How do I check if a user connected an external hard drive?

6

2

I originally came across this from a Citadel LLC complaint against a former employee. Text of complaint: http://www.scribd.com/doc/63606232/Citadel-vs-Yihao-Ben-Pu

From the filing:

"Forensic evidence has confirmed, however, that Pu also utilized a 500 gigabyte external hard drive (a Western Digital Elements 1023)"

How does one actually find out if a user connected an external hard drive?

Foo Bah

Posted 2011-09-02T01:24:40.873

Reputation: 221

What OS? It would depend. – Journeyman Geek – 2011-09-02T01:32:36.060

@Journeyman Geek Yes, it's for Windows :) – Foo Bah – 2011-09-02T02:23:42.180

Answers

5

On Windows, it's stored in the registry, usually under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR.

I'd also look at setupapi.log in %windir% for driver installs on systems older than Windows 7 (on newer systems it's supposed to be %windir%\INF\setupapi.dev.log and %windir%\INF\setupapi.app.log, but the forensics classes I went to totally ignored this location, so I'm not totally familiar with it). If a driver is there and its device is not in the registry, you know that something is off.

I'd refer you to this article on anti-forensics, which I used to refresh my memory on where exactly it is.

Journeyman Geek

Posted 2011-09-02T01:24:40.873

Reputation: 119 122

Is there a way to insert a USB device while bypassing this mechanism? – Foo Bah – 2011-09-02T02:23:16.113

@Foo Bah, not really. Windows needs to mount and load drivers to use the device. When it does this, it records information about the device so that it can load the device faster the next time. Remember, Windows is not an OS specifically designed for anonymous usage; it is meant for legitimate users who expect to reuse their devices on their systems. – Synetech – 2011-09-02T03:09:06.340
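To make the registry check above concrete, here is an added example (my own script, not from the answer or from any tool mentioned on the page) that walks the USBSTOR key and lists every mass-storage device Windows has enumerated, with vendor, product, serial and, where readable, the last-arrival timestamp. It assumes an elevated PowerShell session on Windows 7 or later; the Properties subkeys are normally readable only by SYSTEM, so the timestamp lookup is best-effort and may come back empty.

```powershell
# Added example: enumerate HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR for
# forensic review. Run elevated; timestamps need SYSTEM-level read access.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
# DEVPKEY_Device_LastArrivalDate is stored under this property GUID, id 0066
# (assumption based on the Windows 7+ device-property layout; absent on XP).
$lastArrivalPath = '\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066'

function Get-UsbStorHistory {
    if (-not (Test-Path $usbstor)) { return @() }
    foreach ($class in Get-ChildItem $usbstor) {
        # Key name looks like Disk&Ven_WD&Prod_Elements_1023&Rev_2005
        $parts = @{}
        foreach ($p in $class.PSChildName -split '&') {
            if ($p -match '^(Ven|Prod|Rev)_(.*)$') { $parts[$Matches[1]] = $Matches[2] }
        }
        foreach ($inst in Get-ChildItem $class.PSPath) {
            $friendly = (Get-ItemProperty $inst.PSPath -ErrorAction SilentlyContinue).FriendlyName
            $arrival = $null
            try {
                # The value is a FILETIME stored as the key's default value.
                $raw = (Get-ItemProperty ($inst.PSPath + $lastArrivalPath) -ErrorAction Stop).'(default)'
                if ($raw -is [byte[]] -and $raw.Length -eq 8) {
                    $arrival = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($raw, 0))
                }
            } catch { }   # no access or no Properties key: leave $arrival empty
            [pscustomobject]@{
                DeviceType     = ($class.PSChildName -split '&')[0]
                Vendor         = $parts['Ven']
                Product        = $parts['Prod']
                Revision       = $parts['Rev']
                # Instance id is the serial reported by the device plus an interface
                # suffix such as '&0'; if the device reports no serial, Windows
                # generates an id whose second character is '&'.
                Serial         = $inst.PSChildName
                FriendlyName   = $friendly
                LastArrivalUtc = $arrival
            }
        }
    }
}

Get-UsbStorHistory | Sort-Object LastArrivalUtc | Format-Table -AutoSize
```

Cross-check the output against setupapi.dev.log and the mounted-devices keys rather than relying on USBSTOR alone, since entries can be deleted by anyone with administrative rights.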

3

If a USB device is connected and is mounted in Windows it is recorded in the Windows registry.

You can use USBDeview to see any USB device ever connected to any PC you run it on. It pulls the information from the Windows Registry.

USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used. For each USB device, extended information is displayed: device name/description, device type, serial number (for mass storage devices), the date/time that the device was added, VendorID, ProductID, and more.

USBDeview also allows you to uninstall USB devices that you previously used, disconnect USB devices that are currently connected to your computer, and disable and enable USB devices. You can also use USBDeview on a remote computer, as long as you log in to that computer as an admin user.

The only way around this is to manually remove all entries from the registry that refer to that specific device, along with the other Windows locations mentioned by Journeyman Geek. USBDeview's uninstall feature may not remove all traces of the device from the registry.

Moab

Posted 2011-09-02T01:24:40.873

Reputation: 54 203

That is a very nifty tool! – Foo Bah – 2011-09-02T03:19:44.287