
http://forensics.sans.org
http://twitter.com/sansforensics

Profile Windows XP USB Keys/Thumbdrives

XP USB KEY/Thumbdrive

1. Write Down Vendor, Product, Version
   SYSTEM\CurrentControlSet\Enum\USBSTOR
   Vendor =
   Product =
   Version =

2. Write Down Serial Numbers
   SYSTEM\CurrentControlSet\Enum\USBSTOR
   Serial Number =

3. Determine Parent Prefix ID
   SYSTEM\CurrentControlSet\Enum\USBSTOR
   Parent Prefix ID =

4. Determine Vendor-ID (VID) and Product-ID (PID)
   SYSTEM\CurrentControlSet\Enum\USB -> Perform search for S/N
   VID_XXXX =
   PID_YYYY =

5. Determine Drive Letter Device Mapped To
   SYSTEM\MountedDevices -> Perform search for Parent Prefix ID in the Drive Letters
   Drive =

6. Write Down Volume GUIDs
   SYSTEM\MountedDevices -> Perform search for Parent Prefix ID in the GUIDs
   {GUID} =

7. Find User That Used The Specific USB Device
   NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> Search for Device GUID
   User =

8. Discover First Time Device Connected
   C:\Windows\setupapi.log -> Perform search for Serial Number
   Time/Timezone =

9. Determine First Time Device Connected After Last Reboot
   SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} -> Perform search for S/N
   or
   SYSTEM\CurrentControlSet\Enum\USB\VID_XXXX&PID_YYYY -> Perform search for Serial Number (Last Written Time of Serial Number Key)
   Time/Timezone =

10. Determine Last Time Device Connected
   NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID} -> Perform search for Device {GUID}
   Time/Timezone =

Profile VISTA USB Key/Thumbdrives

VISTA USB KEY/Thumbdrive

1. Write Down Vendor, Product, Version
   SYSTEM\CurrentControlSet\Enum\USBSTOR
   Vendor =
   Product =
   Version =

2. Write Down Serial Numbers
   SYSTEM\CurrentControlSet\Enum\USBSTOR
   Serial Number =

3. Determine Vendor-ID (VID) and Product-ID (PID)
   SYSTEM\CurrentControlSet\Enum\USB -> Perform search for S/N
   VID_XXXX =
   PID_YYYY =

4. Write Down Volume GUIDs
   SYSTEM\MountedDevices -> Perform search for Serial Number
   GUID =

5. Determine Drive Letter and Volume Name Device Mapped To
   SOFTWARE\Microsoft\Windows Portable Devices\Devices -> Perform search for Serial Number and match with Volume Name
   Drive Letter =
   Volume Name =

6. Find User That Used The Specific USB Device
   NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> Search for Device GUID
   User =

7. Discover First Time Device Connected
   C:\Windows\inf\setupapi.dev.log -> Perform search for Serial Number
   Time/Timezone =

8. Determine First Time Device Connected After Last Reboot
   SYSTEM\CurrentControlSet\Enum\USBSTOR\Vendor_Product_Version -> Perform search for Serial Number (Last Written Time of Serial Number Key)
   or
   SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} -> Perform search for S/N (Last Written Time of Key that has Serial Number and Vendor/Product/Revision)
   Time/Timezone =

9. Determine Last Time Device Connected
   SYSTEM\CurrentControlSet\Enum\USB\VID_XXXX&PID_YYYY -> Perform search for Serial Number (Last Written Time of Serial Number Key)
   or
   NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID} -> Perform search for Device {GUID}
   Time/Timezone =

Profile Windows 7 USB Keys/Thumbdrives

Win7 USB Key/Thumbdrive

1. Write Down Vendor, Product, Version
   SYSTEM\CurrentControlSet\Enum\USBSTOR
   Vendor =
   Product =
   Version =

2. Write Down Serial Numbers
   SYSTEM\CurrentControlSet\Enum\USBSTOR
   Serial Number =

3. Determine Vendor-ID (VID) and Product-ID (PID)
   SYSTEM\CurrentControlSet\Enum\USB -> Perform search for S/N
   VID_XXXX =
   PID_YYYY =

4. Determine Drive Letter Device Mapped To
   SYSTEM\MountedDevices -> Perform search for Serial Number in the Drive Letters
   Drive =

5. Write Down Volume GUIDs
   SYSTEM\MountedDevices -> Perform search for Serial Number in the GUIDs
   GUID =

6. Find User That Used The Specific USB Device
   NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> Search for Device GUID
   User =

7. Discover First Time Device Connected
   C:\Windows\inf\setupapi.dev.log -> Perform search for Serial Number
   Time/Timezone =

8. Determine First Time Device Connected After Last Reboot
   SYSTEM\CurrentControlSet\Enum\USBSTOR\Vendor_Product_Version -> Perform search for Serial Number (Last Written Time of Serial Number Key)
   or
   SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} -> Perform search for S/N (Last Written Time of Key that has Serial Number and Vendor/Product/Revision)
   Time/Timezone =

9. Determine Last Time Device Connected
   SYSTEM\CurrentControlSet\Enum\USB\VID_XXXX&PID_YYYY -> Perform search for Serial Number (Last Written Time of Serial Number Key)
   or
   NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID} -> Perform search for Device {GUID}
   Time/Timezone =
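Steps 4, 5 and 7 of the Vista/Win7 profiles, carried out offline in Python, as an added example that is not part of the SANS poster. It assumes two artifact formats the poster does not spell out: that a SYSTEM\MountedDevices value for a USB mass-storage volume holds the UTF-16LE device path \??\USBSTOR#Disk&Ven_<v>&Prod_<p>&Rev_<r>#<serial>&0#{class GUID} (fixed-disk values hold a 12-byte signature/offset instead), and that setupapi.dev.log opens each install with a ">>>  [Device Install ... - <instance id>]" line followed by ">>>  Section start YYYY/MM/DD HH:MM:SS.mmm". The registry contents and the log excerpt are constructed; reading a real hive needs a registry parser, which this block does not include.

```python
"""Correlate one USB serial number across constructed Win7 USB artifacts (added example)."""
import re
from datetime import datetime
from typing import Optional

# Constructed stand-in for SYSTEM\MountedDevices: value name -> raw value data.
_USB_PATH = (
    "\\??\\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26"
    "#4C530012345678901234&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
)
MOUNTED_DEVICES = {
    # Fixed disk: 4-byte MBR signature + 8-byte partition offset, not a device path.
    "\\DosDevices\\C:": bytes.fromhex("78563412") + (1048576).to_bytes(8, "little"),
    "\\DosDevices\\E:": _USB_PATH.encode("utf-16-le"),
    "\\??\\Volume{a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d}": _USB_PATH.encode("utf-16-le"),
}

_USBSTOR_RE = re.compile(
    r"^\\\?\?\\USBSTOR#Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<revision>[^#]*)#(?P<serial>[^&#]+)&\d+#\{(?P<class_guid>[0-9a-fA-F-]+)\}$"
)
_DRIVE_RE = re.compile(r"^\\DosDevices\\(?P<letter>[A-Z]):$")
_VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{(?P<guid>[0-9a-fA-F-]+)\}$")


def _decode_device_path(data: bytes) -> Optional[str]:
    """Return the device path stored in a MountedDevices value, or None for fixed-disk values."""
    if len(data) % 2 or len(data) < 16:
        return None
    text = data.decode("utf-16-le", errors="replace")
    return text if text.startswith("\\??\\") else None


def find_mounts(serial: str, mounted=MOUNTED_DEVICES) -> dict:
    """Steps 4 and 5: drive letters and volume GUIDs whose device path carries this serial."""
    result = {"drives": [], "volume_guids": []}
    for name, data in mounted.items():
        path = _decode_device_path(data)
        if path is None:
            continue
        m = _USBSTOR_RE.match(path)
        if not m or m.group("serial").lower() != serial.lower():
            continue
        d = _DRIVE_RE.match(name)
        if d:
            result["drives"].append(d.group("letter") + ":")
        v = _VOLUME_RE.match(name)
        if v:
            result["volume_guids"].append(v.group("guid").lower())
    return result


# Constructed excerpt in the shape of C:\Windows\inf\setupapi.dev.log (assumed format).
SETUPAPI_DEV_LOG = r"""
[Device Install Log]
     OS Version = 6.1.7601
>>>  [Device Install (Hardware initiated) - USB\VID_0951&PID_1642\001CC0EC3462BB4067A4ED08]
>>>  Section start 2011/08/02 17:05:44.101
<<<  Section end 2011/08/02 17:05:45.221
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5406\4C530012345678901234]
>>>  Section start 2011/09/14 08:31:10.345
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2011/09/14 08:31:11.902
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530012345678901234&0]
>>>  Section start 2011/09/14 08:31:12.453
<<<  Section end 2011/09/14 08:31:13.231
<<<  [Exit status: SUCCESS]
"""

_HEADER_RE = re.compile(r"^>>>\s+\[Device Install .*? - (?P<instance_id>.+)\]\s*$")
_START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s*$")


def first_install_time(log_text: str, serial: str) -> Optional[datetime]:
    """Step 7: earliest install section whose instance id contains the serial.

    The log stores local system time with no zone, so the result is a naive
    datetime; the time zone of the examined machine must be recorded separately.
    """
    earliest = None
    pending = False
    for line in log_text.splitlines():
        h = _HEADER_RE.match(line)
        if h:
            pending = serial.lower() in h.group("instance_id").lower()
            continue
        s = _START_RE.match(line)
        if s and pending:
            ts = datetime.strptime(s.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            if earliest is None or ts < earliest:
                earliest = ts
            pending = False
    return earliest


if __name__ == "__main__":
    serial = "4C530012345678901234"
    print(serial, find_mounts(serial), first_install_time(SETUPAPI_DEV_LOG, serial))
```

The serial is searched in both the USB\VID_XXXX&PID_YYYY and the USBSTOR instance ids, so the earliest timestamp comes from whichever install section appeared first; the same helper applies unchanged to a real log file read from disk.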

License and use: free for personal use, attribution required.