[Unknown]
Moderator:Moderators
- SonyPortableizer
- Portablizer
- Posts:1325
- Joined:Sun Jun 01, 2008 6:49 pm
- Contact:
[Unknown]
Last edited by SonyPortableizer on Fri Nov 14, 2014 12:31 am, edited 1 time in total.
- gamemasterAS
- Senior Member
- Posts:3309
- Joined:Thu Nov 24, 2005 10:30 pm
- Steam ID:lolz1337face
- Location:Ohio
- Contact:
- SonyPortableizer
- Portablizer
- Posts:1325
- Joined:Sun Jun 01, 2008 6:49 pm
- Contact:
Re: Usb Drive Question
occurred, and hypothetical in case it happens again.
SO it's still important
Re: Usb Drive Question
Well, check for recently added hardware to see if any drivers were installed. If it was a different device than one that you have ever used, it would have had a driver installed so the device could work.
SonyPortableizer wrote:
I own a PC
Is there a way to tell if someone has put in or used a usb drive on my computer?
EX. I leave my computer alone, someone pops in their USB Drive, saves a word document on my computer
I don't want answers like, well pay attention, use a password, etc.
Re: Usb Drive Question
Huhum! Why isn't this thread in the computer tech forum?
Anyway, here's how to do it.
Information about all drives that have ever been connected to the computer is available in this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR (Start run > regedit)
However, this tells you nothing about when the device was connected. To do that you need to check one of several registry keys or log files. Let's say, for example, that you think the USB drive has never been connected to your computer before. If so, open C:\windows\setupapi.log (XP) or C:\windows\setupapi.dev.log (Vista).
Open it in, for example, Notepad. The log file is written top to bottom so go ahead and press Ctrl+End to go to the end of the file. Then press Ctrl+F to summon the search box. Enter USBSTOR and choose direction: up. Click Find next and you'll hopefully see something like this:
Scroll up to the first line above the search result that doesn't begin with a #. That's the date when that device was first installed. The picture above shows when I installed a USB CD-ROM drive a month ago.
You're also supposed to be able to see the last time a certain device was connected, (as opposed to first) but I can't figure that out now. Hopefully this will get you started at least.
Or refer to this information sheet, if you're a bad enough dude: http://blogs.sans.org/computer-forensic ... -Guide.pdf
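The manual search described in the post above, automated as an added example (not part of the original thread): for every USBSTOR device instance ID in the log text, it walks up to the first line that does not begin with `#` and reads the install time from it. The log lines are constructed samples, and the handling of the Vista `Section start` layout is an assumption that goes beyond the `#`-prefixed layout the post describes.

```python
import re
from datetime import datetime

# XP setupapi.log section header: "[2009/10/03 18:22:41 1234.5 Driver Install]"
XP_HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ")
# Vista setupapi.dev.log: ">>>  Section start 2009/11/05 14:30:00.123"
VISTA_START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)")
# Device instance IDs only (they contain '&'); bare hardware IDs are skipped.
DEVICE_ID = re.compile(r'USBSTOR\\\w+&[^\s"\];]+', re.IGNORECASE)

def _section_time(lines, i):
    """Return the install time of the log section that line i belongs to."""
    if lines[i].startswith(">>>"):            # Vista: time is on the next line
        m = VISTA_START.match(lines[i + 1]) if i + 1 < len(lines) else None
    else:                                     # XP: scroll up past the '#' lines
        while i > 0 and lines[i].startswith("#"):
            i -= 1
        m = XP_HEADER.match(lines[i])
    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S") if m else None

def first_installs(log_text):
    """Map each USBSTOR device instance ID to its earliest install time."""
    lines = log_text.splitlines()
    found = {}
    for i, line in enumerate(lines):
        for dev in DEVICE_ID.findall(line):
            stamp = _section_time(lines, i)
            key = dev.upper()                 # the two log formats differ in case
            if stamp and (key not in found or stamp < found[key]):
                found[key] = stamp
    return found

# Constructed sample lines (not taken from a real machine).
SAMPLE_XP = r"""[2009/10/03 18:22:41 1234.5 Driver Install]
#-019 Searching for hardware ID(s): usbstor\cdromexample_drive______1.00
#I123 Doing full install of "USBSTOR\CDROM&VEN_EXAMPLE&PROD_DRIVE&REV_1.00\0123456789AB&0".
[2009/11/02 09:05:10 1300.2 Driver Install]
#I123 Doing full install of "USBSTOR\DISK&VEN_ACME&PROD_STICK&REV_2.00\AA11BB22&0".
"""
SAMPLE_VISTA = r""">>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Acme&Prod_Stick&Rev_2.00\AA11BB22&0]
>>>  Section start 2009/11/05 14:30:00.123
     dvi: Searching for hardware ID(s): usbstor\diskacme____stick___________2.00
<<<  Section end 2009/11/05 14:30:04.500
"""

if __name__ == "__main__":
    for dev, when in sorted(first_installs(SAMPLE_XP + SAMPLE_VISTA).items()):
        print(when, dev)
```

On a real machine, pass the contents of the log file named in the post to `first_installs`; a device that appears with a date you do not recognise is the one to look at.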
- gamemasterAS
- Senior Member
- Posts:3309
- Joined:Thu Nov 24, 2005 10:30 pm
- Steam ID:lolz1337face
- Location:Ohio
- Contact:
Re: Usb Drive Question
Do you think they ran any programs from the flash drive? Lots that I have seen still leave some files.
- SonyPortableizer
- Portablizer
- Posts:1325
- Joined:Sun Jun 01, 2008 6:49 pm
- Contact:
Re: Usb Drive Question
thanks
- MasterPrime
- Posts:88
- Joined:Sun Feb 17, 2008 9:53 pm
Re: Usb Drive Question
there's nitro2k01's method. effective.
There's the event viewer:
right click my computer
select manage
click event viewer
if the document was opened before it was copied it should be in your recent documents folder.
you might try the temp folder as well. that's always fun.
If you know specifically which document, right click on the sorting bars in the folder, select More, and check the box next to Date Accessed.
that's all the easy stuff I know off the top of my head. If I come across something else that's cool I'll post it.