Forensics: USB


tyanque

jaclaz

Jul 4 2006, 01:23 PM

You can scan the registry.

All devices connected once should have an entry.

They should be in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB

but check also in

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USB

Mass storage devices will have additional entries in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

jaclaz - http://www.msfn.org/board/lofiversion/inde...gen/t77698.html

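The registry scan suggested in the post above, as an added example that is not part of the original thread: it reads the text of a `reg export` of the SYSTEM hive and lists every device instance under `Enum\USB` and `Enum\USBSTOR`, recording which control sets each one appears in (a device found only in `ControlSet002` is why the other control sets are worth checking). The function name `usb_history` and all sample IDs and names are assumptions constructed for illustration.

```python
import re

# Instance-level keys only: ...\Enum\<USB|USBSTOR>\<device id>\<instance id>
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})"
    r"\\Enum\\(USBSTOR|USB)\\([^\\\]]+)\\([^\\\]]+)\]$", re.IGNORECASE)
NAME_RE = re.compile(r'^"FriendlyName"="(.*)"$')

# Constructed sample in `reg export` text layout; every ID and name is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\Vid_1234&Pid_5678\AA0000000001]
"Service"="USBSTOR"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\Vid_1234&Pid_5678\AA0000000001]
"Service"="USBSTOR"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Example&Prod_Stick&Rev_1.00\AA0000000001&0]
"FriendlyName"="Example Stick USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\USBSTOR\Disk&Ven_Other&Prod_Drive&Rev_2.00\BB0000000002&0]
"FriendlyName"="Other Drive USB Device"
"""

def usb_history(reg_text):
    """Map (bus, device id, instance id) -> control sets it appears in, FriendlyName."""
    devices, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            control_set, bus, dev_id, instance = key.groups()
            current = devices.setdefault(
                (bus.upper(), dev_id, instance),
                {"control_sets": set(), "friendly_name": None})
            current["control_sets"].add(control_set)
        elif line.startswith("["):
            current = None  # any other key, e.g. a deeper subkey
        elif current is not None:
            name = NAME_RE.match(line)
            if name:
                current["friendly_name"] = name.group(1)
    return devices

if __name__ == "__main__":
    # A real export is UTF-16: open(path, encoding="utf-16").read()
    for (bus, dev_id, instance), info in sorted(usb_history(SAMPLE_REG).items()):
        print(bus, dev_id, instance, sorted(info["control_sets"]), info["friendly_name"])
```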

random psycho babble

* Not sure, but something about flash media over, say, 8 gigs is 'different'; maybe <8 is flash and >8 is 'removal disk'. I just have had issues with boot/etc. with larger flash drives.

* As far as USB forensics for Windows, I use HandyRecovery.exe, GetDataBack for NTFS portable.exe, GetDataBack for FAT portable.exe (PhotoRec - CGSecurity).

* Also look into dd_rhelp, but normally flash works or does not, so it's more a matter of what tools to aim at it than reading from it. With IDE/SATA you can buy PCI cards that can read at a lower level.

* For more info, pop it in a *nix box and google the device it picks up.

To answer your Q: look into WMI; you can monitor and query event logs etc. anything ... you could

http://www.google.com/search?q=GPO+%22usb+flash%22
