Computer Forensics World :: View topic - How to track USB activity in the registry?
daigon
Newbie

Joined: Aug 18, 2013
Posts: 1

Posted: Sun Aug 18, 2013 8:40 pm    Post subject: How to track USB activity in the registry?

I have to analyze a hard disk with Win7 installed. I have the hard disk but I don't have the hardware where this disk was installed, so I cannot start the OS and I cannot modify the source either.
In this scenario ...

1) How can I export the registry, and how can I check if a USB device has been connected to this operating system?

I tried to use Linux live CDs (HELIX and DEFT) but I didn't find the solution.

Besides, the USB device doesn't have a serial number because it uses an identifier generated by the system itself (the second character of the ID is '&'), so I would also like to know:
2) Does this number change every time the USB device is connected to the OS?
3) Is this number the same every time I connect this USB device to a different OS?

Thank You
PreferredUser
Newbie

Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Sun Aug 18, 2013 11:14 pm    Post subject: Re: How to track USB activity in the registry?

daigon wrote:
I have to analyze a hard disk with Win7 installed. I have the hard disk but I don't have the hardware where this disk was installed, so I cannot start the OS and I cannot modify the source either.
In this scenario ...

1) How can I export the registry, and how can I check if a USB device has been connected to this operating system?

I tried to use Linux live CDs (HELIX and DEFT) but I didn't find the solution.

Why would you need to start the OS to look at the Registry? In your training did you not cover dead box operating system analysis? The Registry is not one file, but a set of files that represent the hives of the Registry. And each file that makes up the Registry hive contains a key that serves as the root of the tree under which are subkeys and their values.

The only Registry hive (and corresponding keys and subkeys) that is not present as a file in dead box analysis is CurrentUser which is only present when the computer is running.

Are you having issues with the Registry files or with the tools?

Looking at the DEFT package list (http://www.deftlinux.net/about/packets-list/) there appear to be several Registry analysis tools; which one are you using? And what issues are you having with trying to analyze the Registry?

daigon wrote:
Besides, the USB device doesn't have a serial number because it uses an identifier generated by the system itself (the second character of the ID is '&'), so I would also like to know:
2) Does this number change every time the USB device is connected to the OS?
3) Is this number the same every time I connect this USB device to a different OS?

Thank you

As you noted, not every USB device has a serial number, and in your case the ampersand denotes a generated ID key. This unique instance ID key is generated by the system itself (it is purported that this ID is based on additional information retrieved from the device descriptor, the USB port the device was plugged into, etc.); however, Microsoft has not published any definitive information on how this ID is generated.

In regard to your questions 2 & 3, the answers are perhaps and most likely.

I would recommend looking at the SANS article: Computer Forensic Guide To Profiling USB Device Thumbdrives on Win7, Vista, and XP and Harlan Carvey's WindowsIR blog post: HowTo: USB Thumb Drives.

BTW, Carvey is the creator of RegRipper, which is one of the tools on DEFT.
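The reply above makes two points an analyst can act on offline: the Registry hives are ordinary files on the disk, and a USBSTOR instance ID whose second character is '&' is a system-generated key rather than a device serial. The following Python is an added example (not code from the thread, RegRipper, or DEFT) that applies the second point to a listing of USBSTOR subkey paths, such as one exported from the SYSTEM hive by any offline registry tool. The key paths, vendor names, serials and generated IDs in SAMPLE_USBSTOR_KEYS are constructed for illustration; the paths use ControlSet001 rather than CurrentControlSet because CurrentControlSet is a symbolic link that only exists on a running system.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: USBSTOR subkey paths as an offline listing of a SYSTEM hive
# might show them. On a dead box the active control set is ControlSet00N (N is the
# "Current" value under SYSTEM\Select); CurrentControlSet exists only when running.
# All vendor names, serials and generated IDs below are made up.
SAMPLE_USBSTOR_KEYS = [
    r"ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\0019E06B0ABC1234567&0",
    r"ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2f3b1a4c&0&_&0",
    r"ControlSet001\Enum\USBSTOR\CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_8.02\2005124587&1",
    # Deeper subkeys under an instance (Device Parameters, Properties, ...) are not instance IDs.
    r"ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2f3b1a4c&0&_&0\Device Parameters",
]

# Device-class key layout under USBSTOR: <type>&Ven_<vendor>&Prod_<product>&Rev_<revision>
DEVICE_CLASS_RE = re.compile(
    r"^(?P<dtype>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)


@dataclass
class UsbStorDevice:
    device_type: str        # Disk, CdRom, ...
    vendor: str
    product: str
    revision: str
    instance_id: str        # raw subkey name, e.g. "<serial>&0" or "7&2f3b1a4c&0&_&0"
    serial: str             # serial with Windows' trailing "&<n>" removed, "" if generated
    id_is_generated: bool   # True when the OS synthesised the ID (second char is '&')


def instance_id_is_generated(instance_id: str) -> bool:
    """A second character of '&' means no USB serial descriptor was available and
    Windows generated the instance ID itself, as the thread describes."""
    return len(instance_id) > 1 and instance_id[1] == "&"


def parse_usbstor_instance(key_path: str) -> Optional[UsbStorDevice]:
    """Parse one key path of the form ...\\Enum\\USBSTOR\\<device class>\\<instance id>.
    Returns None for paths that are not exactly an instance key."""
    parts = key_path.split("\\")
    if "USBSTOR" not in parts:
        return None
    idx = parts.index("USBSTOR")
    if len(parts) != idx + 3:
        return None  # class key itself, or a deeper subkey of an instance
    class_key, instance_id = parts[idx + 1], parts[idx + 2]
    m = DEVICE_CLASS_RE.match(class_key)
    if not m:
        return None
    generated = instance_id_is_generated(instance_id)
    # Windows appends "&<n>" to a real serial; strip it so the serial can be matched
    # against the physical device or against other systems' hives.
    serial = "" if generated else re.sub(r"&\d+$", "", instance_id)
    return UsbStorDevice(m["dtype"], m["vendor"], m["product"], m["rev"],
                         instance_id, serial, generated)


def parse_usbstor_keys(key_paths: List[str]) -> List[UsbStorDevice]:
    """Return one record per USBSTOR instance key found in the listing."""
    return [d for d in (parse_usbstor_instance(p) for p in key_paths) if d is not None]


if __name__ == "__main__":
    for dev in parse_usbstor_keys(SAMPLE_USBSTOR_KEYS):
        origin = "generated by OS (not portable across systems)" if dev.id_is_generated \
            else f"device serial {dev.serial}"
        print(f"{dev.device_type:6} {dev.vendor}/{dev.product} rev {dev.revision}: {origin}")
```

The classification matters for the poster's questions 2 and 3: a record with id_is_generated set cannot be used to match the same stick across different machines, whereas a stripped serial can be compared directly with the value a second system's USBSTOR key records for that device.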
All times are GMT + 10 Hours