Using Rob Lee's guide to profiling Windows 7 USB keys/thumbdrives: in order to determine the last connected time of a device, step 9 states (as one option) to record the date/time of registry key SYSTEM\CurrentControlSet\Enum\USB\VID_XXXX&PID_YYYY
On a Win7 Enterprise SP1 system I'm examining, there are many keys under SYSTEM\CurrentControlSet\Enum\USB, starting with
SYSTEM\ControlSet001\Enum\USB\VID_0000&PID_0000\6&3189bb0f&0&2 and ending with SYSTEM\ControlSet001\Enum\USB\VID_8644&PID_8003\0351400000002218
There are some 35 devices listed under SYSTEM\CurrentControlSet\Enum\USBStor, all of which have corresponding entries in SYSTEM\CurrentControlSet\Enum\USB\
Thing is, all but four of the entries in SYSTEM\CurrentControlSet\Enum\USB\ are dated Mar 5th 2014 @ 19:49:41 - the other four are all dated 7th Mar 2014, although not all with the same time.
Can anyone point me in the right direction to understand how these keys all get the same last write time?
Have used TZWorks utility and double-checked using AccessData Registry Viewer
Cheers
P.S. I haven't looked at the other option Rob Lee suggests - yet
Check to see if there was an update/patch/fix to the target with the same date/time stamp as the majority of the keys in question have. I have seen fixes touch numerous keys' date/time.
Thanks, will try on Monday, am away this weekend
Have checked Windows logs (Application, Security, Setup, System, Forwarded) and can't see anything close (within a minute or so) to the timestamps in question.
Have also checked all the other Microsoft-Windows logs (the ones nested in Event Viewer).
Only things remotely close (circa 1 minute away) are event 7036 entries in System; all relate to Computer Browser entering started/stopped states, which I don't believe is related.
And I have confirmed that I've reconciled differences between registry last write times in UTC and Event Logs in local time (Mountain Standard, no daylight savings).
Anyone got any more thoughts? Am running some tests on USB flash drive and USB Enclosure hoping to find more indicators of last connection time, looking at Microsoft-Windows-DriverFrameworks-UserMode for the moment
Cheers
You should find indicators of flash drive connections and disconnections in the Microsoft-Windows-DriverFrameworks-UserMode/Operational event log on a Windows 7 system (assuming this logging is not disabled). I wrote a little bit about this
Hope that helps.
Yes, just looked at that yesterday afternoon and this morning, and did some tests on one branded flash drive where I compared actions with logged events, and am reasonably happy that Event IDs 2010 and 2102 provide indicators of successful connection and disconnection (Safely Remove, Unplug, and Shutdown) respectively. Will look at the links you provided, thanks.
Is there a similar log for USB HDs? I've done some searching and while
FYI, I seldom get my hands on actual external devices; I am often asked to provide an opinion (based on a Windows system or image thereof) about whether and when external storage devices were connected and, if possible, what they were used for. I'm OK for LNK, MRU lists (file and application) and JumpLists, and generally am OK with the kind of info that TZWorks, Woan software and others have provided parsers for; still struggling to come to terms with ShellBags though, as Harlan and others know.
Cheers
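An added example (not code from the thread, from Rob Lee's guide or from any of the tools mentioned) of the two checks discussed above: flagging Enum\USB subkeys that share a single LastWrite second, which points to a patch or driver update touching many keys rather than separate device connections, and correlating the remaining keys with DriverFrameworks-UserMode/Operational Event ID 2010/2102 records after converting their local (Mountain Standard, no DST) timestamps to UTC. All key paths other than the two quoted in the thread, all timestamps and all event lines are constructed samples.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MST = timezone(timedelta(hours=-7))  # Mountain Standard, no DST, as in the thread

# Constructed sample (not real hive data): Enum\USB subkeys with LastWrite times
# in UTC. Three share one second (a mass-update cluster); two are individual
# outliers. VID_1111/3333/5555 entries are made-up placeholders.
USB_KEYS = [
    (r"USB\VID_0000&PID_0000\6&3189bb0f&0&2",   "2014-03-05 19:49:41"),
    (r"USB\VID_1111&PID_2222\AAAA0001",         "2014-03-05 19:49:41"),
    (r"USB\VID_3333&PID_4444\BBBB0002",         "2014-03-05 19:49:41"),
    (r"USB\VID_8644&PID_8003\0351400000002218", "2014-03-07 16:12:03"),
    (r"USB\VID_5555&PID_6666\CCCC0003",         "2014-03-07 18:40:10"),
]

# Constructed DriverFrameworks-UserMode/Operational records as an analyst might
# export them: local time (MST) followed by Event ID (2010 connect, 2102 disconnect).
EVENTS = [
    "2014-03-07 09:11:58 2010",
    "2014-03-07 09:40:17 2102",
    "2014-03-07 11:40:30 2010",
]

def parse_utc(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_local(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=MST)

def cluster_lastwrites(keys, min_size=3):
    """Group keys by identical LastWrite second. A cluster of min_size or more keys
    is far more likely a patch/driver update than independent connections."""
    groups = defaultdict(list)
    for path, ts in keys:
        groups[parse_utc(ts)].append(path)
    clusters = {ts: paths for ts, paths in groups.items() if len(paths) >= min_size}
    singles = [(p, parse_utc(ts)) for p, ts in keys if parse_utc(ts) not in clusters]
    return clusters, singles

def correlate(singles, events, window=timedelta(minutes=1)):
    """For each non-clustered key, list Event IDs whose local timestamp, converted
    to UTC, falls within +/- window of the key's LastWrite time."""
    parsed = []
    for line in events:
        date, time, eid = line.split()
        parsed.append((parse_local(f"{date} {time}").astimezone(timezone.utc), int(eid)))
    return {path: [eid for t, eid in parsed if abs(t - lw) <= window]
            for path, lw in singles}
```

Keys that land in a cluster should not be cited as last-connection evidence without corroboration; the singles are the ones worth matching against the event log.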
This is actually a pretty common occurrence. I saw that someone suggested looking for an update, and I saw your responses. I would suggest that rather than looking just in the Windows Event Logs, craft a full timeline (include EVTX records AND file system metadata), and I think you'll likely see file creations/modifications.
For the last connected times, did you look at the subkeys under the DeviceClasses keys, and get the LastWrite times?
Also, something I've found to be very fruitful is to create that full timeline; in one particular instance, I had a piece of malware on a system, and was being told that everyone who'd seen that on systems before had found it to be the result of spear phishing…I found that on the system I was looking at, the user had connected a thumb drive and installed the malware from that device.
I found this: https://blogs.sans.org/computer-forensics/files/2009/08/usb_device_forensics_vista_win7_guide.pdf
Note that it has only 7 steps.
Bearing in mind internal metadata and also the URLs of those two documents (one refers to Aug 09, the other to Sep 09), which one would you suggest a relative rookie could/should use as a template?
Yes, am aware of the DeviceClasses keys and their relevance; was just wondering what caused the simultaneous timestamps I referred to earlier.
Maybe I've misunderstood your response about file system metadata. I have the metadata I need for JumpLists et al; if you mean metadata from what in XP would have been Windows Update logs (filename starting KB, exact location I can't recall and don't have access to an XP system at the moment), I haven't found equivalents of these in Win7 and would be happy to receive any assistance.
Some of this is a diversion from my original challenge (identify external media used and any files accessed on it), as the DeviceClasses keys provide an alternative option and EMDMGNT thankfully provides a link to the Volume Serial Numbers which various parsers pull from JumpLists and LNKs. Job is done, I just wanted to understand the concurrent timestamps in USB and also now would like to know the location of any Windows updates support files which relate to the WindowsUpdateClient details in System log.
Cheers