Are there any tools that can determine the date and time a USB drive was plugged into a specific Win XP machine? Or am I asking for the impossible? I trawled the archives and most said it's a no-go, but thought I would check.
Actually, this has been addressed multiple times right here on this forum.
The book, "Windows Forensic Analysis", covers this in detail…
This might be of use to you - http//
Bencle,
Quick question…at the page you linked to, it says the following:
"Specifies the date/time that the device was installed. In most cases, this date/time value represents the time that you first plugged the device to the USB port. However, be aware that in some circumstances this value may be wrong."
There's no specification as to when or under what conditions these times may be wrong…so why are so many people recommending the tool? I'm just curious….
I recommend RegRipper.
As Harlan covers most eloquently in his aforementioned book, you can ascertain the timestamp associated with the time the USB was first inserted and, by following the evidence trail, the time it was last inserted.
I may be wrong, but I believe the date it uses is the Creation part of the MAC time for the registry key, and it may be liable to inconsistencies.