Friday, November 02, 2007

Forensics - USB drives

Windows Forensics and Incident Recovery

http://www.networksecurityarchive.org/html/Computer-Forensics/2005-02/msg00001.html

1. When you connect a USB storage device to a Windows system
(2K, XP, 2K3), Registry keys are created. If they don't
already exist, the HKLM\System\CurrentControlSet\Enum\USBStor
key is created. Beneath that key, a subkey containing the
vendor name is created, and beneath the "vendor key", a key
with a unique name is created for each device (I'll call this
the "unique key"). On a test XP system, it looks like this:

HKLM\System\CurrentControlSet\Enum\USBStor
\Disk&Ven_LEXAR&Prod_DIGITAL_FILM&Rev_/W1.
\7&276114a5&0&______________040719030000008093F300000000000&0
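
The key layout described above, as an added example that is not part of the original message: a small parser that splits a USBStor key path into its device key and unique key, then groups unique keys per device key. Reading the Ven_/Prod_/Rev_ parts as vendor, product and revision is an assumption drawn from the sample, and the function and field names are hypothetical.

```python
import re
from collections import defaultdict

USBSTOR = r"HKLM\System\CurrentControlSet\Enum\USBStor"

# Layout of the device key as it appears in the page's sample. Reading
# Ven_/Prod_/Rev_ as vendor, product and revision is an assumption.
DEVICE_KEY = re.compile(
    r"^(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)&Rev_(?P<revision>[^\\]*)$"
)

# The key path from the page, wrapped over three lines as it is there.
SAMPLE = r"""HKLM\System\CurrentControlSet\Enum\USBStor
\Disk&Ven_LEXAR&Prod_DIGITAL_FILM&Rev_/W1.
\7&276114a5&0&______________040719030000008093F300000000000&0
"""

def parse_usbstor_path(path):
    """Return the device fields and unique key of a USBStor key path,
    or None if the path is not USBStor\\<device key>\\<unique key>."""
    path = "".join(line.strip() for line in path.splitlines())
    prefix = USBSTOR.lower() + "\\"
    if not path.lower().startswith(prefix):  # key names are case-insensitive
        return None
    parts = path[len(prefix):].split("\\")
    if len(parts) != 2 or not all(parts):
        return None
    match = DEVICE_KEY.match(parts[0])
    if match is None:
        return None
    return {**match.groupdict(), "device_key": parts[0], "unique_key": parts[1]}

def devices_seen(paths):
    """Group unique keys under their device key: one entry per device key,
    listing the unique key of each device recorded beneath it."""
    seen = defaultdict(list)
    for path in paths:
        info = parse_usbstor_path(path)
        if info is not None and info["unique_key"] not in seen[info["device_key"]]:
            seen[info["device_key"]].append(info["unique_key"])
    return dict(seen)

if __name__ == "__main__":
    print(parse_usbstor_path(SAMPLE))
```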
