🚨 #DFIR Tool Update Alert 🚨
I've updated my script that parses USB connection artifacts from a mounted Windows volume, to include EID 1006 events from the Windows-Partition-Diagnostic log
Includes connect/disconnect times, VSNs & filesystem type
Check it out: https://github.com/khyrenz/parseusbs
I also updated my blog on this tool: https://www.khyrenz.com/post/automated-usb-artefact-parsing-from-the-registry
Side note: while I was researching volume serial numbers & how to parse them, I noticed that some existing tools aren't parsing the whole VSN for NTFS drives (only show 4 of the 8 bytes). I contacted the authors of those tools & some updates are incoming #DFIRTeamwork. In the meantime, if you see a 4-byte VSN for an NTFS drive just be aware you're missing 4 bytes
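To make the 4-vs-8-byte point concrete, here is an added example (my own illustration, not code from the parseusbs project) that pulls the VSN out of raw volume boot record (VBR) bytes, whichever way you obtained them (read from a mounted volume or recovered from an event payload). The boot-sector offsets it uses are the documented ones: NTFS keeps an 8-byte serial at 0x48, FAT32 a 4-byte serial at 0x43, FAT12/16 at 0x27 and exFAT at 0x64. The sample VBRs are constructed in the block, with only the fields the parser reads populated; the `windows_display_vsn` helper shows the familiar XXXX-XXXX form, which is just the low 4 bytes of an NTFS serial and is exactly what a truncating parser hands you.

```python
"""Extract the volume serial number (VSN) from volume boot record bytes.

Added example, not part of the parseusbs project. Demonstrates why an NTFS
VSN is 8 bytes while FAT/exFAT volumes carry a 4-byte VSN, and how a parser
that only reads 4 bytes silently truncates the NTFS value.
"""
import struct


def detect_filesystem(vbr: bytes) -> str:
    """Identify the filesystem from signature strings in the boot sector."""
    oem_id = vbr[3:11]                      # OEM ID, 8 bytes at offset 3
    if oem_id == b"NTFS    ":
        return "NTFS"
    if oem_id == b"EXFAT   ":
        return "exFAT"
    if vbr[0x52:0x5A].startswith(b"FAT32"):  # FAT32 type string at 0x52
        return "FAT32"
    if vbr[0x36:0x3E].startswith(b"FAT"):    # FAT12/FAT16 type string at 0x36
        return "FAT"
    return "unknown"


def parse_vsn(vbr: bytes) -> tuple[str, str]:
    """Return (filesystem, full VSN as upper-case hex), reading the whole field."""
    fs = detect_filesystem(vbr)
    if fs == "NTFS":
        (vsn,) = struct.unpack_from("<Q", vbr, 0x48)   # 8 bytes, little-endian
        return fs, f"{vsn:016X}"
    if fs == "FAT32":
        (vsn,) = struct.unpack_from("<I", vbr, 0x43)   # 4 bytes
        return fs, f"{vsn:08X}"
    if fs == "FAT":
        (vsn,) = struct.unpack_from("<I", vbr, 0x27)   # 4 bytes
        return fs, f"{vsn:08X}"
    if fs == "exFAT":
        (vsn,) = struct.unpack_from("<I", vbr, 0x64)   # 4 bytes
        return fs, f"{vsn:08X}"
    raise ValueError("unrecognised boot sector")


def windows_display_vsn(vsn_hex: str) -> str:
    """The XXXX-XXXX form shown by `vol`/`dir`: only the low 4 bytes of the VSN.

    For NTFS this drops the high 4 bytes, which is the truncation the post
    warns about; for FAT/exFAT the 4-byte value is already the whole VSN.
    """
    low = vsn_hex[-8:]
    return f"{low[:4]}-{low[4:]}"


def build_sample_ntfs_vbr(vsn: int) -> bytes:
    """Constructed NTFS boot sector with just the fields this parser reads."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x52\x90"              # jump instruction
    vbr[3:11] = b"NTFS    "                 # OEM ID
    struct.pack_into("<Q", vbr, 0x48, vsn)  # 8-byte volume serial number
    vbr[510:512] = b"\x55\xAA"              # boot signature
    return bytes(vbr)


def build_sample_fat32_vbr(vsn: int) -> bytes:
    """Constructed FAT32 boot sector with just the fields this parser reads."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x58\x90"
    vbr[3:11] = b"MSWIN4.1"
    struct.pack_into("<I", vbr, 0x43, vsn)  # 4-byte volume serial number
    vbr[0x52:0x5A] = b"FAT32   "            # filesystem type string
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)


if __name__ == "__main__":
    for sample in (build_sample_ntfs_vbr(0x1122334455667788),
                   build_sample_fat32_vbr(0x0A1B2C3D)):
        fs, full = parse_vsn(sample)
        print(f"{fs:6} full VSN: {full}   4-byte display: {windows_display_vsn(full)}")
```

When comparing a VSN from the registry or the Partition/Diagnostic log against one reported by another tool, compare the full 16-hex-digit value for NTFS; a match on only the trailing 8 digits is weaker evidence, since that is the part a truncating parser keeps.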