Hi everyone,
I am facing a situation and would like to know whether anyone has faced this in the past.
I was examining a forensic image; the requirement was to identify the list of USB devices, mainly storage devices like thumb drives, external HDDs etc., used in the suspect PC and how many times (date and time) they had been connected to this PC.
By doing registry analysis using different tools (including Autopsy) I was able to pull the list of USB devices used in the PC.
Now, to answer the 2nd query and get the count of how many times these USBs have been connected, I ran an index keyword search for the USB serial numbers extracted above. To my surprise I got over 40 hits with different dates and times for one USB serial no. from event logs. The location for this log was \Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx\Microsoft-Windows-Partition/Diagnostic
By reading the event details I can see that it says the device was plugged in, and this I have verified with FTK, EnCase as well as Autopsy.
Now my query is: has this discovery of USB plug-in events been seen by anyone else in this forum? If not, can anyone confirm by running a test on it?
If it is a legitimate artifact, then can the current Autopsy plugin that extracts USB details be upgraded to parse these event files and include the results?
Thank you.
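The tallying step described in the post (keyword hits for a USB serial number in the Partition/Diagnostic log, turned into a per-device count of connection dates and times), as an added example that is not code from the forum post or from Autopsy. It assumes the log has been exported to XML in the shape `wevtutil qe <log> /f:xml` produces, that the relevant records carry EventID 1006, that the EventData fields are named Manufacturer, Model, SerialNumber and Capacity, and that a Capacity of 0 marks a removal record rather than an arrival; all of these are assumptions about the log schema, not facts taken from the post. The sample export is constructed.

```python
"""Tally USB storage arrival/removal events per device serial number from an
XML export of the Microsoft-Windows-Partition/Diagnostic event log.

Added example, not from the forum post or from Autopsy. Assumptions: XML in
the `wevtutil qe <log> /f:xml` shape, EventID 1006 for disk arrival/removal,
EventData fields Manufacturer/Model/SerialNumber/Capacity, Capacity 0 = removal.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
USB_DISK_EVENT_ID = 1006  # assumption: id of the arrival/removal record

# Constructed sample export: two arrivals and one removal for one thumb drive,
# plus a single arrival for a second drive.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Partition"/><EventID>1006</EventID>
    <TimeCreated SystemTime="2021-03-01T09:15:02.1234567Z"/></System>
  <EventData>
    <Data Name="Manufacturer">SanDisk</Data><Data Name="Model">Cruzer Blade</Data>
    <Data Name="SerialNumber">4C530000000000000001</Data>
    <Data Name="Capacity">32015679488</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Partition"/><EventID>1006</EventID>
    <TimeCreated SystemTime="2021-03-01T17:40:11.0000000Z"/></System>
  <EventData>
    <Data Name="Manufacturer">SanDisk</Data><Data Name="Model">Cruzer Blade</Data>
    <Data Name="SerialNumber">4C530000000000000001</Data>
    <Data Name="Capacity">0</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Partition"/><EventID>1006</EventID>
    <TimeCreated SystemTime="2021-03-04T08:02:45.5550000Z"/></System>
  <EventData>
    <Data Name="Manufacturer">SanDisk</Data><Data Name="Model">Cruzer Blade</Data>
    <Data Name="SerialNumber">4C530000000000000001</Data>
    <Data Name="Capacity">32015679488</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Partition"/><EventID>1006</EventID>
    <TimeCreated SystemTime="2021-03-02T12:00:00.0000000Z"/></System>
  <EventData>
    <Data Name="Manufacturer">Kingston</Data><Data Name="Model">DataTraveler</Data>
    <Data Name="SerialNumber">AA00000000000002</Data>
    <Data Name="Capacity">16008609792</Data>
  </EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Flatten every <Event> into a dict of the fields the tally needs."""
    events = []
    root = ET.fromstring(xml_text)
    for ev in root.iter(f"{{{EVT_NS}}}Event"):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "event_id": int(system.findtext("e:EventID", default="0", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "serial": data.get("SerialNumber", ""),
            "manufacturer": data.get("Manufacturer", ""),
            "model": data.get("Model", ""),
            "capacity": int(data.get("Capacity") or 0),
        })
    return events


def summarize(events):
    """Group arrival and removal timestamps by serial number (sorted ISO strings)."""
    per_device = defaultdict(lambda: {"manufacturer": "", "model": "",
                                      "connected": [], "removed": []})
    for ev in events:
        if ev["event_id"] != USB_DISK_EVENT_ID or not ev["serial"]:
            continue  # not a disk arrival/removal record, or no serial to key on
        dev = per_device[ev["serial"]]
        dev["manufacturer"] = ev["manufacturer"] or dev["manufacturer"]
        dev["model"] = ev["model"] or dev["model"]
        bucket = "removed" if ev["capacity"] == 0 else "connected"  # assumption
        dev[bucket].append(ev["time"])
    for dev in per_device.values():
        dev["connected"].sort()
        dev["removed"].sort()
    return dict(per_device)


def connection_count(summary, serial):
    """Number of arrival records for one serial (e.g. one pulled from the registry)."""
    return len(summary.get(serial, {}).get("connected", []))


if __name__ == "__main__":
    for serial, dev in summarize(parse_events(SAMPLE_XML)).items():
        print(f"{serial} ({dev['manufacturer']} {dev['model']}): "
              f"{len(dev['connected'])} arrivals, {len(dev['removed'])} removals")
        for t in dev["connected"]:
            print("   connected", t)
```

Feeding it a real export, the serial numbers recovered from the registry become the keys to look up with `connection_count`, and the `connected` list gives the date and time of each arrival; keeping arrivals and removals in separate buckets stops a raw keyword-hit count from double-counting each plug-in.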