Hi, I'm looking at a case (in Encase v5.05c) and have noticed that a usb removable storage device was used. Does anyone know how I can tell WHEN this was first plugged in OR get any other date related info as to when it was last used, etc.
Oops! Just realised there are other posts containing helpful info on this board. Only fools rush in….
Email me at keydet89 at yahoo dot com if you're still having trouble with it…this is covered in detail in my upcoming book.
H
Book? wink
Yes. I've blogged about it.
I'm looking forward to this book when it comes out, but in the mean time, there's a really good white paper on this site written by Nathan Weilbacher that explains a good bit.
Jerry,
I found Nathan's paper on LNK files…where's his white paper on USB devices?
Thanks,
Harlan
Hi,
If this is a Windows computer then you might look for the setupapi.log file, which contains a log of devices being attached to the computer and Windows' attempts to install a driver for those devices. This file is really a mass of text but you can of course search it using a keyword. This is a good way of getting a first-detected-by-Windows date (and most likely install date).
The second thing you can do is look in the registry to establish what drive letter it was assigned and look through the drive for records from the local file history access (index.dat). Any manual saving or opening of files (via clicking on in Explorer) will be present here.
Steve
Steve,
> …look in the registry to establish what drive letter it was assigned…
Where in the Registry would one look for this?
Thanks,
H
H,
In some cases it is easy, in cases where there are a lot of attached devices it can take some time and may become a process of elimination.
Having established the current control set (which initialise case in EnCase does) you browse under two keys: HKLM/System/ControlSetnnn/MountedDevices to see what drive letters have been assigned. The other keys to check are all under HKLM/System/ControlSetnnn/Enum. The name of the USB device as Windows has put it will be found under the USBSTOR key (although a user could configure a USB drive to act like a fixed disk, in which case it might not appear here). In simple cases the data contained under the relevant entries of these two keys, which is in Unicode, will match in some way. In cases where it does not it becomes a case of trying to match up the other drive letters to the installed devices and you are then left with one drive letter and the one (USB) device. Where there are multiple partitions on a single hard drive it is possible to identify what drive letters were assigned to each partition by looking at the starting cluster of each partition and looking for the hex strings under MountedDevices that match. The calculation is [starting cluster x 2] converted to hex. You then look for that hex value (running backwards as it is little endian) within each drive letter under the MountedDevices key. By this process of elimination you can work out what drive letters remain. CD/DVD type devices are almost always very obvious and of course some devices won't create a drive letter, such as some phones and cameras (they create their own file transfer/browser). Eventually you will be left with fewer devices and drive letters to match up until they are all matched.
There is one side issue… previous control sets might show the same device having been assigned a different drive letter at some point. It's a bit like the issue of how we know the BIOS date and time were always correct.
If you work out the drive letter assigned to your USB pen drive and you then find file access entries on the Windows partition relating to that drive letter and maybe the files on the USB drive will match the entries on the Windows partition, then this would be the sort of evidence you would want to have to show the USB drive in use.
It's a bit of a difficult thread to explain, sorry if it hasn't read too smoothly. I guess this is why we still go on training courses so that people can show us rather than type in some instructions. I was shown the method of marrying up drive letters to devices and it still wasn't all plain sailing.
Steve
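As an added worked example of the drive-letter matching Steve describes (this is not code from the thread or from any poster), the script below decodes constructed sample values from MountedDevices and matches the USB one against constructed USBSTOR instances. It assumes the usual value layouts: a fixed-disk partition value is 12 bytes (4-byte disk signature plus 8-byte partition byte offset, little endian), while a USB volume value is a UTF-16LE device path containing the USBSTOR class and serial; the sample signatures, serials and vendor strings are made up.

```python
import struct

# Constructed sample of HKLM\SYSTEM\ControlSetnnn\MountedDevices values (not from a real case).
# Fixed-disk partition values are 12 raw bytes: 4-byte disk signature + 8-byte partition byte
# offset, both little endian. USB volumes are a UTF-16LE device path naming the USBSTOR instance.
MOUNTED_DEVICES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0xA1B2C3D4, 63 * 512),
    r"\DosDevices\D:": struct.pack("<IQ", 0xA1B2C3D4, 20_000_000 * 512),
    r"\DosDevices\E:": (
        "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#1234567890AB&0"
        "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
}

# Constructed USBSTOR instances (HKLM\SYSTEM\ControlSetnnn\Enum\USBSTOR\<class>\<serial>).
USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00": ["1234567890AB&0"],
    "Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP": ["0019E06B1234&0"],
}


def parse_value(raw):
    """Decode one MountedDevices value into a tuple describing the volume."""
    if len(raw) == 12:
        # struct handles the little-endian byte order, so no manual reversal of the hex string
        signature, byte_offset = struct.unpack("<IQ", raw)
        return ("fixed", f"{signature:08X}", byte_offset // 512)  # 512-byte sectors assumed
    text = raw.decode("utf-16-le", errors="replace")
    if "USBSTOR#" in text:
        parts = text.split("USBSTOR#", 1)[1].split("#")
        if len(parts) >= 2:
            return ("usb", parts[0], parts[1])  # (class key, serial&instance)
    return ("other", text)


def map_drive_letters(mounted=MOUNTED_DEVICES, usbstor=USBSTOR):
    """Return {letter: decoded volume}, marking USB entries found in the USBSTOR enumeration."""
    result = {}
    for name, raw in mounted.items():
        if not name.startswith("\\DosDevices\\"):
            continue  # skip \??\Volume{...} entries; only drive letters are of interest here
        letter = name.rsplit("\\", 1)[1]
        info = parse_value(raw)
        if info[0] == "usb":
            known = info[2] in usbstor.get(info[1], [])
            info = info + ("matched" if known else "unmatched",)
        result[letter] = info
    return result
```

Real values would be exported from the SYSTEM hive of the image rather than embedded, and an "unmatched" USB entry is a candidate for the elimination process described above.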