I need some help.
We have an investigation in which the computer's registry does not contain a record of an external USB HDD that we know had been attached.
We can see that other external USB HDD and flash memory keys have been attached but this one is not listed.
Can anyone help?
setupapi.log file?
Out of curiosity, is there any evidence of a wiping or cleaning program? It'd be pretty odd for the device to be plugged in, but not be listed in the registry.
Even if it was wiped, you might be able to find artifacts. Go to a similarly configured computer, plug in a similar drive and watch what happens with procmon, or some sort of snapshotting program. You can then look for those artifacts that may be stored elsewhere (other than USBStor) in the registry.
How do you know for sure the drive was plugged in? Could you have bad information in this respect?
A couple of thoughts…
1. As mentioned, did you check the setupapi.log file?
2. Were you looking only in the USBStor key? If so, check the DeviceClasses subkeys for volumes and drives.
3. Run Regslack against the hive…see if you can find indications of the deleted keys.
4. Finally, reconsider how you "know" that the device had been connected….
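Since setupapi.log has now come up twice, here is what checking it looks like in practice. This is an added example, not code posted by anyone in the thread; it assumes the Vista/7 setupapi.dev.log layout (">>>  [Device Install ...]" / ">>>  Section start" / "<<<  Section end" / "<<<  [Exit status: ...]"), and the log text embedded in it is constructed sample data, not from any real system. It pulls out every USBSTOR install section with its first-install timestamp, splits the device ID into vendor, product, revision and serial, and flags instance IDs that Windows generated itself because the device reported no serial number.

```python
"""Pull USB storage device-install sections out of a setupapi.dev.log.

Added example for this thread, not code posted by any participant. It assumes
the Vista/7 setupapi.dev.log section layout (">>>  [Device Install ...]",
">>>  Section start <timestamp>", "<<<  Section end <timestamp>",
"<<<  [Exit status: ...]"); SAMPLE_LOG below is constructed, not a real log.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: one parent USB entry and three USBSTOR installs.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0951&PID_1643\001CC0EC3450EB50D3F7018C]
>>>  Section start 2012/03/14 10:22:30.101
     cmd: C:\Windows\system32\svchost.exe -k netsvcs
<<<  Section end 2012/03/14 10:22:31.003
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\001CC0EC3450EB50D3F7018C&0]
>>>  Section start 2012/03/14 10:22:31.123
     cmd: C:\Windows\system32\svchost.exe -k netsvcs
     dvi: {Build Driver List} 10:22:31.200
<<<  Section end 2012/03/14 10:22:35.456
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&23a0ad06&0]
>>>  Section start 2012/03/18 17:40:02.010
<<<  Section end 2012/03/18 17:40:03.500
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_WD&Prod_My_Passport&Rev_1019\575845314130393136343538&0]
>>>  Section start 2012/03/20 08:05:12.001
<<<  Section end 2012/03/20 08:05:14.900
<<<  [Exit status: FAILURE(0xe0000203)]
"""

_HEADER = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - (?P<id>.+?)\]\s*$")
_START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
_END = re.compile(r"^<<<\s+Section end (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
_EXIT = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")
_TS_FMT = "%Y/%m/%d %H:%M:%S.%f"


@dataclass
class DeviceInstall:
    device_id: str
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    status: Optional[str] = None


def parse_device_installs(text: str) -> List[DeviceInstall]:
    """Return one DeviceInstall per ">>>  [Device Install ...]" section, in log order."""
    installs: List[DeviceInstall] = []
    current = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = DeviceInstall(device_id=m.group("id"))
            installs.append(current)
            continue
        if current is None:
            continue
        m = _START.match(line)
        if m:
            current.start = datetime.strptime(m.group("ts"), _TS_FMT)
            continue
        m = _END.match(line)
        if m:
            current.end = datetime.strptime(m.group("ts"), _TS_FMT)
            continue
        m = _EXIT.match(line)
        if m:
            current.status = m.group("status")
            current = None  # section closed; following lines belong to no section
    return installs


def usbstor_installs(installs: List[DeviceInstall]) -> List[DeviceInstall]:
    """Keep only mass-storage (USBSTOR) installs; the parent USB\\VID_... entries are dropped."""
    return [i for i in installs if i.device_id.upper().startswith("USBSTOR\\")]


def split_usbstor_id(device_id: str) -> Dict[str, object]:
    """Break USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\<instance> into vendor/product/revision/serial."""
    parts = device_id.split("\\")
    if len(parts) < 3:
        raise ValueError("not a USBSTOR device ID: %r" % device_id)
    hardware, instance = parts[1], parts[2]
    fields: Dict[str, object] = {"vendor": None, "product": None, "revision": None}
    for piece in hardware.split("&")[1:]:  # skip the leading "Disk"/"CdRom" type
        for prefix, name in (("Ven_", "vendor"), ("Prod_", "product"), ("Rev_", "revision")):
            if piece.startswith(prefix):
                fields[name] = piece[len(prefix):]
    fields["serial"] = instance.rsplit("&", 1)[0]  # strip the trailing "&<LUN>"
    # Devices that report no serial number get a Windows-generated instance ID,
    # recognisable by '&' as its second character (e.g. "7&23a0ad06&0").
    fields["has_serial"] = len(instance) > 1 and instance[1] != "&"
    return fields


if __name__ == "__main__":
    for inst in usbstor_installs(parse_device_installs(SAMPLE_LOG)):
        f = split_usbstor_id(inst.device_id)
        print(inst.start, f["vendor"], f["product"], f["serial"],
              "serial from device" if f["has_serial"] else "serial generated by Windows",
              inst.status)
```

Point the script at a copy of C:\Windows\inf\setupapi.dev.log taken from the image (read it into `text` and call `parse_device_installs`). A device that appears here but not under USBStor supports the deleted-key theory from point 3; a device that appears in neither, on a log whose earliest entries predate the claimed connection, points back at point 4. A generated serial (second character `&`) also explains why the same physical drive can show up under a different instance ID on another machine or port.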
OK, back to basics - what OS/Release are you talking about here? I only have experience in XP with a little W7, but if cleaning programs were run then I'd expect setupapi.(dev.)log to be zeroed.
What kind of user do you have? Could he/she have booted from something other than the native OS?
But if you're positive that the device had been connected to that system I'd venture that
* It was never connected and recognised by the native OS (but could have been by a different OS e.g. a Linux variant or a Windows boot CD)
* The OS has been re-installed since last connection, hence it wouldn't show up in the new config/registry/setupapi
HTH
One other thing - well, more than one.
* Have you considered Restore Points or VSS as an avenue to investigate?
* If you have a time when you think the device was last connected, is there any circumstantial evidence e.g. in LNK files (including in RPs and unallocated space?) which doesn't correlate to any other system/user activity
* Event Logs?
Cheers
Sorry meant VSC oops
Couple of things to reiterate
1. HOW was the usb plugged in - via hub or directly - that *may* change the way it is registered.
2. HOW do you know that the usb device in question was plugged into the computer
a) The user told you? How credible is the user? Do they have a reason to mislead you?
b) Did you see it yourself?
c) Are you sure that the usb device labeled "XYZTech" actually shows up as XYZTech in the registry? In short, is it possible that you are actually seeing the drive in the registry but you don't recognize it?
Just some things to think of….
Good luck!
-=A=-
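Two of the suggestions above (check the DeviceClasses subkeys, not only USBStor; and make sure the drive isn't already in the registry under a vendor/product string you don't recognise) can be worked through together against an exported SYSTEM hive. The following is an added example, not code posted by anyone in the thread. It assumes a text export in regedit's "Windows Registry Editor Version 5.00" format, uses ControlSet001 as a stand-in for whichever control set the imaged system used, and the hive content embedded in it is constructed sample data (the "XYZTech" vendor string is borrowed from the post above as a made-up name). It lists each USBSTOR device with its FriendlyName, then reports any disk-interface entry under DeviceClasses whose USBSTOR key no longer exists.

```python
"""Correlate USBSTOR keys with DeviceClasses disk-interface entries in a
regedit (.reg) text export of the SYSTEM hive.

Added example for this thread, not code posted by any participant. It assumes
the "Windows Registry Editor Version 5.00" export format and uses ControlSet001
as a stand-in for the control set the imaged system actually used; SAMPLE_REG
below is constructed data, including the made-up "XYZTech" device.
"""
import re
from typing import Dict, List, Set

# GUID_DEVINTERFACE_DISK: the DeviceClasses subkey under which disk interfaces live.
DISK_INTERFACE_GUID = "{53f56307-b6bf-11d0-94f2-00a09c9f1c7}"

# Constructed sample export: two devices with USBSTOR keys, a third ("XYZTech")
# that survives only as a DeviceClasses interface entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\001CC0EC3450EB50D3F7018C&0]
"FriendlyName"="Kingston DataTraveler USB Device"
"Class"="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport&Rev_1019]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport&Rev_1019\575845314130393136343538&0]
"FriendlyName"="WD My Passport USB Device"
"Class"="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a09c9f1c7}\##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP#001CC0EC3450EB50D3F7018C&0#{53f56307-b6bf-11d0-94f2-00a09c9f1c7}]
"DeviceInstance"="USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\001CC0EC3450EB50D3F7018C&0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a09c9f1c7}\##?#USBSTOR#Disk&Ven_XYZTech&Prod_Portable&Rev_0100#AB12CD34EF56&0#{53f56307-b6bf-11d0-94f2-00a09c9f1c7}]
"DeviceInstance"="USBSTOR\\Disk&Ven_XYZTech&Prod_Portable&Rev_0100\\AB12CD34EF56&0"
"""

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}}. Only quoted REG_SZ data is
    unescaped; other value types are kept as the raw text after '='."""
    hive: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY.match(line)
        if m:
            current = m.group(1)
            hive.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                # .reg exports double backslashes and escape quotes inside strings
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            hive[current][name] = data
    return hive


def usbstor_devices(hive: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Map each USBSTOR device instance ID (USBSTOR\\<hardware id>\\<instance>) to its values."""
    out: Dict[str, Dict[str, str]] = {}
    for key, values in hive.items():
        parts = key.split("\\")
        if "Enum" in parts and "USBSTOR" in parts:
            i = parts.index("USBSTOR")
            if len(parts) == i + 3:  # skip the hardware-ID level, keep instance keys
                out["\\".join(parts[i:])] = values
    return out


def disk_interface_instances(hive: Dict[str, Dict[str, str]], guid: str = DISK_INTERFACE_GUID) -> Set[str]:
    """Device instance IDs recorded under DeviceClasses\\<disk interface GUID>."""
    marker = ("\\DeviceClasses\\" + guid + "\\").lower()
    found: Set[str] = set()
    for key, values in hive.items():
        if marker in key.lower() and "DeviceInstance" in values:
            found.add(values["DeviceInstance"])
    return found


def correlate(hive: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """'both': interface entry and USBSTOR key exist; 'deviceclasses_only':
    the interface entry survives but the USBSTOR key is gone."""
    usb_lower = {k.lower() for k in usbstor_devices(hive)}
    report: Dict[str, List[str]] = {"both": [], "deviceclasses_only": []}
    for inst in sorted(disk_interface_instances(hive)):
        if not inst.lower().startswith("usbstor\\"):
            continue
        bucket = "both" if inst.lower() in usb_lower else "deviceclasses_only"
        report[bucket].append(inst)
    return report


if __name__ == "__main__":
    hive = parse_reg_export(SAMPLE_REG)
    for inst, values in usbstor_devices(hive).items():
        print("USBSTOR:", inst, "->", values.get("FriendlyName", "<no FriendlyName>"))
    for inst in correlate(hive)["deviceclasses_only"]:
        print("DeviceClasses only (USBSTOR key missing):", inst)
```

The FriendlyName column is where to look for the drive you're expecting: it is built from the Ven_/Prod_ strings the device reports, which often differ from the label printed on the case or shown in Explorer. Anything that lands in `deviceclasses_only` is the kind of residue worth following up with Regslack or a volume shadow copy, since it shows the system once knew a disk whose USBSTOR key is no longer there.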
Thanks for everyone's responses. You have led us in a new direction and we are checking the suggestions.
As far as I know there were no wiping programs on the HD. I didn't work on this very long so I don't have the entire picture.
Would be good to know an outcome if you can spare the time )