In short, when a USB device is connected to a Windows system, the Plug-and-Play (PnP) manager receives the notification and queries the device. Additional information regarding user-specific artifacts of USB devices will be covered in chapter “Case Studies: User Hives” of this book. In short, the System hive maintains a great deal of information about the devices and when they were attached to the system. Research into this area has been going on for some time; Cory Altheide and I published some of our joint research in this area in 2005, and some more recent analysis findings have been documented by Rob Lee on the SANS Forensic Blog (found online at ) on September 9, 2009.

Harlan Carvey, in Windows Registry Forensics (Second Edition), 2016

USB Devices

Another item of interest to analysts will often be the devices (particularly USB devices) that had been attached to the system.