computer forensics
News: Welcome to the new ForensicExams.org Computer Forensics Forum.
 
Topic: Windows XP autoplay help
Christian Powers
« on: August 29, 2007, 01:00:52 PM »

Currently working an investigation that is related to external media (USB devices, CD-ROMs, etc.). I have two questions, if I might. First, when autoplay scans the filesystem on the media and you can see all the file names and folder names, is this information being logged anywhere within the O/S?
Second question: Does the Windows indexing service that can be used to speed up searches for files within Windows also index external media if it is plugged in long enough? If so, where is that index located and has anyone had any experience with it?

Christian....
keydet89
« Reply #1 on: January 19, 2008, 01:30:03 PM »

> Currently working an investigation that is related to external media (USB devices, CD-ROMs, etc.). I have two questions, if I might. First, when autoplay scans the filesystem on the media and you can see all the file names and folder names, is this information being logged anywhere within the O/S?

Not that I'm aware of, no...but it would be an interesting experiment.  Take a device with files, and before you plug it in, snapshot the Registry.  Do it again after you plug the device in, and then diff the two...

> Second question: Does the Windows indexing service that can be used to speed up searches for files within Windows also index external media if it is plugged in long enough? If so, where is that index located and has anyone had any experience with it?

I haven't ever seen that question before...interesting.  I wonder, have you done any searches of the MS site for info regarding the Indexing service?

H

http://tech.groups.yahoo.com/group/win4n6/

"Windows Forensics and Incident Response"
"Windows Forensic Analysis"
"Perl Scripting for Windows Security"
Christian Powers
« Reply #2 on: January 23, 2008, 09:28:31 AM »

Harlan,
    Thanks for the response. I haven't been able to locate much on the issue on the MS website. I have an idea I just haven't had time to test. I am going to put a large number of text documents on a thumb drive, snapshot the registry before plugging anything in, and get a DD image of the OS drive. Then I'll reboot, plug in the thumb drive for a few hours with the indexing service turned on, and maybe even run a few searches that include all available drive letters. Then I'll snapshot again and re-image. I'll compare the before and after of the registry, as well as do hash analysis, and see what files change. On the files that turn up I'll just run diff against them and see the result.

I'll post the result when I have it.

Thanks for the ideas.

christian...