Is there a way to find the last-added USB device in Windows (perhaps something like 'dmesg' for Windows)?
I'm plugging the USB device in, and it makes the sound of connection, but when I check Device Manager -- it's not there (where I think it should be), nor is there any notification of malfunctioning devices.
I've tried looking through similar and neighboring categories in Device Manager, but I can't find the thing.
Coldblackice
2 Answers
Try this.
In order to determine the last time the device was connected to the system, we have to navigate to the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
DeviceClasses contains information about the device interfaces on the system. There is a subkey for each device interface class and entries under those subkeys for each instance of an interface that is registered for the device interface class.
Read more info.
Or use USBDeview.
USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used.
stderr
I should have googled a second longer before posting :)
There's a free application called 'USBDeview' that does just this, with the ability to sort on last plug/unplug date.
And if this one didn't work, I was about to next try another free utility called 'USBLogView', which shows USB information for any device that is plugged/unplugged from the system while the utility is open.
I found the device just fine, labeled with a nicely generic 'USB Input Device', rather than the actual product and model name (which appears just fine in USBDeview).
Coldblackice
I have a USB flash drive and I believed someone else may have plugged it in their computer and copied some files.
Using my Mac, how do I know when was the last time my usb flash drive was plugged in?
200_success
gun
5 Answers
The best evidence you could get is to inspect the last access time of the files in question, or perhaps the last access time of the top-level directory on the file system.
But first, a bit of background. A USB flash drive would be treated by the computer much like a disk. The drive (or, more precisely, the main partition within the drive) would be formatted as a filesystem. Most flash media come formatted out of the box with a VFAT filesystem, which is a lowest-common-denominator solution that works with nearly all devices, including OS X, Windows, Linux, and digital cameras. The next most likely alternatives to VFAT would be HFS+ (the native file system of OS X, which Windows doesn't support at all) or NTFS (the native file system of Windows, supported by any version of Windows released this century, but which has just read-only support in OS X, and is rarely supported on digital cameras).
That background is relevant because different filesystems store the last access time differently. I'm going to work with the assumption that your USB stick is formatted with VFAT. This is important because VFAT filesystems only store the last access date, not the time of day. That would be the best evidence you could hope to collect, assuming that everything else goes right.
To see last access dates in the Finder,
- Switch to List view (View → as List (⌘2))
- Show the View Options dialog (View → Show View Options (⌘J))
- Select 'Date Last Opened'
Alternatively, instead of using the Finder, you could use the Terminal to run
to see the Access time of a particular file.
There are some important caveats, though!
First, the act of plugging in the media on your Mac will cause it to be automatically mounted, thus altering the last access time of the top-level directory (and perhaps destroying even more evidence than that). A forensic analysis should require precautions such as mounting the media in read-only mode. Therefore, you would have to suppress the auto-mounting behaviour of OS X, which is not that easy.
Second, your suspected coworker / spy could have taken a similar countermeasure of mounting the media read-only, thus leaving no timestamp as evidence. (There is also no guarantee that the computer that the spy used had its clock set accurately, which would cast doubt on the validity of any timestamp.)
The moral of the story is, if you have any sensitive information to be stored on removable media, encrypt it! The easiest solution would be to use FileVault 2. Note, however, that such encryption would make the USB stick unreadable on any machine other than a Mac.
oa-
200_success
For this, the easiest way consists in installing Disk Arbitrator and configuring it so as to only mount any device as read-only.
The Disk-Arbitrator menu bar icon should switch to red.
Plug in your USB device. There is now no risk that you inadvertently modify any access time on it.
Let's say that your USB device is mounted as suspicious_USB.
Open a Terminal or xterm window.
Let's say that you are sure that you didn't mount your USB device on any computer for the last 20 days.
Within your command line window, run the following commands:
This command will display any file (even hidden ones) that any operating system might have opened within less than 21 days.
The output of this command will display the detailed last access time of any read or simply touched file or folder. For example, this command will show you that a folder was simply opened. This command will show you that Spotlight ran on your USB key.
If you find anything, you will know when your USB was read.
If our suspected colleague or attacker is skilled enough to read this document and to understand how to use it, he might have mounted your USB device read-only too. Hence he would have left it clean of any access time modification.
In this case I have absolutely no method to show that some file was read on your USB device :(.
daniel Azuelos
- Open your Console
- Select system.log
- Type in the following query in the search pane (upper right hand corner): USBMSC
- You will see something like
kernel: USBMSC Identifier (then an alphanumeric string indicating the USB bus address)
- The date and time is shown as well. This will let you know the last time(s) a device was connected to a particular USB bus.
njboot
For 'any USB device' this is certainly not possible, as the standard is for communication.
For USB flash drives, you might try checking access dates of the individual files (don't count on it, often not used anyway, and your own check may overwrite the dates if you're not careful), or the presence of files you know neither you nor your computer could have put there (like thumbs.db or RECYCLED for Windows, .DS_Store or .Trashes for Mac).
There is little point in having this feature, in a typical consumer product. Even if it were stored in the device's firmware, it would still be dependent on the host computer's clock.
kaay
Use Belarc Advisor.. run it with Admin privileges.. when report is finished search for USB Storage Use in past 30 Days.. there you can see type of USB and when last used..
BioStat
I need to check the list of files accessed in my computer (ex: yesterday on particular time). Is it possible?
Or
I need to check whether anybody accessed my computer (when I left it unlocked) or not for a particular time.
Zanna
sudhan89
2 Answers
I assume that you don't think that your computer has been totally compromised (to check who has been running sudo commands see /var/log/auth.log).
It is possible to quickly find files not owned by your user in your home folder and also at what time any files were accessed by using the find command (use -type f for files and -type d for directories). For the following examples, I assume that you are running from the top level of your home folder (just enter cd to get to it), and that you do not want to search the files in the root directory.
1) To find all files NOT owned by your logged on user in your home folder, type:
1.1) To find all files that do not belong to any legitimate user (they should not exist), type:
2) As files on the system have three timestamps called mtime (file modification time), ctime (inode change time and permissions), and atime (file access time), these can be queried to find out how files have been modified. It is often debated which of these are the best to use, but probably the best way to find out when files were accessed or modified is to use the find command to search atime and mtime, with which you specify days ago, and the additional find options amin and mmin, with which you specify minutes ago. For each of these commands, the same command switches are used: for example, -atime 1 will match those files that were accessed exactly 1 day ago; to specify more or less than, append a + or a - respectively. The examples below may clarify all this (specify -type d for directories):
3) To combine my approaches so far, you could enter the following commands from your home folder:
- Search for files in your home directory that are not owned by $USER and that were last accessed less than two days ago.
find ~ -type f -atime -2 ! -user $USER
- Search for files in your home directory that are not owned by $USER and that were last modified less than two days ago.
find ~ -type f -mtime -2 ! -user $USER
user76204
If your computer were to have been locked, then you could check the auth log which notes each login and unlocking event with a date and time.
There is no direct way to know if someone was accessing an unlocked computer, without having a special program installed to track activity. But indirect information can be used to infer access.
Browser history for instance will often tell you what time websites were accessed. Also gnome's recently accessed files will show opened files. You can get to this by going to Unity's Dash Menu and click expand on the recently used files section:
If you need a more definitive list (including files accessed by non-gnome programs) then we would need to write a short script to detect all files with access or write times between the suspected range. Perhaps someone already has written this but I've never heard of it.
Martin Owens -doctormo-
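The "short script" mentioned in the last answer, which also covers the earlier suggestion to look for files read on a read-only-mounted USB volume in the last N days, could look like the following. This is an added example, not code from any of the posters; it assumes GNU findutils and util-linux `findmnt`, and the function names `atime_policy` and `files_in_window` are made up for illustration.

```bash
#!/bin/sh
# Added example, not from the original answers.
# Usage: ./window.sh DIR "2024-01-10 00:00" "2024-01-11 00:00"

# atime_policy DIR
#   Reports how the filesystem holding DIR records access times:
#   noatime     - reads never update atime, so no "accessed" evidence exists
#   relatime    - atime is refreshed only if it is older than mtime/ctime
#                 or more than 24 hours old (usual Linux default)
#   strictatime - every read updates atime
atime_policy() {
    opts=$(findmnt -n -o OPTIONS -T "$1" 2>/dev/null) || { echo unknown; return 0; }
    case ",$opts," in
        *,noatime,*)  echo noatime ;;
        *,relatime,*) echo relatime ;;
        *)            echo strictatime ;;
    esac
}

# files_in_window DIR START END
#   START and END are local-time date strings. Prints one tab-separated line
#   per regular file whose atime and/or mtime lies in (START, END]:
#   reason, atime, mtime, path. Output is sorted by atime.
files_in_window() {
    fw_dir=$1; fw_start=$2; fw_end=$3
    fw_fmt='\t%A+\t%T+\t%p\n'
    # find only stats the files, so running it does not alter their atime.
    find "$fw_dir" -xdev -type f \( \
        \( -newerat "$fw_start" ! -newerat "$fw_end" \
           -newermt "$fw_start" ! -newermt "$fw_end" -printf "both$fw_fmt" \) -o \
        \( -newerat "$fw_start" ! -newerat "$fw_end" -printf "accessed$fw_fmt" \) -o \
        \( -newermt "$fw_start" ! -newermt "$fw_end" -printf "modified$fw_fmt" \) \
    \) | sort -t "$(printf '\t')" -k2,2
}

# Run only when called with the three arguments shown in the usage line.
if [ "$#" -eq 3 ]; then
    echo "atime policy for $1: $(atime_policy "$1")" >&2
    files_in_window "$1" "$2" "$3"
fi
```

An empty result on a `noatime` or `relatime` filesystem does not show that nothing was read, only that no timestamp recorded it.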