Re: [sleuthkit-users] USB setupapi disk image
From: Sarah A. <sa...@ny...> - 2015-07-29 02:32:11
Thank you for the helpful information Kalin & Greg! I apologize, I had a bug in my ingest module that was causing the setupapi log to not be marked as a TSK_INTERESTING_FILE_HIT.

If anyone is interested, here are a couple of examples with setupapi logs:

http://www.cfreds.nist.gov/Hacking_Case.html
http://digitalcorpora.org/corp/nps/scenarios/2009-m57-patents/drives-redacted/jo-2009-12-11-002.E01

-Sarah

On Tue, Jul 28, 2015 at 8:23 AM, Kalin KOZHUHAROV <me....@gm...> wrote:

> On Jul 29, 2015 12:03 AM, "Sarah Ash" <sa...@ny...> wrote:
> >
> > For my digital forensics course, I am developing an Autopsy Python plugin that analyzes USB device history. I haven't yet located a sample forensics disk image that contains a setupapi log. The setupapi log would tell you when a USB device history was first installed. Any help locating a disk image would be greatly appreciated!
>
> Why not create one? Just a fresh install is fine, plug some USB storage devices and you are done.
>
> Since you will be focusing on file contents, AFAU, you can create a new small filesystem and copy only the files your module operates on.
>
> Kalin.
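
Added example (not part of the original thread and not the plugin discussed in it): a minimal parser that pulls the first-install time of each USB storage device out of a setupapi log, as the request above describes. It assumes the section layout of setupapi.dev.log on Windows Vista and later; the sample log and the names first_usb_installs and split_device_id are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the setupapi.dev.log section layout (assumed: Windows
# Vista and later). Device IDs and times are made up, not from a real image.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\EXAMPLE0001&0]
>>>  Section start 2015/07/28 08:23:41.512
     dvi: constructed body line
<<<  Section end 2015/07/28 08:23:43.020
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - PCI\VEN_0000&DEV_0000\EXAMPLE]
>>>  Section start 2015/07/28 09:00:00.000
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\EXAMPLE0001&0]
>>>  Section start 2015/07/29 10:00:00.000
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash&Rev_1.00\EXAMPLE0002&0]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install.*? - (USBSTOR\\[^\]]+)\]", re.I)
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})")

def first_usb_installs(text):
    """Map each USBSTOR device instance ID to its earliest install section start."""
    first, pending = {}, None
    for line in text.splitlines():
        if line.startswith(">>>") and "[" in line:
            m = HEADER.match(line)           # non-USBSTOR sections reset pending
            pending = m.group(1).upper() if m else None
        elif pending:
            s = START.match(line)
            if s:
                # The log records local time with no zone; keep it naive.
                ts = datetime.strptime(s.group(1), "%Y/%m/%d %H:%M:%S.%f")
                first[pending] = min(ts, first.get(pending, ts))
                pending = None
    return first                             # a header cut off before its start line is dropped

def split_device_id(device_id):
    """Break USBSTOR\\Disk&Ven_x&Prod_y&Rev_z\\serial into its fields."""
    parts = device_id.split("\\")
    fields = dict(f.split("_", 1) for f in parts[1].split("&") if "_" in f)
    fields["SERIAL"] = parts[2] if len(parts) > 2 else ""
    return fields

if __name__ == "__main__":
    for dev, ts in sorted(first_usb_installs(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(ts.isoformat(), split_device_id(dev))
```

The older setupapi.log written by earlier Windows versions uses a different layout and is not handled here. Because the timestamps are local time, they need the system's time zone setting before they can be lined up with other artifacts.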