Hi there,
The information is based on a Windows XP machine. In my network (work not home) a virus was found in a drive letter that now doesn't exist. I had a Google on how to do this and ended up on forensics wikia but it was a little above my knowledge on how to find anything.
I would like to know, if possible, what the device was called and when it was plugged in / removed.
Thank you very much for helping a forensics newbie!
Ryan
This explains how to find some registry keys that are created / changed each time a device is plugged in via USB. http//
Problem is I don't know how I can see relevant information, all I can navigate to is the registry keys but then how would I see the info I'm after?
…a virus was found in a drive letter that now doesn't exist.
I think that it may help with responses if you could elaborate on this a bit… "found" how? Was this the result of an AV alert, an Event Log entry, etc.? Was it on a specific system?
If you could provide a bit more information, I think that there may be a way to help you with this…
Hey,
Kaspersky Endpoint Security found 3 files infected with the same Trojan. The directory it found them in was I/
However, coming to the machine a day after the infections were found, there is no I/ drive. No network or physical drive using this letter, therefore I'd like to check a log somewhere that says "The last time I/ was used was at 1156 on Wednesday afternoon and it was a pen drive called BobMarley".
Cheers!
Ryan
You won't find a log like that.
What you can do is go to the MountedDevices key, and see what the data in the value named "\DosDevices\I" looks like.
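As an added illustration of that advice (example code written for this thread, not from any poster or tool), here is a small Python decoder for MountedDevices value data. The full value name Windows writes is `\DosDevices\I:` (with the colon); the sample bytes are constructed, and `read_live_mounted_devices` is an assumed helper for pulling the real key on a live host.

```python
import struct

# Constructed MountedDevices value data modelled on the layouts Windows XP writes
# (sample values, not from any real machine): a removable USB device is stored as
# a UTF-16LE device-interface path; a basic MBR disk as signature + offset.
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\I:": (
        r"\??\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#"
        "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    ).encode("utf-16-le"),
    r"\DosDevices\C:": struct.pack("<IQ", 0xDEADBEEF, 32256),
}

def parse_mounted_device(data: bytes) -> dict:
    """Decode one MountedDevices value: 12 bytes = MBR disk (4-byte signature,
    8-byte partition offset), 'DMIO:ID:' = dynamic disk, else a device path."""
    if len(data) == 12:
        signature, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr_disk", "disk_signature": f"{signature:08x}",
                "partition_offset": offset}
    text = data.decode("utf-16-le", errors="replace").rstrip("\x00")
    if text.startswith("DMIO:ID:"):
        return {"kind": "dynamic_disk", "raw": text}
    result = {"kind": "device_path", "path": text}
    # Paths look like \??\<bus>#<device>#<instance>#{interface guid}; for a USBSTOR
    # bus the instance part carries the serial that links to its Enum\USBSTOR key.
    parts = text.lstrip("\\?").split("#")
    if len(parts) >= 4:
        result.update({"bus": parts[0], "device": parts[1],
                       "instance": parts[2], "interface_guid": parts[3]})
    return result

def describe_drive_letter(mounted: dict, letter: str):
    """Decode the value for a drive letter such as 'I', or None if it is absent."""
    data = mounted.get(rf"\DosDevices\{letter.upper()}:")
    return parse_mounted_device(data) if data is not None else None

def read_live_mounted_devices() -> dict:
    """On a live Windows host, read the real key instead of the sample data."""
    import winreg  # Windows only; imported lazily so the parser runs anywhere
    values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\MountedDevices") as k:
        while True:
            try:
                name, data, _ = winreg.EnumValue(k, index)
            except OSError:  # past the last value
                return values
            values[name] = data
            index += 1
```

The key records what was mapped to the letter, not when; analysts usually take the "when" from the last-write time of the matching Enum\USBSTOR instance key instead.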