Question : How many non-VM USB devices were attached to the system?
How to find the above question? under what type?
In the left panel, under Results, you will find USB Devices Attached under the Extracted Content section. The source of the data is the Windows Registry System hive.
I couldn’t find it under result
You won’t see that Result until you run the Recent Activity ingest module. It you did so, then you likely had some kind of error.
Do you see Recent Activity reports in the Reports section of the left pane? If so, you can find the same information in the SYSTEM report.
EDIT: Issue was resolved by closing and reopening the case.
Same issue here. I see it in the Reports section. But I don’t see anything in the Results section other than browser-related activity.
This topic is also in this thread: Section 8 Recent Activity - missing USB devices
Summary:
- Linux issues can have issues running RegRipper
- Windows systems can have issues refreshing and the re-opening fixes it.
Me too. I ran the Recent activity ingest but only got the browser related results.
Hi Brian… another possible cause: I noticed that if you’re using the CERT forensic tools repo, regripper is not installed as a dependency of autopsy - I had to install it after I noticed it was missing.