Type : Tutorial
Level : Medium
O.S : Windows 7 SP1
One day here in China I watched a movie about an advertising company. In that movie there is a competition between two advertising companies, let's say company A and company B. The competition was not fair, because company B paid money (a bribe) to a guy who works in company A (let's say his name is VALENT). VALENT knows that the idea is on his manager's computer (let's say this guy's name is VISHNU), so he sneaks into his manager's room and copies the main idea onto his USB stick. The next week company B launches company A's idea and company A nearly goes bankrupt because of this incident.
Okay, enough of the movie thing 😛 . The first question when this incident happens is "is it possible to view USB history?" (usually this is the job of the computer forensics guy).
The quick answer is yes and no 🙂 …. why? Because there is still only about a 60% chance.
Okay, let's move on to the next stage.
1. Command Prompt
2. Windows PowerShell – there are GUI tools out there you can download, but in this tutorial I will use the default Windows PowerShell.
1. Windows stores information in the registry about every USB device plugged into the box. We can view this information with the following command (see picture below):
2. The /s indicates that I want the command to recurse through the registry, showing all settings under this area. In my output, I first see an indication of the vendor and product information, which is prefixed with "Disk&Ven".
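The screenshot of the command is not reproduced here. The following is an added example (not the original post's screenshot) of the reg query invocation that the /s and "Disk&Ven" description matches. It assumes Windows 7; reg.exe is an external program, so the lines run unchanged from both cmd.exe and PowerShell:

```powershell
# Added example, not the screenshot from the original post. Assumes Windows 7.
# reg.exe is an external program, so these lines work in both cmd.exe and PowerShell.

# Recurse (/s) through USBSTOR: every device-class key (Disk&Ven_...&Prod_...&Rev_...)
# and, under each one, one instance key per physical device, with all of their values.
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s

# The same walk, but only the FriendlyName value of each instance key, which gives a
# short list (for example "SanDisk Cruzer USB Device") per device that was ever plugged in.
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s /v FriendlyName

# Caveat: a device missing from this branch may still have been connected. The keys
# can be removed by a cleanup tool or by hand, which is one reason the post's answer
# is "yes and no" rather than a plain yes.
```

The first command is the one the text describes; the second is the quickest way to get a one-line-per-device view before moving to PowerShell.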
3. That is enough for our first check to confirm there are some USB records. The next step is to open Windows PowerShell. Just type powershell in your command prompt, or if you want the slightly fancier one with the blue background, search your Start menu for PowerShell.
In the command prompt you cannot use <TAB> completion when you access registry paths, but in Windows PowerShell you can (view tutorial), which makes our life easy 🙂 …
4. What if we want to see which kinds of USB devices have been connected to the computer? We can run this command to view them:
Get-ChildItem HKLM:\SYSTEM\ControlSet001\Enum\USBSTOR | Select-Object PSChildname
5. What if we want to make it more readable 🙂 ?
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*' | Select FriendlyName
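To turn the two PowerShell one-liners above into one structured listing, here is an added example script (not from the original post) that walks the same USBSTOR branch and prints device type, vendor, product, revision, serial number and FriendlyName for every device instance. It assumes Windows 7 SP1 with its stock PowerShell 2.0 console, run elevated; the "generated id" heuristic is an assumption about how Windows names devices that report no serial number, not something the post states:

```powershell
# Added example, not from the original post. Lists every USB storage device recorded
# under USBSTOR with its vendor, product, serial number and FriendlyName.
# Assumes Windows 7 SP1 (PowerShell 2.0) and an elevated PowerShell console.
# CurrentControlSet is a link to the control set the machine booted with (usually
# ControlSet001), so the two paths used in the post normally show the same data.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

function Get-UsbStorageHistory {
    Get-ChildItem -Path $usbstor -ErrorAction Stop | ForEach-Object {
        # Device-class key name, e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26 (constructed sample)
        $classKey = $_
        $fields = @{}
        foreach ($part in $classKey.PSChildName -split '&') {
            $pair = $part -split '_', 2
            if ($pair.Count -eq 2) { $fields[$pair[0]] = $pair[1] }
        }
        # One subkey per physical device; its name is the device's USB serial number
        # followed by "&0". Assumption: when a device reports no serial, Windows
        # generates an id that starts with a digit and "&" (e.g. 7&1a2b3c4d&0), so such
        # an entry cannot be tied to one specific stick.
        Get-ChildItem -Path $classKey.PSPath | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            New-Object PSObject -Property @{
                DeviceType   = ($classKey.PSChildName -split '&')[0]
                Vendor       = $fields['Ven']
                Product      = $fields['Prod']
                Revision     = $fields['Rev']
                SerialNumber = $_.PSChildName
                GeneratedId  = [bool]($_.PSChildName -match '^\d&')
                FriendlyName = $props.FriendlyName
            }
        }
    } | Select-Object DeviceType, Vendor, Product, Revision, SerialNumber, GeneratedId, FriendlyName
}

Get-UsbStorageHistory | Sort-Object Vendor, Product | Format-Table -AutoSize
```

Each row is one device that was plugged in at some point; a row with GeneratedId set to True is a device that reported no unique serial, so the registry alone cannot say which physical stick it was. The branch records that a device was connected, not when, and its keys can be deleted, which is why this is evidence to corroborate rather than proof on its own.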
6. For an easier way to view this USB history, you can download the small program USBDeview from NirSoft.
So… maybe now you can catch the traitor inside your company, or think twice about what you are about to do 😛
Hope you found it useful 🙂