USB Artefact query

Cults14
(@cults14)
Active Member

Hi

I'm looking at potential removal of IP at termination, analysis of LNK and Jumplists shows that files were accessed on a Seagate Backup Plus in the week before termination, also likely on another one (volume serial number is different) about a month before termination. 

However there is no sign of any Seagate drive in setupapi.dev.log - worth saying that I had to patch the actual setupapi.dev.log file together with the one that gets created when it reaches x size and there were errors at the end of the big one.

Also, Removedev (using RegRipper) shows this (example) for the USB devices I can see in setupapi:

Device : DISK&VEN_LEXAR&PROD_USB_FLASH_DRIVE&REV_1100
LastWrite : Mon Jul 6 20:05:20 2020 (UTC)
SN : VVK63MNI951S3SDOVGFZ&0
Drive : Lexar

But this for Seagate:

Device :
LastWrite : Wed May 15 13:23:37 2019 (UTC)
SN :
Drive : Seagate Backup Plus Drive

Device :
LastWrite : Thu Sep 12 18:40:21 2019 (UTC)
SN :
Drive : Seagate Backup Plus Drive

Device :
LastWrite : Tue Oct 8 18:09:26 2019 (UTC)
SN :
Drive : Seagate Backup Plus Drive

Does anyone recognise this behaviour?

Windows 10 Enterprise. Windows DriverFramework is disabled 🙁

Topic starter Posted : 02/03/2021 8:44 pm
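The cross-check described in the post (removdev entries versus setupapi.dev.log) as an added example; this is not code from the post or from RegRipper. It parses the removdev-style blocks pasted above, pulls "Device Install" sections out of setupapi.dev.log, and matches them by serial number; entries with empty Device/SN fields (the Seagate pattern above) cannot be matched by serial, so they are flagged for corroboration against other artefacts such as the LNK/Jumplist volume serial numbers. The setupapi.dev.log lines are constructed sample data modelled on the real log's `[Device Install ... - <instance id>]` / `Section start` layout.

```python
"""Cross-check RegRipper removdev-style output against setupapi.dev.log.

Added example, not part of the forum post or of RegRipper. The removdev
text is the sample pasted in the post; the setupapi.dev.log text is
constructed sample data in the real log's layout.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# removdev output as pasted in the post (one block per device, blank-line separated)
REMOVDEV_SAMPLE = """\
Device : DISK&VEN_LEXAR&PROD_USB_FLASH_DRIVE&REV_1100
LastWrite : Mon Jul 6 20:05:20 2020 (UTC)
SN : VVK63MNI951S3SDOVGFZ&0
Drive : Lexar

Device :
LastWrite : Wed May 15 13:23:37 2019 (UTC)
SN :
Drive : Seagate Backup Plus Drive
"""

# Constructed setupapi.dev.log excerpt: one hardware-initiated install section
# for the Lexar stick, and nothing at all for the Seagate drive.
SETUPAPI_SAMPLE = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Lexar&Prod_USB_Flash_Drive&Rev_1100\VVK63MNI951S3SDOVGFZ&0]
>>>  Section start 2020/07/06 20:05:18.201
     dvi: {Build Driver List} 20:05:18.305
<<<  Section end 2020/07/06 20:05:20.410
<<<  [Exit status: SUCCESS]
"""

INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - (?P<id>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


@dataclass
class UsbEntry:
    device: str      # device class string (VEN/PROD/REV), may be empty
    last_write: str  # key LastWrite time as printed by removdev
    serial: str      # serial / instance suffix, may be empty
    drive: str       # "Drive" field as printed by removdev

    def incomplete(self) -> bool:
        """True when the entry lacks the identifiers needed for a serial match."""
        return not self.device or not self.serial


def parse_removdev(text: str) -> list[UsbEntry]:
    """Split removdev-style text into blocks and read the 'Key : Value' lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if "device" not in fields and "drive" not in fields:
            continue
        entries.append(UsbEntry(fields.get("device", ""), fields.get("lastwrite", ""),
                                fields.get("sn", ""), fields.get("drive", "")))
    return entries


def parse_setupapi(text: str) -> list[tuple[str, datetime]]:
    """Return (instance id, section start time) for each Device Install section."""
    installs, pending = [], None
    for line in text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            pending = m.group("id")
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            installs.append((pending, datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")))
            pending = None
    return installs


def correlate(entries: list[UsbEntry], installs: list[tuple[str, datetime]]) -> list[dict]:
    """Match each registry entry to setupapi install sections, by serial where possible."""
    report = []
    for e in entries:
        if e.serial:
            needle = "\\" + e.serial.lower()
            matches = [(iid, ts) for iid, ts in installs if iid.lower().endswith(needle)]
        else:
            # No serial to match on: fall back to the first word of the Drive field
            # (e.g. "seagate") appearing anywhere in an instance id.
            token = e.drive.split()[0].lower() if e.drive else ""
            matches = [(iid, ts) for iid, ts in installs if token and token in iid.lower()]
        report.append({"drive": e.drive, "serial": e.serial, "last_write": e.last_write,
                       "incomplete": e.incomplete(), "setupapi_matches": matches})
    return report


if __name__ == "__main__":
    rep = correlate(parse_removdev(REMOVDEV_SAMPLE), parse_setupapi(SETUPAPI_SAMPLE))
    for r in rep:
        status = "needs corroboration" if r["incomplete"] else "serial-matchable"
        print(f"{r['drive']!r:32} {status:20} setupapi sections: {len(r['setupapi_matches'])}")
```

Run against a real removdev dump and the concatenated setupapi.dev.log files; an entry reported as both incomplete and with zero setupapi sections is exactly the Seagate situation in the post, and the decision then rests on other artefacts (LNK/Jumplist volume serials, the time of the LastWrite value) rather than on this log alone.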