keydet89 wrote:
I wouldn't expect them to.
What is it that you're attempting to determine? Are you simply wondering why those keywords don't seem to appear anywhere else in the Registry, or was that search part of an attempt to determine something else?
Am looking for evidence of data files accessed on external media. So looking for anything not on C: and also not on S: which is a network share. E: - with Volume Label "UserName VPC" with VSN E09B-7A77 crops up frequently in LNK and JumpLists, I want to know what it is. In the RegRipper plugins I ran, the only place in Registry that this Volume Label appears is in EMDMGMT. David Cowan says here http://hackingexposedcomputerforensicsblog.blogspot.co.uk/2013/08/daily-blog-65-understanding-artifacts.html that EMDMGMT ".... can be very helpful when you are trying to understand why a device you know was accessed does not appear in the USBStor". So, as this device didn't appear in any of the "usual" locations where one would track USB history (see earlier list of RegRipper plugins), I ran registry-wide searches in keynames to see if it cropped up anywhere else that I wasn't accustomed to (it doesn't appear in this particular setupapi.dev.log, but it's not reliable as the first dated Boot Session after BootLog post-dates many other artefacts, and some USB devices don't appear there either (although they do appear in the "usual" places in Registry)).
I've now run a registry-wide search for "VPC" and the only other place it appears is under SOFTWARE\Microsoft\Windows Search\VolumeInfoCache:
E: and F:, both of which have values and data of:
DriveType 0x00000003 (3) and is REG_DWORD
VolumeLabel "UserName VPC" and is REG_SZ
FYI C: thru I: are listed under this key, all have same DriveType values, VolumeLabel for C: is System, D: is TestOS, G: thru I: are (value not set)
I don't know what to make of this, can't find much about volumeinfocache or what options there are for DriveTypes
keydet89 wrote:
I'm not clear on why you'd need their login...what are you trying to do? If the issue is determining what they did in any VMs they have installed in Virtual Box, just analyze them as you would any other image file...
Not sure what you mean here, my only previous attempts at looking at VMs have been trying to boot a VM using LiveView, which as far as I recall needs the user's logon password (which I never have).
HTH
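The VolumeInfoCache entries described in the post above can be triaged with a small script. This is an added example, not code from the thread or from RegRipper: it parses a constructed regedit-style export of SOFTWARE\Microsoft\Windows Search\VolumeInfoCache (the sample text, drive letters and labels are made up to mirror the post), decodes the DriveType DWORD, and lists which cached volumes carry a label that was also seen in LNK/JumpList evidence. It assumes the DriveType value uses the Win32 GetDriveType() numbering (3 = DRIVE_FIXED); that mapping is the usual reading of the value but is not something the post itself confirms.

```python
import re

# Win32 GetDriveType() return codes. Assumption: VolumeInfoCache's DriveType
# DWORD uses this numbering, so 3 means "fixed disk", not "removable".
DRIVE_TYPES = {
    0: "DRIVE_UNKNOWN",
    1: "DRIVE_NO_ROOT_DIR",
    2: "DRIVE_REMOVABLE",
    3: "DRIVE_FIXED",
    4: "DRIVE_REMOTE",
    5: "DRIVE_CDROM",
    6: "DRIVE_RAMDISK",
}

# Constructed sample export (labels and letters invented to match the post's
# description: C: System, D: TestOS, E:/F: "UserName VPC", G: no label).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache\C:]
"DriveType"=dword:00000003
"VolumeLabel"="System"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache\D:]
"DriveType"=dword:00000003
"VolumeLabel"="TestOS"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache\E:]
"DriveType"=dword:00000003
"VolumeLabel"="UserName VPC"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache\F:]
"DriveType"=dword:00000003
"VolumeLabel"="UserName VPC"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache\G:]
"DriveType"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Unrelated]
"VolumeLabel"="should be ignored"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
SZ_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_volume_info_cache(reg_text):
    """Return {drive_letter: {value_name: value}} for VolumeInfoCache subkeys.

    Only subkeys directly under a key named VolumeInfoCache are collected;
    a drive with no VolumeLabel value (regedit shows "(value not set)")
    simply has no "VolumeLabel" entry in its dict.
    """
    entries = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            parent, _, leaf = key.group(1).rpartition("\\")
            current = entries.setdefault(leaf, {}) \
                if parent.lower().endswith("\\volumeinfocache") else None
            continue
        if current is None or not line:
            continue
        dword = DWORD_RE.match(line)
        if dword:
            current[dword.group(1)] = int(dword.group(2), 16)
            continue
        sz = SZ_RE.match(line)
        if sz:
            # regedit escapes backslashes and quotes inside REG_SZ exports
            current[sz.group(1)] = sz.group(2).replace('\\"', '"').replace("\\\\", "\\")
    return entries


def describe(entries):
    """Rows of (letter, raw DriveType, decoded name, label or None)."""
    rows = []
    for letter in sorted(entries):
        vals = entries[letter]
        dt = vals.get("DriveType")
        rows.append((letter, dt, DRIVE_TYPES.get(dt, f"unknown({dt})"), vals.get("VolumeLabel")))
    return rows


def drives_with_label(entries, labels_seen_elsewhere):
    """Drive letters whose cached label matches one seen in LNK/JumpList data."""
    wanted = {lbl.lower() for lbl in labels_seen_elsewhere}
    return sorted(letter for letter, vals in entries.items()
                  if (vals.get("VolumeLabel") or "").lower() in wanted)


if __name__ == "__main__":
    cache = parse_volume_info_cache(SAMPLE_REG)
    for row in describe(cache):
        print("%-3s DriveType=%s %-16s label=%r" % row)
    print("letters carrying the LNK label:", drives_with_label(cache, ["UserName VPC"]))
```

On a real case the export comes from `reg export` or regedit (note those files are UTF-16; decode before passing the text in). The point of the cross-reference is to tie the cached letter to the volume label seen in the LNK files; the DriveType tells you only how Windows Search classified the volume at the time, not what the physical device was.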