Tag Archives: registry

Investigating USB Drives using Mount Points Not Drive Letters

Yes, another excellent question came up by one of my students: If a user mounts the volume to a mount point, what artifacts could we find for the USB? Starting I think from Windows 8.1 or 10, a user could … Continue reading

Posted in DFIR, Forensics, Investigations, Windows | Tagged , , , , , , , , | Leave a comment

No Drive Letter, No USB Evidence? Think Again!

This post is about a question asked: If the user removes the drive letter to hide the presence of a mounted USB drive, could we still locate that drive in the Windows Registry? Short answer is, YES it will still … Continue reading

Posted in DFIR, Forensics, Investigations, Windows | Tagged , , , , , , | Leave a comment

Windows InstallTime vs InstallDate Registry Values

This is just a quick post about two Registry Values InstallTime and InstallDate which are found under the following key: SOFTWARE\Microsoft\Windows NT\CurrentVersion The confusion happens when my students ask which one is correct?

Posted in Forensics, Windows | Tagged , , , , , , | Comments Off on Windows InstallTime vs InstallDate Registry Values