Computer Forensics World :: View topic - Newbie USB question
Newbie USB question

 
raygun
Newbie
Joined: Aug 17, 2009
Posts: 1

Posted: Tue Aug 18, 2009 12:24 am    Post subject: Newbie USB question

I'm very new to all of this but is there any way that the residue left by a usb device could include actual file names of what was on the usb drive – even if the files weren't opened or transferred – or is this a step too far?

I've found when and what unauthorised usb device was connected to a computer but I don't know who it belongs to from this information. Being able to tell what files were on it would obviously be a help.

Is there any software that could monitor more than just serial no., date first connected etc...?
cybercop
Newbie
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Tue Aug 18, 2009 2:36 am

No, there isn't a way to tell what was on it. However, you should be able to tell WHEN it was plugged in, and then be able to tell who was logged in at the time.
athulin
Newbie
Joined: Oct 19, 2007
Posts: 238

Posted: Tue Aug 18, 2009 4:13 pm    Post subject: Re: Newbie USB question

raygun wrote:
I'm very new to all of this but is there any way that the residue left by a usb device could include actual file names of what was on the usb drive – even if the files weren't opened or transferred – or is this a step too far?


'residue left by a usb device'? USB devices don't leave such residues. In special cases, autostarting contents on mass-storage devices, such as can be found on u3 devices, may leave traces, but in that case it's really a question of the software on the device, not the device itself.

And moderately aggressive AV programs may decide that a newly connected mass-storage device needs scanning, and possibly leave traces of contents in logs (for instance, when it takes too long to scan a compressed file). And if the device is connected when a scheduled weekly full scan takes place (say), there may be even more information in the logs.

So, yes, there may be traces in general. Whether you can find any in your particular case is anybody's guess.

If you can set up a duplicated environment, you could try to attach a similar USB device (possibly specially prepared), and see if that left any traces on the computer: if not, you are unlikely to find any similar traces in the actual case.
xaberx
Newbie
Joined: Apr 15, 2008
Posts: 15

Posted: Thu Nov 19, 2009 3:00 am    Post subject: Re: Newbie USB question

athulin wrote:

'residue left by a usb device'? USB devices don't leave such residues.


I disagree. In the registry under USBStor, several bits of information may prove useful to a case, especially in cases of CP where the suspect may be using external media to hide/store the data.
Code:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

The system does keep track of USB-based storage devices; it also can provide information such as model and make, etc. I have a friend who created a tool to automatically view these entries, and I'm pretty confident he found a date and time entry as well. I will have to look further into that, however.

I found a website that also shows this information (it's an anti-forensics site):
anti-forensics.com/delete-usb-device-history-from-the-windows-registry-usbstor-key-and-the-setupapilog
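Added example, not part of xaberx's post or of any tool mentioned in the thread: a Python parser for the text of a .reg export of the USBSTOR key named above. It splits each device ID into vendor, product and revision, extracts the serial from the instance ID, and flags instance IDs that Windows generated because the device reported no serial number. The sample export and every value in it are constructed.

```python
import re

# One device-instance key: ...\Enum\USBSTOR\<device ID>\<instance ID>
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})"
    r"\\Enum\\USBSTOR\\([^\\\]]+)\\([^\\\]]+)\]$", re.I)
NAME_RE = re.compile(r'^"FriendlyName"="(.*)"$')

def parse_device_id(dev_id):
    """Split 'Disk&Ven_X&Prod_Y&Rev_Z' into class, ven, prod and rev."""
    parts = dev_id.split("&")
    fields = {"class": parts[0]}
    for part in parts[1:]:
        name, _, value = part.partition("_")
        fields[name.lower()] = value
    return fields

def parse_usbstor(reg_text):
    """Return one dict per USBSTOR device instance in .reg export text."""
    devices, current = [], None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = parse_device_id(key.group(1))
            instance = key.group(2)
            current["serial"] = instance.rsplit("&", 1)[0]
            # '&' as second character: the device reported no serial, so
            # Windows generated this ID and it only identifies it on this host.
            current["serial_from_device"] = instance[1:2] != "&"
            current["friendly_name"] = None
            devices.append(current)
        elif line.startswith("["):
            current = None  # any other key, e.g. a Device Parameters subkey
        elif current is not None and NAME_RE.match(line):
            current["friendly_name"] = NAME_RE.match(line).group(1)
    return devices

# Constructed sample export; vendor, product and serial values are made up.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00\AA00112233445566&0]
"FriendlyName"="ExampleCo FlashDrive USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_2.10\6&2a9b8c1d&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

if __name__ == "__main__":
    for device in parse_usbstor(SAMPLE):
        print(device)
```

A serial flagged as coming from the device can be compared against a seized drive; a Windows-generated one cannot be matched to hardware on its own.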
cybercop
Newbie
Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Thu Nov 19, 2009 8:31 am

None of that will give him the info he was looking for, since he wants it to automagically know what was on the usb drive whether files were opened on it or not. The information he actually wants ISN'T recorded.
xaberx
Newbie
Joined: Apr 15, 2008
Posts: 15

Posted: Thu Nov 19, 2009 10:05 am    Post subject: true

The only thing I could think of was to compare the information in the USB store to track back to the actual drive. It's too bad Bill doesn't give us more information under the usbstore for a directory structure. Perhaps you could try the Recent directory of each user to see if there are any links to external media and analyze the links.
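Added example, not from any poster in the thread: a Python reader for the part of a Windows shortcut (.lnk) file that records the target's volume, which is what analysing the links in a user's Recent directory comes down to. It returns the drive type, volume serial, volume label and target path; shortcuts in Recent exist only for files that were opened, so this does not list unopened files. Field offsets follow the published shell link format; the sample bytes and all values in them are constructed.

```python
import struct

DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def cstr(buf, off):
    """Read a NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\0", off)].decode("cp1252", "replace")

def lnk_volume_info(data):
    """Return drive type, volume serial, label and path recorded in a .lnk."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & 0x1:                      # HasLinkTargetIDList: skip the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & 0x2:                  # HasLinkInfo not set
        return None
    size, _hdr, li_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
    info = data[pos:pos + size]
    if not li_flags & 0x1:               # no VolumeID: target is a network path
        return None
    vsize, dtype, serial, label_off = struct.unpack_from("<4I", info, vol_off)
    vol = info[vol_off:vol_off + vsize]
    if label_off == 0x14:                # label stored as UTF-16 instead
        uoff = struct.unpack_from("<I", vol, 16)[0]
        label = vol[uoff:].decode("utf-16-le", "replace").split("\0")[0]
    else:
        label = cstr(vol, label_off)
    return {"drive_type": DRIVE_TYPES.get(dtype, str(dtype)),
            "volume_serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
            "label": label, "path": cstr(info, path_off)}

def build_sample():
    """Constructed .lnk bytes: header plus LinkInfo only, all values made up."""
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, 0x2, 0) + bytes(48)
    label, path = b"EVIDENCE\0", b"E:\\docs\\report.doc\0"
    volume = struct.pack("<4I", 16 + len(label), 2, 0x1A2B3C4D, 0x10) + label
    path_off = 28 + len(volume)
    link_info = struct.pack("<7I", 28 + len(volume) + len(path) + 1, 28, 0x1,
                            28, path_off, 0, path_off + len(path))
    return header + link_info + volume + path + b"\0"

if __name__ == "__main__":
    print(lnk_volume_info(build_sample()))
```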
All times are GMT + 10 Hours