In my previously article "EnCase missed some USB activities in the evidence files", I mentioned about that EnCase could  only "see" few USB records. Actually not only EnCase may not see all USB records, some other forensic tools got the same problems.

What else could help us to find the missing USB Records? Take Windows 10 for example, we could take a look at the event log file named "Microsoft-Windows-Kernel-PnP%4Configuration.evtx" as below. You could know the brand, model and serial number and the timestamp etc.

Actually there is more than one USB device that suspect used as below. It's Seagate BUP_BK, but what's wrong with the serial number? All the digit is zero? That's not gonna happen,right?

Don't worry~ Just take a look at the following record and you will see its actual serial number.

How to find missing USB Records?的更多相关文章

  1. EnCase missed some usb activities in the evidence files

    My friend is a developer and her colleague May was suspected of stealing the source code of an impor ...

  2. Basic Concepts of Block Media Recovery

    Basic Concepts of Block Media Recovery Whenever block corruption has been automatically detected, yo ...

  3. Learning notes | Data Analysis: 1.1 data evaluation

    | Data Evaluation | - Use Shift + Enter or Shift + Return to run the upper box so as to make it disp ...

  4. Learning notes | Data Analysis: 1.2 data wrangling

    | Data Wrangling | # Sort all the data into one file files = ['BeijingPM20100101_20151231.csv','Chen ...

  5. Needle in a haystack: efficient storage of billions of photos 【转】

    转自09年的blog,因为facebook在国内无法访问,故此摘录. The Photos application is one of Facebook’s most popular features ...

  6. [译] iOS 11.4.1 Beta:全新的USB限制模式

    (Source/原文链接 https://blog.elcomsoft.com/2018/06/ios-11-4-1-beta-usb-restricted-mode-has-arrived/) 作者 ...

  7. linux设备驱动之USB主机控制器驱动分析 【转】

    转自:http://blog.chinaunix.net/uid-20543183-id-1930831.html   ---------------------------------------- ...

  8. usb驱动开发18之设备生命线

    现在已经使用GET_DESCRIPTOR请求取到了包含一个配置里所有相关描述符内容的一堆数据,这些数据是raw的,即原始的,所有数据不管是配置描述符.接口描述符还是端点描述符都挤在一起,所以得想办法将 ...

  9. usb驱动开发17之设备生命线

    拜会完了山头的几位大哥,还记得我们从哪里来要到哪里去吗?时刻不能忘记自身的使命啊.我们是从usb_submit_urb()最后的那个遗留问题usb_hcd_submit_urb()函数一路走来,现在就 ...

随机推荐

  1. windows 命令行打开浏览器

    在命令行打开百度 start chrome www.baidu.com

  2. Mac_OS_Sierra_10.12.6编译OpenJDK9

    编译环境以及依赖 macOS:Sierra,10.12.6 处理器:2.6 GHz Intel Core i7 内存:16 GB 2133 MHz LPDDR3 Command Line Tools ...

  3. 原来你是这样的JAVA[02]-包、传参、构造器

    一.包(package) 在java程序中,一个java源文件称为编译单元,以.java后缀命名.编译单元内可以有一个public类,类名必须与文件名相同.注意:每个编译单元只能有一个public类. ...

  4. springBoot系列教程06:参数验证及验证信息国际化

    在springboot应用中要验证参数是否正确很简单,web应用已经包含了validation的 1.定义需要被验证的参数实体,并用注解标明错误类别和错误信息 package com.xiao.dom ...

  5. SQL重复记录查询的几种方法

    http://www.jb51.net/article/34820.htm \ 1.查找表中多余的重复记录,重复记录是根据单个字段(peopleId)来判断 复制代码 代码如下: select * f ...

  6. glimmer 3.02安装小记

    wget http://www.cbcb.umd.edu/software/glimmer/glimmer302.tar.gz tar xzfglimmer302.tar.gz cd glimmer3 ...

  7. Linux文件的复制、删除和移动命令

    cp命令  功能:将给出的文件或目录拷贝到另一文件或目录中,就如同DOS下的copy命令一样,功能非常强大.  语法:cp [选项] 源文件或目录 目标文件或目录  说明:该命令把指定的源文件复制到目 ...

  8. UWP 手绘视频创作工具技术分享系列 - Ink & Surface Dial

    本篇作为技术分享系列的第四篇,详细讲一下手绘视频中 Surface Pen 和 Surface Dial 的使用场景. 先放一张微软官方商城的图,Surface 的使用中结合了 Surface Pen ...

  9. textarea显示源代码

    textarea显示源代码 近期做的项目中,有需要显示源码的效果 最开始使用了很多冗余的办法,使用<pre></pre>和<code></code>标签 ...

  10. Hadoop源码篇---解读Mapprer源码Input输入

    一.前述 上次分析了客户端源码,这次分析mapper源码让大家对hadoop框架有更清晰的认识 二.代码 自定义代码如下: public class MyMapper extends Mapper&l ...