Tag Archives: registry

Investigating USB Drives using Mount Points Not Drive Letters

Posted on 4 April 2020 by [email protected]

Yes, another excellent question came up by one of my students: If a user mounts the volume to a mount point, what artifacts could we find for the USB? Starting I think from Windows 8.1 or 10, a user could … Continue reading →

Posted in DFIR, Forensics, Investigations, Windows | Tagged DFIR, Forensics, Investigations, registry, Registry Explorer, RegRipper, USB, Windows, Windows and tagged Computer Forensics | Comments Off

No Drive Letter, No USB Evidence? Think Again!

Posted on 3 April 2020 by [email protected]

This post is about a question asked: If the user removes the drive letter to hide the presence of a mounted USB drive, could we still locate that drive in the Windows Registry? Short answer is, YES it will still … Continue reading →

Posted in DFIR, Forensics, Investigations, Windows | Tagged Computer Forensics, DFIR, registry, Registry Explorer, RegRipper, USB, Windows | Comments Off

Windows InstallTime vs InstallDate Registry Values

Posted on 31 May 2019 by [email protected]

This is just a quick post about two Registry Values InstallTime and InstallDate which are found under the following key: SOFTWARE\Microsoft\Windows NT\CurrentVersion The confusion happens when my students ask which one is correct?

Posted in Forensics, Windows | Tagged DCode, InstallDate, InstallTime, registry, Registry Explorer, timestamps, Windows | Comments Off

Tag Archives: registry

Investigating USB Drives using Mount Points Not Drive Letters

No Drive Letter, No USB Evidence? Think Again!

Windows InstallTime vs InstallDate Registry Values

Recent Posts

Categories

Archives