Recovering evidence that has been removed from a target machine is tough enough, but then you have to figure out how that evidence was removed and when. Suspects are increasingly removing hard drives from machines or simply dragging and dropping incriminating evidence to thumb drives, cameras, mp3 players or other USB gadgets. The good news is that they digital footprints are often left behind when they plug these devices into the system, and the artifacts that can be recovered often lead to insights about the suspect’s behavior or recovery of the removed data itself.
One of the most popular EnScripts/apps on EnCase App Central addresses this challenge by automating the Window’s Registry examination by locating and reporting on the artifacts that are created when an entry is made in different hives in the registry. For example, when a USB storage device is inserted into a machine, a key is created in the Windows Registry, and everything the operating system needs to know about that storage device is contained in that key. The Registry was first introduced with Windows 95 and has been incorporated into many Microsoft operating systems since. Within the Windows operating system is a list of all the USB devices that have been connected to the system in the past. Information includes the device description, its type (printer, camera, disk drive, etc), whether it was connected via a USB hub, its drive letter, and the device's serial number. All of these information types can be identified under the right conditions.
The free SEEB USB-Mounted Devices app written by Brian Jones creates several detailed reports shown below on USB devices that have been inserted into the target machine, as well as any mounted and portable devices whose data is contained in the Windows Registry and setupapi logs. Corresponding reports generated by the app can be created as formatted Excel spreadsheets, comma-delimited files with headings, Bookmarks reports or as a tab-delimited console report. It also parses new registry values found in Windows Vista 7 and 8. A "Mapped Devices" report as shown below is also included, and this collates all the important information about each USB device and places the information in one report.
No comments :
Post a Comment