In my previously article "EnCase missed some USB activities in the evidence files", I mentioned about that EnCase could  only "see" few USB records. Actually not only EnCase may not see all USB records, some other forensic tools got the same problems.

What else could help us to find the missing USB Records? Take Windows 10 for example, we could take a look at the event log file named "Microsoft-Windows-Kernel-PnP%4Configuration.evtx" as below. You could know the brand, model and serial number and the timestamp etc.

Actually there is more than one USB device that suspect used as below. It's Seagate BUP_BK, but what's wrong with the serial number? All the digit is zero? That's not gonna happen,right?

Don't worry~ Just take a look at the following record and you will see its actual serial number.

How to find missing USB Records?的更多相关文章

  1. EnCase missed some usb activities in the evidence files

    My friend is a developer and her colleague May was suspected of stealing the source code of an impor ...

  2. Basic Concepts of Block Media Recovery

    Basic Concepts of Block Media Recovery Whenever block corruption has been automatically detected, yo ...

  3. Learning notes | Data Analysis: 1.1 data evaluation

    | Data Evaluation | - Use Shift + Enter or Shift + Return to run the upper box so as to make it disp ...

  4. Learning notes | Data Analysis: 1.2 data wrangling

    | Data Wrangling | # Sort all the data into one file files = ['BeijingPM20100101_20151231.csv','Chen ...

  5. Needle in a haystack: efficient storage of billions of photos 【转】

    转自09年的blog,因为facebook在国内无法访问,故此摘录. The Photos application is one of Facebook’s most popular features ...

  6. [译] iOS 11.4.1 Beta:全新的USB限制模式

    (Source/原文链接 https://blog.elcomsoft.com/2018/06/ios-11-4-1-beta-usb-restricted-mode-has-arrived/) 作者 ...

  7. linux设备驱动之USB主机控制器驱动分析 【转】

    转自:http://blog.chinaunix.net/uid-20543183-id-1930831.html   ---------------------------------------- ...

  8. usb驱动开发18之设备生命线

    现在已经使用GET_DESCRIPTOR请求取到了包含一个配置里所有相关描述符内容的一堆数据,这些数据是raw的,即原始的,所有数据不管是配置描述符.接口描述符还是端点描述符都挤在一起,所以得想办法将 ...

  9. usb驱动开发17之设备生命线

    拜会完了山头的几位大哥,还记得我们从哪里来要到哪里去吗?时刻不能忘记自身的使命啊.我们是从usb_submit_urb()最后的那个遗留问题usb_hcd_submit_urb()函数一路走来,现在就 ...

随机推荐

  1. vue2.0父子组件以及非父子组件如何通信

    1.父组件传递数据给子组件 父组件数据如何传递给子组件呢?可以通过props属性来实现 父组件: <parent> <child :child-msg="msg" ...

  2. 1.1 About Percona XtraDB Cluster

    摘要: 出处:kelvin19840813 的博客 http://www.cnblogs.com/kelvin19840813/ 您的支持是对博主最大的鼓励,感谢您的认真阅读.本文版权归作者所有,欢迎 ...

  3. CSS图片翻转动画技术详解

    因为不断有人问我,现在我补充一下:IE是支持这种技术的!尽管会很麻烦.需要做的是旋转front和back元素,而不是旋转整个容器元素.如果你使用的是最新版的IE,可以忽略这一节.IE10+是支持的,I ...

  4. Ajax同源和跨域

    ajax跨域访问 客户端页面 var url = "http://172.16.91.121:81/FellIn/FellIn.aspx?Action=WXSave&WX_Store ...

  5. Laravel 中实现是否关注

    @if ($user->id !== Auth::user()->id) <div id="follow_form"> @if (Auth::user()- ...

  6. Java数组的创建和初始化

    我们说到数组,可能有的人就会比较害怕了,其实,数组只是把对象序列(很多个对象)或者基本类型序列(很多个基本类型)放在一起而已.数组是通过方括号下标操作符[]来定义和使用的.如果要定义,创建一个数组,只 ...

  7. vue2.0 配置build项目打包目录、资源文件(assets\static)打包目录

    vue项目默认的打包路径:根目录下的dist文件夹下: 但是在项目开发中,我们肯定希望项目提交到svn目录或者git目录下,否则每次复制过去,太麻烦了: 那怎么配置打包路径呢?下面来看看: 我们找到打 ...

  8. 移动端页面 css reset

    这个是通用的  css reset.这个版本适用于 移动端页面 如果需要在 PC端使用,可以 修改 html{font-size: 10px;}为html{font-size: 12px;} 其他地方 ...

  9. Spark算子篇 --Spark算子之combineByKey详解

    一.概念 rdd.combineByKey(lambda x:"%d_" %x, lambda a,b:"%s@%s" %(a,b), lambda a,b:& ...

  10. 我的Python学习笔记(三):私有变量

    一.私有变量的定义 在Python中,有以下几种方式来定义变量: xx:公有变量 _xx:单前置下划线,私有化属性或方法,类对象和子类可以访问,from somemodule import *禁止导入 ...