Many people have asked me the conditions when the
LastRemovalDate property gets populated and why its missing in some cases. I
had run some test cases to determine the conditions and behavior of windows 8
with device insertions and removals earlier and am now documenting the results
here. For those unaware of these timestamps, please read the post here first.
Also because LastRemovalDate is deleted upon subsequent device arrivals, you should never ever see LastRemovalDate that is prior to a LastArrivalDate. If you do, then that probably means the clock on the machine has been altered between insertion and removal of the device!
The table below summarizes activity and behavior of these timestamps.
The dash ( - ) indicates no changes occured, values remain what they were earlier.
Device activity behavior
Whenever a device is plugged into a windows 8 machine, the
LastArrivalDate timestamp gets set (to current date & time). At the same
time, the LastRemovalDate gets deleted (if it was set earlier). Now whenever
the device is removed from the system (when system is running!) that is the
only time the LastRemovalDate will get set (to current date & time).
Windows can detect both a clean eject as well as an unclean direct disconnect
of the device, and in both cases the LastRemovalDate timestamp gets set.
If a device is attached to a system and then the system is
shutdown subsequently with device still attached, then the LastRemovalDate will
NOT get updated! So if you are seeing a missing value for LastRemovalDate, this
is likely what happened, ie, the device was still plugged into the system when
it was shut down. So the windows last shutdown timestamp for that session could
be taken as the LastRemovalDate by an analyst.
Now on subsequent reboot(s), this device timestamp
(LastRemovalDate) will not get updated and it will remain missing, until the
device is seen by windows again and windows witnesses a removal of that device
(as noted above).
However, also note that even if the device is NOT removed
and re-plugged in, windows will still treat it that way when you reboot the
system. So, reboots with a USB disk plugged in will update the LastArrivalDate
as if it had been inserted immediately on boot. This means that if you have a USB disk always
connected to the system and never removed, windows will still update the
LastArrivalDate each time on a reboot.
How this impacts an analysis?
The forensic analyst must be careful
about interpretation here, the LastArrivalDate may not be the last time the
device was physically connected by a user, it may have been there (connected)
for a long time prior! One way to check is compare this with the system boot time. If they are quite close (within a few seconds or a minute), then its probably connected prior to boot, else it was indeed the last time device was physically connected.
Activity / Action
|
LastArrivalDate
|
LastRemovalDate
|
Device Plugged in
|
SET
|
DELETED
|
Device Removed
(Both Clean Eject &
Direct Removal)
|
-
|
SET
|
Machine Shutdown with device still plugged in
|
-
|
-
|
Machine Restarted with device still plugged in (device not
removed and re-attached)
|
SET
|
DELETED
|
No comments:
Post a Comment