do people think the board is more useful if people are pointed to resources which they have to pay for (such as keydet89's book, good as it is) or free resources (such as their experience)?
Just wondering!
For the OP, what about setupapi.log, Event Logs and application logs? And there is a brief bit
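Added example (not code from any poster in this thread): a small Python parser for the XP-style setupapi.log mentioned above. It takes the timestamp of each driver-install section, keeps only the USB/USBSTOR device instance IDs installed in it, and derives a first-seen time per device serial so the result can be lined up against the USBSTOR keys in the System hive. The log text is constructed in the layout of that file, and the "Windows-generated instance ID means no serial" rule is a heuristic assumption.

```python
import re
from datetime import datetime

# Constructed sample in the layout of a Windows XP setupapi.log; not a real capture.
SAMPLE_LOG = r"""
[2008/03/14 10:22:31 1304.13 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_0781&pid_5151&rev_0100,usb\vid_0781&pid_5151
#I123 Doing full install of "USB\VID_0781&PID_5151\0000E8D3C5F2A021".
[2008/03/14 10:22:34 1304.14 Driver Install]
#I123 Doing full install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_8.01\0000E8D3C5F2A021&0".
[2008/03/15 09:01:02 1420.3 Driver Install]
#I123 Doing full install of "PCI\VEN_8086&DEV_2829&SUBSYS_01F11028&REV_03\3&11583659&0&FA".
[2008/03/16 14:05:40 1511.7 Driver Install]
#I123 Doing full install of "USB\VID_046D&PID_C016\6&1A2B3C4D&0&1".
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ Driver Install\]")
INSTALL_RE = re.compile(r'^#I123 Doing full install of "([^"]+)"')
# Heuristic (assumption): "<n>&<8 hex>&..." is an instance ID Windows generated
# because the device reported no serial number, so it cannot be used to track it.
GENERATED_RE = re.compile(r"^\d+&[0-9a-f]{8}&", re.I)

def parse_usb_installs(log_text):
    """One record per USB/USBSTOR device install: section time, instance ID, serial."""
    records, current_ts = [], None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # a [..] header opens a section; its time applies until the next header
            current_ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = INSTALL_RE.match(line)
        if not m or current_ts is None:
            continue
        instance_id = m.group(1)
        enumerator = instance_id.split("\\", 1)[0].upper()
        if enumerator not in ("USB", "USBSTOR"):
            continue  # PCI, ACPI, ... are not removable-device installs
        # Last path component is the serial (USB) or serial plus "&0" (USBSTOR).
        last = instance_id.rsplit("\\", 1)[-1]
        serial = None if GENERATED_RE.match(last) else last.split("&")[0]
        records.append({"timestamp": current_ts, "enumerator": enumerator,
                        "instance_id": instance_id, "serial": serial})
    return records

def first_seen(records):
    # Earliest install time per serial: the first time that device was attached.
    out = {}
    for r in records:
        if r["serial"] and (r["serial"] not in out or r["timestamp"] < out[r["serial"]]):
            out[r["serial"]] = r["timestamp"]
    return out
```

The serial keyed in `first_seen` is the same value that appears as the instance subkey under the USBSTOR key, which is how the setupapi.log timeline is tied to the registry evidence.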
> Personal opinion here - do people think the board is more useful if people were pointed to resources which they have to pay for (such as keydet89's book, good as it is) or free resources (such as their experience)?
That is really a two-edged sword. If a person has done extensive research and written a book or paper that covers a particular subject, that person should be compensated so that in some small way they are encouraged to continue to research and hopefully continue to enhance the community. On the other side, this or very similar questions have been asked and answered so many times now that I am surprised that people on this forum are still civil enough to not just answer "STFA". So if H gives a gentle nudge toward suggesting his book or one of his freely distributed tools instead of posting STFA, maybe the OP would be encouraged to do some research (or additional research) rather than just relying on what might or might not be a well-reasoned and thoughtful answer.
Kind of the whole, "Give a man a fish . . . "
> …that person should be compensated…
While I greatly appreciate BitHead's sentiment, my posting was more to the point of (as BitHead continued with in his post), if it's already been written about and documented by someone, why should it have to be rewritten again in this (or another) forum, simply because someone doesn't want to be bothered with searching, reading, and processing the already-published information?
As BitHead pointed out, some of the questions asked require a great deal of research to answer, and often require an encyclopedic response, as well. So if this response is written once (or twice, or whatever) and someone posts to a forum looking for the answer to be written again…well, I think you can see where I'm going with this…
On a side note, though, BitHead does have another point…compensation. At some point, conducting research and publishing the results gets the author to the point of, "why should I keep doing this for free…??"
Just a thought, guys…
Thanks for the replies,
> because someone doesn't want to be bothered with searching, reading, and processing the already-published information?
Yes, I read the book and it was very good, covering lots of good points regarding devices in the registry. I found it very useful. I was basically just wondering if any other system files retain traces of volumes the way that link and prefetch files retain volume serial numbers.
PS… cheers Jonathan, I just noticed your link.
Tooty…
Your original question included, "…I have a question regarding tracking the activities of removable devices on a system…".
Your latest post asks, "I was basically just wondering if any other system files retain traces of volumes…".
These are somewhat different questions. Volumes are tracked in both the System hive file, as well as the NTUSER.DAT file. Volumes may also be tracked in other files, depending upon what's installed on the system.
I thought the question was about the forensic analysis of 'tracking devices' like the kind used in spy films, lol!
Advertisement does get repetitive…