Dear all,
I would like to know if I could get any piece of data of where a USB flash drive (FAT16) was plugged in (I mean the machine info).
Thx
We need some additional information to provide helpful answers.
To start
- Are you looking for information stored on the USB?
- Or on the computer?
- Are you seeking to trace the USB use across several computers?
- If you are looking for information on the computers, what OS?
Also what steps have you taken in your examination or in searching for this information?
I am looking for information stored on the USB and I am seeking to trace the USB use across several computers.
If you have the computer, it's pretty easy to tie it to a thumb drive, but not the other way around. Check out http//
If a file was created on the USB (on a Windows system) you might be able to get permissions? and thus file owner, which would give a machine id.
I haven't tested this, so I don't know if it's possible, but I think it might be.
As Patrick4n6 indicated, the process that you need to follow has been covered and published to a pretty decent extent already…"the truth is out there", so to speak. Not only has the checklist been published at the SANS site (as Patrick4n6 linked to…), but I've covered it in my books, and even posted very recently on the subject to my blog
http//
However, all that being said, it's based on the assumption that you're interested in Windows systems…if that's the case, where you look for indications of access to files on the device would be in the shellbags artifacts for each user, Windows shortcut\LNK files in the Recent folder, keys/values in the Registry that include full path information (ComDlg32 on Vista+ systems, TrustRecord data depending upon the version of Office used, etc.), as well as Jump Lists (specific to Windows 7).
I guess the point is that where you look on a system and what you're looking for can vary depending upon the OS (Linux, Windows, etc.) as well as the version of the OS.
For example, on Windows 7, you can get the serial number of the device, as well as first time it was plugged into the system, all from the System hive. Within the Software hive, you can get the volume name and serial number (VSN), which you can then use to correlate to various shortcut files (and Jump Lists), if the user accessed files on the device. Using that information, you can then illustrate times during which the device was plugged into the systems, as well as data that was on the drive. And if you actually have the drive, you can determine if it had been reformatted since it was used.
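The correlation step described in the post above (volume serial number from the Software hive matched against the VolumeID stored in a user's shortcut files) can be demonstrated in code. The following is an added example and not code from the poster or any forensic tool; the LNK bytes are built inline from the MS-SHLLINK layout purely as constructed sample input, and the KNOWN_VOLUMES table is a constructed stand-in for what the System hive (USBSTOR device serial, first install time) and Software hive (volume label and VSN) would yield on a real system. The parser itself reads only the ShellLinkHeader and LinkInfo/VolumeID structures, which is all that is needed for this correlation.

```python
"""Correlate a Windows shortcut (LNK) file's volume serial number (VSN) with a
table of USB volumes recovered from the registry.  Added example; the LNK bytes
and the device table below are constructed for this demonstration."""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}

# Constructed stand-in for registry-derived data: VSN -> volume label (Software
# hive) plus the USB device serial and first-install time (System hive).
KNOWN_VOLUMES = {
    0x1A2B3C4D: {"label": "KINGSTON", "usb_serial": "0019E06B1234ABCD",
                 "first_seen": "2012-01-10T08:15:00Z"},
}


def filetime_to_dt(ft):
    """100-ns ticks since 1601-01-01 UTC -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, in integer arithmetic to avoid float rounding."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def format_vsn(serial):
    """Render a 32-bit volume serial the way `vol` / `dir` print it (XXXX-XXXX)."""
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"


def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def build_lnk(serial, label, base_path, drive_type=2, write_time=None):
    """Emit a minimal shell link: header + LinkInfo carrying a VolumeID and a
    local base path.  Used only to construct sample input for this example."""
    ft = dt_to_filetime(write_time) if write_time else 0
    label_b = label.encode("ascii") + b"\x00"
    # VolumeID: size, DriveType, DriveSerialNumber, VolumeLabelOffset, label
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    base_b = base_path.encode("ascii") + b"\x00"
    suffix_b = b"\x00"  # empty CommonPathSuffix
    vol_off = 0x1C      # LinkInfoHeaderSize
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_b)
    link_info = struct.pack("<IIIIIII", suffix_off + len(suffix_b), 0x1C,
                            0x1,  # LinkInfoFlags: VolumeIDAndLocalBasePath
                            vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base_b + suffix_b
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII",
        0x2,   # LinkFlags: HasLinkInfo (no IDList in this sample)
        0x20,  # FILE_ATTRIBUTE_ARCHIVE
        ft, ft, ft,  # creation / access / write FILETIMEs of the target
        0, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, reserved
    return header + link_info


def parse_lnk(data):
    """Extract target timestamps, drive type, VSN, label and path from a LNK."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, _attrs, ctime, _atime, wtime = struct.unpack_from("<IIQQQ", data, 20)
    pos = 0x4C
    if flags & 0x1:  # HasLinkTargetIDList: skip IDListSize + IDList
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    info = {"created": filetime_to_dt(ctime), "modified": filetime_to_dt(wtime),
            "drive_type": None, "vsn": None, "vsn_text": None, "label": None, "path": None}
    if not flags & 0x2:  # no LinkInfo, nothing to correlate
        return info
    _size, _hdr, li_flags, vol_off, base_off, _cnrl, _suffix = struct.unpack_from("<IIIIIII", data, pos)
    if li_flags & 0x1:  # VolumeIDAndLocalBasePath present
        v = pos + vol_off
        _vsize, drive_type, serial, label_off = struct.unpack_from("<IIII", data, v)
        info.update(drive_type=DRIVE_TYPES.get(drive_type, str(drive_type)),
                    vsn=serial, vsn_text=format_vsn(serial),
                    label=_cstr(data, v + label_off), path=_cstr(data, pos + base_off))
    return info


def correlate(lnk_bytes, known=KNOWN_VOLUMES):
    """Tie a shortcut to a registry-recovered USB volume via the VSN, if any."""
    info = parse_lnk(lnk_bytes)
    info["device"] = known.get(info["vsn"]) if info["vsn"] is not None else None
    return info


if __name__ == "__main__":
    sample = build_lnk(0x1A2B3C4D, "KINGSTON", "E:\\report.docx",
                       write_time=datetime(2012, 1, 15, 12, 0, tzinfo=timezone.utc))
    for k, v in correlate(sample).items():
        print(f"{k:>10}: {v}")
```

A hit on the VSN places the file on that specific volume; the shortcut's own timestamps (and the LNK file's filesystem MAC times, not shown here) then bound when the user opened it, which is how the device's presence can be placed in time even without the device in hand. A removable drive reformatted since the shortcut was made will carry a different VSN, so the registry-side table should be built from the Software hive rather than from the drive as it is today.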
Hi All,
If I have gathered information on all USB devices from the System hive from the suspect's computer and I have the suspect's USB drive, how do I determine if the suspect's USB drive was used?
Do I plug in the suspect's USB drive (write blocked) to a PC and then extract the usb information from the PC?
Thanks.
Regards