USB Device History EnScript - Updates
James recently emailed me to tell me that he had taken the USB Device History EnScript and modified it to display additional/different information. So in the spirit of sharing and with the author's consent, here it is:
From James Habben -
The output is now modified to go into the Records Tab of EnCase so you can sort it and it is part of the case bookmarks
Download Here
From Edge -
- Semicolon separation of all information pulled from the registry so
it can be pulled into IDEA, Access or Excel.
- Dump of ENUM\USB including VID, PID, Serial_Num, Device_Description,
Location_Information, Manufacture and ParentIDPrefix.
- Updated ENUM\USBSTOR to also output the date the registry key for
that device was created (i.e. the date the USB device was first plugged
in).
- Added James Habben Records Tab feature.
- Fixed issue with Mounted Devices not producing the serial number for
some fixed drives i.e. C Drive.
- Made Mounted Devices more conducive to Excel/Access/IDEA.
- Fixed my stuff up with Manufacturer and Location_Information
ordering.
- Changed console output format slightly to reflect James's layout.
- Special Thanks to James for fixing an interesting issue I was having
with mountVolume method and for making his source code available.
Download Here
ShareThis
Posts
4 comments:
The script doesn't work with new version 6.11, any updates you can post please?
Lance,
FYI, USB Device History EnScript.
This script supplies some very useful info. I noticed that the
volumeByteOffsetStart was incorrect
in the GetMounted Devices procedure. When verified against encase / winhex - the volume offset was wrong as the last byte is not being read in - "offset = tempfile.ReadBinaryInt(8)
This is because the uint cant cope so I changed it to a long and it works fine and was verified.
Lance, two questions, 1. is there an updated version of the script that puts the output into the records tab that works in 6.12 and 2. is it possible to modify the script so it creates a csv automatically with the results. This is a great script by the ways. Thanks for sharing.
I know theposts are three years old now, but. where can I go to get a an recent EnScript that will detail USB Flash drive activity for down load logs on an Lenovo laptop.
I need almost the same thing on a the Dell Inspiron E1505 laptop. But, for it I need the email passwords. I have a Passware, latest version, but not have had to actually use it in relity yet
Both belonged to ex employees and have them tied up p like a bass on a top water bait with 40 Pound test line.
I am the owner's rep, and, I do own a a shot gun!
Thank you all!
Mike
Post a Comment