Channel: Forensic Focus Forums - Recent Topics

General Discussion: USB storage device - last connected

keydet89 wrote: I found this: https://blogs.sans.org/computer-forensics/files/2009/08/usb_device_forensics_vista_win7_guide.pdf Note that it has only 7 steps.

Bearing in mind internal metadata and also the URLs of those two documents (one refers to Aug 09, the other to Sep 09), which one would you suggest a relative rookie could/should use as a template?

keydet89 wrote: This is actually a pretty common occurrence. I saw that someone suggested looking for an update, and I saw your responses. I would suggest that rather than looking just in the Windows Event Logs, craft a full timeline (include EVTX records AND file system metadata), and I think you'll likely see file creations/modifications. For the last connected times, did you look at the subkeys under the DeviceClasses keys, and get the LastWrite times?

Yes am aware of the DeviceClasses keys and relevance, was just wondering what caused the simultaneous timestamps I referred to earlier. Maybe I've misunderstood your response about file system metadata. I have the metadata I need for JumpLists et al, if you mean metadata from what in XP would have been Windows Update logs (filename starting KB, exact location I can't recall and don't have access to an XP system at the moment) - I haven't found equivalents of these in Win7 and would be happy to receive any assistance :)

Some of this is a diversion from my original challenge (identify external media used and any files accessed on it), as the DeviceClasses keys provide an alternative option and EMDMgmt thankfully provides a link to the Volume Serial Numbers which various parsers pull from JumpLists and LNKs. Job is done, I just wanted to understand the concurrent timestamps in USB and also now would like to know the location of any Windows updates support files which relate to the WindowsUpdateClient details in System log.

Cheers
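Added example, not part of the original thread: a sketch of the EMDMgmt-to-LNK correlation mentioned in the post above, matching the Volume Serial Number in each EMDMgmt subkey name against VSNs reported by a LNK/JumpList parser. It assumes the commonly documented subkey-name layout (device path ending in a GUID, then the volume label, then the VSN in decimal) and that the parser reports VSNs in hex; the function names and all sample data are constructed for illustration.

```python
import re

# Assumed subkey-name layout: <device path ending in {GUID}><label>_<VSN in decimal>
EMDMGMT_RE = re.compile(
    r"^(?P<device>.*\{[0-9A-Fa-f-]{36}\})(?P<label>.*)_(?P<vsn>\d+)$")

def parse_emdmgmt_name(name):
    """Split one EMDMgmt subkey name into device, serial, label and VSN."""
    m = EMDMGMT_RE.match(name)
    if not m or int(m.group("vsn")) > 0xFFFFFFFF:
        return None  # not a USB volume entry in the assumed layout
    vsn = int(m.group("vsn"))
    fields = m.group("device").split("#")
    return {
        "device": fields[1] if len(fields) > 1 else "",
        "serial": fields[2].rsplit("&", 1)[0] if len(fields) > 2 else "",
        "label": m.group("label"),
        "vsn": "%04X-%04X" % (vsn >> 16, vsn & 0xFFFF),
    }

def normalise_vsn(text):
    """Bring 'a1b2c3d4', '0xA1B2C3D4' or 'A1B2-C3D4' to 'A1B2-C3D4'."""
    text = text.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    digits = re.sub(r"[^0-9a-f]", "", text).upper().zfill(8)
    return digits[:4] + "-" + digits[4:]

def match_links(emdmgmt_names, link_records):
    """Return (target path, volume label, device serial) for each VSN match."""
    by_vsn = {}
    for name in emdmgmt_names:
        vol = parse_emdmgmt_name(name)
        if vol:
            by_vsn.setdefault(vol["vsn"], []).append(vol)
    return [(path, vol["label"], vol["serial"])
            for path, vsn in link_records
            for vol in by_vsn.get(normalise_vsn(vsn), [])]

# Constructed sample data, not taken from any real system.
GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
SAMPLE_KEYS = [
    "_??_USBSTOR#Disk&Ven_Example&Prod_Stick&Rev_1.00#AAAA1111BBBB&0#" + GUID + "CASE_DATA_1234567890",
    "_??_USBSTOR#Disk&Ven_Example&Prod_Drive&Rev_2.00#CCCC2222DDDD&0#" + GUID + "_305419896",
]
SAMPLE_LINKS = [("E:\\report.docx", "499602d2"),
                ("F:\\photos\\img1.jpg", "1234-5678"),
                ("C:\\Users\\a\\notes.txt", "0xDEADBEEF")]

if __name__ == "__main__":
    for hit in match_links(SAMPLE_KEYS, SAMPLE_LINKS):
        print(hit)
```

A VSN match ties a shortcut target to a volume, not to a point in time; the connection times still come from the key LastWrite values and the timeline discussed in the thread.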
