Create an account Home  ·  Topics  ·  Downloads  ·  Your Account  ·  Submit News  ·  Top 10  
Modules
· Home
· Content
· FAQ
· Forensic Downloads
· Forensics Feedback
· Forums
· Members List
· Statistics
· Surveys
· Top 10
· Topics
· Training Reviews
· Web Links
· Your Account

Our Membership

Latest: cradom
New Today: 0
New Yesterday: 1
Overall: 29283

Computer Forensics
This is a free and open peer to peer medium for digital and computer forensics professionals and students. Please help us maintain it by contributing and perhaps linking to us from your own website.

Recent Posts

 Final Year Project
 Android devices with PIN screen lock and without USBdebb. on
 Can file creation and modifications on pendrives be found?
 Viewing real MAC times of a timestomped file
 software that can view files in Volume Slack

Computer Forensics World Forums


Pages Served
We received
49924967
page views since August 2004

Security Sources

FTC
OnGuard Online
ISO 17799 ISO 27001
ISO 27000 Toolkit
ISO 27001 & 27000
Cryptography
Security Policies

Computer Forensics World: Forums

Computer Forensics World :: View topic - USB Insertion Dates
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

USB Insertion Dates

 
Post new topic   Reply to topic    Computer Forensics World Forum Index -> Technical Issues: Peripherals
View previous topic :: View next topic  
Author Message
martim07
Newbie
Newbie


Joined: Oct 23, 2013
Posts: 3

PostPosted: Thu Oct 24, 2013 8:56 am    Post subject: USB Insertion Dates Reply with quote

Hi,

I am analyzing a hard drive from a Dell desktop w/Windows 7 for all USB device insertion times.

I am encountering a strange issue for a few of the devices. The created date I get from analyzing the setupapi.dev.log file is later than the last plugged/unplugged date I get from analyzing the NTUSER//Software/Microsoft/Windows/CurrentVersion/Exporer/MountPoints2/{GUID} file.

In each case, the last plugged/unplugged date is just about 13 hours earlier than the created date. This is only occurring for 5 out of 18 devices analyzed.

Any information would be appreciated!

Thanks
Back to top
View user's profile
PreferredUser
Newbie
Newbie


Joined: Jan 01, 2007
Posts: 1130
Location: USA

PostPosted: Thu Oct 24, 2013 10:56 am    Post subject: Reply with quote

How many users on the system?
Back to top
View user's profile
martim07
Newbie
Newbie


Joined: Oct 23, 2013
Posts: 3

PostPosted: Thu Oct 24, 2013 12:46 pm    Post subject: Reply with quote

There are several; I am using the ntuser.dat file for a specific user.

Thanks
Back to top
View user's profile
PreferredUser
Newbie
Newbie


Joined: Jan 01, 2007
Posts: 1130
Location: USA

PostPosted: Thu Oct 24, 2013 12:58 pm    Post subject: Reply with quote

Yes, however you are comparing an artifact for a single user to an artifact of the computer or all users of the computer. If the drive was inserted by a different user, the time in setupapi.dev.log will be different than the time in the Registry.

Have you seen the following?
w w w . windowsecurity . com / articles-tutorials / authentication_and_encryption / Extracting-USB-Artifacts-from-Windows-7 . html
Back to top
View user's profile
martim07
Newbie
Newbie


Joined: Oct 23, 2013
Posts: 3

PostPosted: Thu Oct 24, 2013 1:25 pm    Post subject: Reply with quote

This helps, thanks.
Back to top
View user's profile
SanjayChouhan
Newbie
Newbie


Joined: Mar 29, 2016
Posts: 1

PostPosted: Tue Mar 29, 2016 4:28 pm    Post subject: Funny Insertion Date Issue Reply with quote

Guys, I am in the process of analysing a computer and have found a funny issue in the data in the USBSTOR key. Am reproducing the relevant keys below. The setupapi.dev.log and the rest of the registry is not available (so I cannot check out the users etc.).

goo .gl/photos/BNV8dBUiK8s4cW5LA[

Will be grateful if someone could explain this discrepancy. Regards


[Edited By Admin: No Direct Links Please]
Back to top
View user's profile
Display posts from previous:   
Post new topic   Reply to topic    Computer Forensics World Forum Index -> Technical Issues: Peripherals All times are GMT + 10 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Powered by phpBB 2.0.10 © 2001 phpBB Group
phpBB port v2.1 based on Tom Nitzschner's phpbb2.0.6 upgraded to phpBB 2.0.4 standalone was developed and tested by:
ArtificialIntel, ChatServ, mikem,
sixonetonoffun and Paul Laudanski (aka Zhen-Xjell).

Version 2.1 by Nuke Cops 2003 http://www.nukecops.com

Forums ©

 

TMs property of their respective owner. Comments property of posters. 2007 Computer Forensics Science World.
Digital forensic computing news syndication: Computer Forensics Training News or UM Text
Software is copyrighted phpnuke.org (c)2003, and is free under licence agreement. All Rights Are Reserved.