Detecting Thumb Drives
> When doing forensics on a Linux Operating System, is there a way to
> determine if/when a thumb drive had ever been inserted?
ever! no, but sometimes you can see it in the logs...
also in /swap sometimes if you're lucky
as for when, usually that gets lost fairly quickly
- Looking at the log files you might be able to
determine there was a USB device inserted, or that an
'sd' device was mounted. Realistically, if you're
asking for your boss, who wants to know whether or not
to pursue an investigation, you should really have your
boss determine whether or not it's financially
worthwhile to pay someone to do the investigation. It
would seem that neither you nor he will be able to
really follow the advice you'd get here anyway.
That being said, the short answer is _maybe_.
Depending on the verbosity and lifetime of the
logging, as well as whether or not the user has
altered the logs.
Regarding your FTP question, there probably won't be a
smoking gun, but without comprehensive network logging
you could reasonably conclude that an FTP session was
established, and if you're REALLY lucky the FTP
program will keep a file transfer history (assuming
the user didn't alter that file).
Just a starting point.
--- mrafterv <mrafterv@...> wrote:
> When doing forensics on a Linux Operating System, is
> there a way to
> determine if/when a thumb drive had ever been
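
The log check suggested in the replies above, as an added example that is not part of the original thread: it walks syslog-format kernel messages, pairs each USB enumeration with the usb-storage binding and the 'sd' disk it produced, and records when the device was removed. The function name, the sample log and the message patterns are assumptions; the patterns follow common kernel wording and need adjusting for the kernel and syslog format on the system under examination.

```python
import re

# Constructed sample of syslog kernel messages; wording varies by kernel version.
SAMPLE_LOG = """\
May 14 10:22:31 ws01 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567
May 14 10:22:31 ws01 kernel: usb 1-1: SerialNumber: EXAMPLE0001
May 14 10:22:31 ws01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
May 14 10:22:31 ws01 kernel: scsi host6: usb-storage 1-1:1.0
May 14 10:22:33 ws01 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
May 14 10:22:40 ws01 sshd[811]: Accepted publickey for alice from 192.0.2.10
May 14 10:41:02 ws01 kernel: usb 1-1: USB disconnect, device number 5
May 14 11:03:17 ws01 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c077
"""

KERNEL = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ kernel: (?:\[[\s\d.]+\] )?(.*)$")
USB = re.compile(r"^usb ([\d.-]+): (.*)$")
IDS = re.compile(r"idVendor=(\w{4}), idProduct=(\w{4})")
STORAGE = re.compile(r"^usb-storage ([\d.-]+):[\d.]+: USB Mass Storage device detected")
HOST = re.compile(r"^scsi(?: host)?(\d+)\s*: usb-storage ([\d.-]+):")
DISK = re.compile(r"^sd (\d+):\d+:\d+:\d+: \[(sd[a-z]+)\] Attached SCSI")

def usb_storage_sessions(lines):
    """Return one record per device that the kernel bound to usb-storage."""
    seen, hosts, sessions = {}, {}, []   # port -> record, scsi host -> port
    for line in lines:
        k = KERNEL.match(line)
        if not k:
            continue                      # not a kernel message
        ts, msg = k.groups()
        if m := USB.match(msg):
            port, rest = m.groups()
            if ids := IDS.search(rest):   # enumeration starts a new record
                seen[port] = {"port": port, "first_seen": ts, "serial": None,
                              "vid_pid": ":".join(ids.groups()),
                              "disk": None, "removed": None}
            elif port in seen and rest.startswith("SerialNumber: "):
                seen[port]["serial"] = rest.split(": ", 1)[1]
            elif port in seen and rest.startswith("USB disconnect"):
                seen.pop(port)["removed"] = ts
        elif (m := STORAGE.match(msg)) and m[1] in seen:
            sessions.append(seen[m[1]])   # mass storage, so keep it
        elif m := HOST.match(msg):
            hosts[m[1]] = m[2]            # remember which port owns this SCSI host
        elif (m := DISK.match(msg)) and hosts.get(m[1]) in seen:
            seen[hosts[m[1]]]["disk"] = m[2]
    return sessions

if __name__ == "__main__":
    print(usb_storage_sessions(SAMPLE_LOG.splitlines()))
```

Classic syslog timestamps carry no year and rotated logs age out, so an empty result only shows that the surviving logs hold no record of a device.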