Scribd Logo
Unggah

Selamat datang di Scribd!

  • Usb Device Forensics XP Guide

    Diunggah oleh

    nic2008
    43 tayangan5 halaman
    USB device forensics xp guide

    Judul Asli

    Usb Device Forensics Xp Guide

    Hak Cipta

    © Attribution Non-Commercial (BY-NC)

    Format Tersedia

    PDF, TXT atau baca online dari Scribd

    Apakah menurut Anda dokumen ini bermanfaat?

    Apakah konten ini tidak pantas?

    Laporkan Dokumen Ini
    USB device forensics xp guide

    Hak Cipta:

    Attribution Non-Commercial (BY-NC)
    Unduh sebagai PDF, TXT atau baca online dari Scribd
    Tandai sebagai konten tidak pantas
    43 tayangan5 halaman

    Usb Device Forensics XP Guide

    Diunggah oleh

    nic2008
    USB device forensics xp guide

    Hak Cipta:

    Attribution Non-Commercial (BY-NC)
    Unduh sebagai PDF, TXT atau baca online dari Scribd
    Tandai sebagai konten tidak pantas
    dari 5

    How to Approach USB Key Forensics on XP

    1. Write Down Vendor, Product, Version


    SYSTEM\CurrentControlSet\Enum\USBSTOR

    2. Write Down Serial Number


    SYSTEM\CurrentControlSet\Enum\USBSTOR

    3. Determine Parent Prefix ID


    SYSTEM\CurrentControlSet\Enum\USBSTOR

    4. Determine Drive Letter Device Mapped To


    SYSTEM\MountedDevices

    Perform search for Parent Prefix ID

    5. Write Down Volume GUIDs


    SYSTEM\MountedDevices

    Perform Search for Parent Prefix ID

    6. Find User That Used The Specific USB Device


    NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

    Search for Device GUID

    7. 7 Determine Last Time Device Connected


    SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

    Perform search for S/N

    C:\Windows\setupapi.log

    8. Discover First Time Device Connected

    Perform search for Serial Number

    http://forensics.sans.org

    http://twitter.com/sansforensics

    ProfileXPUSBDevices
    USBDEVICE1
    1.WriteDownVendor,Product,Version SYSTEM\CurrentControlSet\Enum\USBSTOR 2.WriteDownSerialNumbers SYSTEM\CurrentControlSet\Enum\USBSTOR 3.DetermineParentPrefixID SYSTEM\CurrentControlSet\Enum\USBSTOR 4.DetermineDriveLetterDeviceMappedTo SYSTEM\MountedDevices-> Performsearchfor ParentPrefixID 5.WriteDownVolumeGUIDs SYSTEM\MountedDevices-> PerformSearchfor ParentPrefixID 6.FindUserThatUsedTheSpecificUSBDevice NTUSER.DAT\Software\Microsoft\Windows\ CurrentVersion\Explorer\MountPoints2-> SearchforDeviceGUID 7.DetermineLastTimeDeviceConnected SYSTEM\CurrentControlSet\Control\Devic eClasses\{53f56307-b6bf-11d0-94f200a0c91efb8b}-> PerformsearchforS/N 8.DiscoverFirstTimeDeviceConnected C:\Windows\setupapi.log >Performsearch forSerialNumber


    USBDEVICE2
    1.WriteDownVendor,Product,Version SYSTEM\CurrentControlSet\Enum\USBSTOR 2.WriteDownSerialNumbers SYSTEM\CurrentControlSet\Enum\USBSTOR 3.DetermineParentPrefixID SYSTEM\CurrentControlSet\Enum\USBSTOR 4.DetermineDriveLetterDeviceMappedTo SYSTEM\MountedDevices-> Performsearchfor ParentPrefixID 5.WriteDownVolumeGUIDs SYSTEM\MountedDevices-> PerformSearchfor ParentPrefixID 6.FindUserThatUsedTheSpecificUSBDevice NTUSER.DAT\Software\Microsoft\Windows\ CurrentVersion\Explorer\MountPoints2-> SearchforDeviceGUID 7.DetermineLastTimeDeviceConnected SYSTEM\CurrentControlSet\Control\Devic eClasses\{53f56307-b6bf-11d0-94f200a0c91efb8b}-> PerformsearchforS/N 8.DiscoverFirstTimeDeviceConnected C:\Windows\setupapi.log >Performsearch forSerialNumber


    USBDEVICE3
    1.WriteDownVendor,Product,Version SYSTEM\CurrentControlSet\Enum\USBSTOR 2.WriteDownSerialNumbers SYSTEM\CurrentControlSet\Enum\USBSTOR 3.DetermineParentPrefixID SYSTEM\CurrentControlSet\Enum\USBSTOR 4.DetermineDriveLetterDeviceMappedTo SYSTEM\MountedDevices-> Performsearchfor ParentPrefixID 5.WriteDownVolumeGUIDs SYSTEM\MountedDevices-> PerformSearchfor ParentPrefixID 6.FindUserThatUsedTheSpecificUSBDevice NTUSER.DAT\Software\Microsoft\Windows\ CurrentVersion\Explorer\MountPoints2-> SearchforDeviceGUID 7.DetermineLastTimeDeviceConnected SYSTEM\CurrentControlSet\Control\Devic eClasses\{53f56307-b6bf-11d0-94f200a0c91efb8b}-> PerformsearchforS/N 8.DiscoverFirstTimeDeviceConnected C:\Windows\setupapi.log >Performsearch forSerialNumber


    USBDEVICE4
    1.WriteDownVendor,Product,Version SYSTEM\CurrentControlSet\Enum\USBSTOR 2.WriteDownSerialNumbers SYSTEM\CurrentControlSet\Enum\USBSTOR 3.DetermineParentPrefixID SYSTEM\CurrentControlSet\Enum\USBSTOR 4.DetermineDriveLetterDeviceMappedTo SYSTEM\MountedDevices-> Performsearchfor ParentPrefixID 5.WriteDownVolumeGUIDs SYSTEM\MountedDevices-> PerformSearchfor ParentPrefixID 6.FindUserThatUsedTheSpecificUSBDevice NTUSER.DAT\Software\Microsoft\Windows\ CurrentVersion\Explorer\MountPoints2-> SearchforDeviceGUID 7.DetermineLastTimeDeviceConnected SYSTEM\CurrentControlSet\Control\Devic eClasses\{53f56307-b6bf-11d0-94f200a0c91efb8b}-> PerformsearchforS/N 8.DiscoverFirstTimeDeviceConnected C:\Windows\setupapi.log >Performsearch forSerialNumber

    Anda mungkin juga menyukai