
Detecting Thumb Drives

  • mrafterv
    Message 1 of 3 , Jul 12 11:38 AM
      When doing forensics on a Linux Operating System, is there a way to
      determine if/when a thumb drive had ever been inserted?
    • Richard Reynolds
      Message 2 of 3 , Jul 12 9:59 PM
        > When doing forensics on a Linux Operating System, is there a way to
        > determine if/when a thumb drive had ever been inserted?

        ever! no, but sometimes you can see it in the logs...

        also in /swap sometimes if you're lucky

        as for when, usually that gets lost fairly quickly


        Richard Reynolds
        richard.reynolds@...
      • swinginscott
        Message 3 of 3 , Jul 13 4:26 AM
          Looking at the log files you might be able to
          determine there was a USB device inserted, or that an
          'sd' device was mounted. Realistically, if you're
          asking for your boss, who wants to know whether or not
          to pursue an investigation, you should really have your
          boss determine whether or not it's financially
          worthwhile to pay someone to do the investigation. It
          would seem that neither you nor he will be able to
          really follow the advice you'd get here anyway.

          That being said, the short answer is _maybe_.
          Depending on the verbosity and lifetime of the
          logging, as well as whether or not the user has
          altered the logs.

          Regarding your FTP question, there probably won't be a
          smoking gun, but without comprehensive network logging
          you could reasonably conclude that an FTP session was
          established, and if you're REALLY lucky the FTP
          program will keep a file transfer history (assuming
          the user didn't alter that file).

          Just a starting point.

          ~
          --- mrafterv <mrafterv@...> wrote:

          > When doing forensics on a Linux Operating System, is
          > there a way to
          > determine if/when a thumb drive had ever been
          > inserted?
          >
          >
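The log review suggested in the replies above, as an added example that is not part of the original posts: a Python sketch that pulls USB and 'sd' kernel messages out of syslog text and pairs each connect with its disconnect. The sample lines are constructed, the message patterns are the usual Linux kernel wording and can differ between kernel versions, and the function names are hypothetical. Traditional syslog timestamps carry no year, and nothing is found once the logs have rotated away or been altered.

```python
import re

# Constructed sample of kernel messages as they might appear in a syslog file
# (hostname, timestamps, vendor/product IDs and serial number are made up).
SAMPLE_LOG = """\
Jul 12 09:14:02 host1 kernel: usb 1-1: new high-speed USB device number 5 using ehci-pci
Jul 12 09:14:02 host1 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567
Jul 12 09:14:02 host1 kernel: usb 1-1: SerialNumber: 0123456789AB
Jul 12 09:14:03 host1 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Jul 12 09:14:04 host1 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jul 12 09:20:41 host1 sshd[811]: Accepted publickey for alice from 10.0.0.7 port 50122 ssh2
Jul 12 09:31:17 host1 kernel: usb 1-1: USB disconnect, device number 5
"""

# Syslog prefix, with an optional "[ 1234.567] " kernel uptime stamp before the message.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: (?:\[[\d. ]+\] )?(?P<msg>.*)$")
PATTERNS = [
    ("connect", re.compile(r"usb (\S+): new \S+ USB device number \d+")),
    ("ids", re.compile(r"usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")),
    ("serial", re.compile(r"usb (\S+): SerialNumber: (\S+)")),
    ("storage", re.compile(r"usb-storage (\S+?):[\d.]+: USB Mass Storage device detected")),
    ("disk", re.compile(r"sd [\d:]+ \[(sd[a-z]+)\] Attached SCSI (?:removable )?disk")),
    ("disconnect", re.compile(r"usb (\S+): USB disconnect")),
]

def usb_events(text):
    """Return (timestamp, kind, details) for each USB/sd kernel message."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a kernel line (e.g. sshd), ignore
        for kind, rx in PATTERNS:
            hit = rx.search(m["msg"])
            if hit:
                events.append((m["ts"], kind, hit.groups()))
                break
    return events

def insertion_windows(events):
    """Pair each connect with the next disconnect on the same USB port."""
    open_, windows = {}, []
    for ts, kind, details in events:
        if kind == "connect":
            open_[details[0]] = ts
        elif kind == "disconnect" and details[0] in open_:
            windows.append((details[0], open_.pop(details[0]), ts))
    return windows
```
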


