Forums
Main Category
General (Technical,...
USBSTOR missing in ...
 
Notifications
Clear all

USBSTOR missing in Registry

 
Page 1 / 2
General (Technical, Procedural, Software, Hardware etc.)
Last Post by Cults14 13 years ago
13 Posts
9 Users
0 Reactions
3,577 Views
RSS
 forensic1zn
(@forensic1zn)
Eminent Member
Joined: 14 years ago
Posts: 22
Topic starter 19/03/2012 5:32 pm  

I have received a computer to conduct forensic analysis on to see if any USB devices have been plugged into the computer. I have analyzed the windows system registry file and cannot locate the USBSTOR folder under Controlset\Enum\. I have also looked for setupapi.dev.log file and cannot locate it under the Windows\inf directory. Lastly i checked the recent folder, this is also clean.

I have not located any system cleaners as yet.

Are there any other places that I can check for this information? Please advise.


   
Quote
 rhouse
(@rhouse)
Active Member
Joined: 15 years ago
Posts: 7
19/03/2012 7:34 pm  

Have you looked through prefetch files to see if any possible cleaning tools were used?


   
ReplyQuote
 Anonymous 6593
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
19/03/2012 9:36 pm  

I have analyzed the windows system registry file and cannot locate the USBSTOR folder under Controlset\Enum\.

What particular version and release of Windows is this?


   
ReplyQuote
 forensic1zn
(@forensic1zn)
Eminent Member
Joined: 14 years ago
Posts: 22
Topic starter 20/03/2012 10:28 am  

The following details on the OS.

OS Windows xp with service pack 3
Current Version. 5.1


   
ReplyQuote
 forensic1zn
(@forensic1zn)
Eminent Member
Joined: 14 years ago
Posts: 22
Topic starter 20/03/2012 10:30 am  

I havent conducted much analysis on the prefetch files. i have over 1000 of them. is there a specific one that i can look at?


   
ReplyQuote
 JLEllis
(@jlellis)
Active Member
Joined: 14 years ago
Posts: 16
20/03/2012 11:13 am  

There is an anti-forensics article on this topic.

http//www.anti-forensics.com/delete-usb-device-history-from-the-windows-registry-usbstor-key-and-the-setupapilog


   
ReplyQuote
 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
20/03/2012 8:28 pm  

There is an anti-forensics article on this topic.

http//www.anti-forensics.com/delete-usb-device-history-from-the-windows-registry-usbstor-key-and-the-setupapilog

Linky no worky


   
ReplyQuote
 Anonymous 6593
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
20/03/2012 8:52 pm  

Linky no worky

Go for waybackmachine . archive .org , and search for the link.


   
ReplyQuote
SleepParalysis
 SleepParalysis
(@sleepparalysis)
Eminent Member
Joined: 18 years ago
Posts: 42
21/03/2012 3:23 am  

Link works now, hosting bill wasn't paid.


   
ReplyQuote
keydet89
 keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
21/03/2012 4:14 am  

I have received a computer to conduct forensic analysis on to see if any USB devices have been plugged into the computer. I have analyzed the windows system registry file and cannot locate the USBSTOR folder under Controlset\Enum\.

Did you happen to run regslack to see if the keys had been deleted?

Have you checked any of the other keys associated with USB device analysis, specifically the DeviceClasses subkeys? MountedDevices values?

I have also looked for setupapi.dev.log file and cannot locate it under the Windows\inf directory.

As this is an XP system, you're not interested in a file named "setupapi.dev.log"…that's the log file used by Windows 7; for XP, you're interested in setupapi.log. If you haven't found either, have you found any indications of the file having been deleted, such as fragments located in unallocated space?

Lastly i checked the recent folder, this is also clean.

I have not located any system cleaners as yet.

Have you checked the UserAssist subkeys? MUICache values?

I think at one point in the thread, you'd mentioned having about 1000 Prefetch files; have you found any that may be associated with tools such as CCleaner, Window Washer, etc?


   
ReplyQuote
Page 1 / 2
Forum Jump:
  Previous Topic
Next Topic  
Share: