Comments on Digital Forensics Stream: USB Device Tracking Batch Script
Feed author: Jason Hale. Last updated 2023-07-01T03:35:16-04:00.

Jason Hale, 2014-02-17T08:47:47-05:00:

Hi, you should be able to use the device identifier/serial number to track a device across multiple machines, but I'm not sure what you mean by locating the home location. Also, keep in mind that the DriverFrameworks-UserMode/Operational event log has a limited time span, as older events will roll off once the event log reaches its maximum size, so this batch script will miss connections and disconnections prior to the oldest record in the event log (although you could also run this against previous versions in VSCs).

Anonymous, 2014-02-17T04:27:56-05:00:

I wonder to myself, could this be used to track a USB device across multiple machines? If so, locating the home location and flagging potential nefarious uses. - Comedyloon

Jason Hale, 2014-02-12T10:15:06-05:00:

Harlan,

Thanks. Log Parser was great for this because of its flexibility and power with Log Parser functions (such as EXTRACT_TOKEN), using wildcards, and assigning dynamic column headers.

H. Carvey, 2014-02-12T06:33:24-05:00:

Jason,

Very cool approach... this is exactly what I do with LogParser to parse Windows Event Logs for inclusion in timelines; I use an event mapping file to prepend an artifact category identifier so that the timeline makes a little better sense.