0
I used FTK images to take image of the documents and registry files for a PC. I want to check for certain USB disk , when the last time it was used and when it was unplugged and activities during that time if possible . What is the right tool\method to do so ?
0
At my workplace we use a NIRSoft tool called USBDeview. With its command line arguments, we pull out the device name, VID/PID, install time & date of the driver, time of insertion, type of USB device (disk, external CD-ROM, 4G modem, etc.), vendor, volume GUID, volume name (eg. "F:\"), instance ID/serial #, and some other details.
We use this to trace whether malware was brought in on a non-company USB drive during an incident response, and could use it to enforce our company's USB policy.
armani
Posted 2015-04-08T15:57:45.083
Reputation: 576
Thanks ..I tried to use that tool . however it is giving me inconsistent results . i.e. i ran the program on the first pc to take the USB's serial ,then i ran it on the pc that i want to know when it was last used on it . And yet there was no match between the serials – None – 2015-04-08T18:30:10.847
This is more of a Windows OS question than an InfoSec question. Although you want to apply the answer to an InfoSec application, the question itself is an OS operational question. – schroeder – 2015-04-08T16:12:51.850