EnScript to obtain connected USB devices from System Restore Points (XP)
A reader requested that I modify my original USB information EnScript to work with the snapshot copies of the SYSTEM registry hives that are saved in the System Volume Information folder by the System Restore service in Windows XP.
I have modified the original EnScript to only parse the registry hives found in the System Volume Information folder. This is a separate EnScript and does not parse the active registry hives, only the ones in the System Volume Information folder.
Download Here

3 comments:
Mr. Mueller, I am using EnCase version 6.14.3.4 and I was trying to use your provided EnScript - I'm trying to match up an external drive with my suspect computer. Here are the results when using the EnScript. Any assistance would be appreciated. Regards, Sgt. Robert Salter forensic@cityofrichfield.org or rsalter@cityofrichfield.org.
Error: Reference to null EntryClass object, Specialized Scripts\USB Device History - System Volume Information(53,0)
Name: USB Device History - System Volume Information
Status: Error
Start: 11/01/09 11:18:44AM
Stop: 11/01/09 11:18:45AM
Time: 0:00:01
Hi Lance,
This is David Shin, I worked with you at Guidance. I am trying to run your USB Device History - System Volume Information EnPack but I get the following error message in the output tab:
"35880BB8E71ACA4D956E6E303B44FA0B" does not exist, USB Device History - System Volume Information (10,42)
Any feedback would be appreciated. Hope all is well with you.
thank you.
David
Hi David,
Some of the reg hives that are collected in the System Volume Information are partial hives, meaning they don't have all the keys and values of a regular hive. So it appears that you are running across a hive that does not have some of the keys that are needed to determine or get the USB information.
Here is an updated version to only process selected hives in the System Restore Point. If you have any additional trouble, just email me: lance(at)forensickb.com
http://www.lancemueller.com/blog/USB%20Device%20History%20-%20System%20Volume%20Information%20-%20Selected%20Only.EnPack