How do I check if a user connected an external hard drive?


I originally came across this from a Citadel LLC complaint against a former employee. Text of complaint: http://www.scribd.com/doc/63606232/Citadel-vs-Yihao-Ben-Pu



From the filing:



"Forensic evidence has confirmed, however, that Pu also utilized a 500 gigabyte external hard drive (a Western Digital Elements 1023)"



How does one actually find out if a user connected an external hard drive?







security external-hard-drive logging monitoring







edited Apr 15 '16 at 14:38









Raystafarian


asked Sep 2 '11 at 1:24









Foo Bah

  • what os? it would depend.

    – Journeyman Geek
    Sep 2 '11 at 1:32











  • @Journeyman Geek yes, it's for Windows :)

    – Foo Bah
    Sep 2 '11 at 2:23



















2 Answers

On Windows, it's stored in the registry - usually HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

I'd also look at setupapi.log on %windir% for driver installs on systems older than Windows 7 (it's supposed to be %windir%\INF\setupapi.dev.log and %windir%\INF\setupapi.app.log, but the forensics classes I went to totally totally ignored this location, so I'm not totally familiar with this) - if a driver is there, and its device is not in the registry, you know that something is off.

I'd refer you to this article on antiforensics which I used to refresh my memory on where exactly it is.







edited 10 hours ago









MX D

answered Sep 2 '11 at 1:33









Journeyman Geek

  • is there a way to insert a usb device while bypassing this mechanism?

    – Foo Bah
    Sep 2 '11 at 2:23











  • @Foo Bah, not really. Windows needs to mount and load drivers to use the device. When it does this, it records information about the device so that it can load the device faster the next time. Remember, Windows is not an OS specifically designed for anonymous usage; it is meant for legitimate users who expect to reuse their devices on their systems.

    – Synetech
    Sep 2 '11 at 3:09
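
The cross-check described in the answer above (a driver install recorded in setupapi.dev.log with no matching device under USBSTOR), as an added example that is not part of the original answers. The registry export, the log excerpt and every device name and serial are constructed samples, and only the setupapi.dev.log layout is handled, not the older setupapi.log.

```python
import re

# Constructed sample: USBSTOR key paths as listed in a registry export.
REGISTRY_EXPORT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_Backup_Drive&Rev_1.00\SERIAL0001&0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_Backup_Drive&Rev_1.00\SERIAL0001&0\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0
"""

# Constructed sample in the section layout of %windir%\INF\setupapi.dev.log.
SETUPAPI_DEV_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_ExampleCo&Prod_Backup_Drive&Rev_1.00\SERIAL0001&0]
>>>  Section start 2011/08/20 09:14:02.511
<<<  Section end 2011/08/20 09:14:05.120
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_ExampleCo&Prod_Portable_500G&Rev_2.10\SERIAL0002&0]
>>>  Section start 2011/08/26 18:40:37.902
<<<  Section end 2011/08/26 18:40:41.377
<<<  [Exit status: SUCCESS]
"""

# USBSTOR\<type>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
DEVICE_ID = re.compile(
    r"USBSTOR\\[^&\\]+&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\\]\s]*)\\(?P<instance>[^\\\]\s]+)",
    re.IGNORECASE,
)


def parse_device(text):
    """Return (vendor, product, rev, instance) upper-cased, or None."""
    m = DEVICE_ID.search(text)
    if not m:
        return None
    return tuple(m.group(k).upper() for k in ("vendor", "product", "rev", "instance"))


def registry_devices(export_text):
    """Set of storage devices that still have a USBSTOR instance key."""
    return {d for d in map(parse_device, export_text.splitlines()) if d}


def setupapi_installs(log_text):
    """Map each installed USBSTOR device to its first 'Section start' time."""
    installs, current = {}, None
    for line in log_text.splitlines():
        if not line.startswith(">>>"):
            continue
        if "[Device Install" in line:
            current = parse_device(line)      # None for non-USBSTOR installs
        elif "Section start" in line and current:
            stamp = line.split("Section start", 1)[1].strip()
            installs.setdefault(current, stamp)  # keep the earliest install
            current = None
    return installs


def missing_from_registry(export_text, log_text):
    """Devices with a driver install in the log but no USBSTOR key left."""
    present = registry_devices(export_text)
    return {dev: ts for dev, ts in setupapi_installs(log_text).items()
            if dev not in present}


if __name__ == "__main__":
    for dev, ts in missing_from_registry(REGISTRY_EXPORT, SETUPAPI_DEV_LOG).items():
        print("installed", ts, "but absent from USBSTOR:", dev)
```
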



















If a USB device is connected and is mounted in Windows it is recorded in the Windows registry.



You can use USBDeview to see any USB device ever connected to any PC you run it on. It pulls the information from the Windows Registry.




USBDeview is a small utility that lists all USB devices that currently connected to your computer, as well as all USB devices that you previously used. For each USB device, extended information is displayed: Device name/description, device type, serial number (for mass storage devices), the date/time that device was added, VendorID, ProductID, and more.



USBDeview also allows you to uninstall USB devices that you previously used, disconnect USB devices that are currently connected to your computer, as well as to disable and enable USB devices.
You can also use USBDeview on a remote computer, as long as you login to that computer with admin user.




Only way around this is to manually remove all entries from the registry that refer to that specific device, along with other Windows locations mentioned by Journeyman Geek. USBDeview uninstall feature may not remove all traces of the device in the registry.







answered Sep 2 '11 at 2:45









Moab

  • that is a very nifty tool!

    – Foo Bah
    Sep 2 '11 at 3:19


















