1
Tracking USB Devices – Windows 7
Colin Cree EFS e-Forensic Services Inc.
2
USB storage devices
Large capacity. Cheap. Plug & play. Easy to carry / conceal. Convenient. Availability of portable apps.
3
USB storage devices
4 GB Thumb drives are selling presently for as little as $ GB models are selling presently for as little as $19.99
4
USB Drives have been used for:
Storing illicit data. Theft of proprietary data. Distribution of malware. Running applications. The popularity and usefulness of USB storage has led to wide usage and consequently to the need to investigate such usage.
5
Analysis of USB storage devices involves:
Identification. Attribution. Investigations of USB devices will often involve: Identification – identifying that a USB device was used on a system, describing the USB device and its properties, and creating a timeline of its usage. Attribution – trying to attribute its use to a specific user. This presentation will provide the investigator with the knowledge required to accurately identify USB artifacts on a Windows system and investigate USB storage devices.
6
Identifying USB storage devices. Tracking USB storage devices on Windows 7. Collecting artifacts to identify an unknown device. Determining the usage of a known USB storage device. Scenarios I have seen over the years, beyond simply analyzing the content on a USB key, include: identifying the attributes of a found USB storage device; identifying that a USB storage device was used on a computer and detailing the artifacts of the device; providing a timeline related to the use of a USB storage device; identifying the computers that a known USB storage device has been used on.
7
Processing an unknown USB storage device.
How do we sufficiently identify a USB storage key?
8
Processing USB storage devices.
Record what you see. Collect firmware information. Record volume information.
9
Take photographs and good notes.
One black and red external USB storage drive, Make: "Buffalo", Model: HD-PE500U2, Serial: . In all aspects of investigative work, recording everything you see and do is critical. I have seen and experienced myself the effects of poor record keeping on the outcome of a case. Good record keeping starts with taking notes and pictures that adequately describe the item or scene you are working with. At the beginning of an investigation it is very difficult to determine which little piece of information may become critical to a positive outcome. Is there a difference between "the USB storage device was found during the search of the family computer desk……" and "the USB storage device was found in the bottom left drawer of the family computer desk. The drawer was locked and Mr. Smith had the only key…."? As basic as this sounds, I have seen many glaring examples of inadequate notes that not only fail to provide adequate information in a hearing but may cause the court to give less weight to the officer's overall testimony. Always take good notes.
10
Collection of USB storage device firmware fields
11
Collect Firmware Information
iSerialNumber, idVendor, idProduct, iManufacturer, iProduct. The firmware of the USB device can provide information that uniquely identifies the device, including an iSerialNumber that is unique to the device. Not all USB storage devices have iSerialNumbers, although it is becoming rare for them not to. These fields are used to populate identifiers for the USB device in the Windows registry when the USB storage device is inserted. Investigators can use this iSerialNumber to confirm that a known device was inserted in a system, or gather identifiers for unknown USB devices from a system.
12
Use Hardware or software write blocking
Write blocking. The golden rule in examining any evidence is to preserve its condition. The steps you take to collect the firmware information need to be designed to have the least impact on the media. This is accomplished through write blocking: software and hardware write blocking prevent operating systems and applications from writing any data to the blocked media. U3 devices – I have had issues using hardware write blockers with these devices. With U3 devices a system partition is first mounted as a CD, and only then is the storage partition accessible. Hardware write blockers appear to interfere with this process, rendering the device inaccessible. It may not be readily apparent that you are dealing with a U3 USB storage device, so if you are unable to image a USB storage device through a hardware write blocker, always try a software write blocker. The picture displays a Wiebetech USB write blocker, which comes with software to read the firmware fields from the device. At the time of writing this device will not process U3 USB storage devices.
13
Use Hardware or Software Write Blocking
The Tableau Forensic USB Bridge is displayed here. It has a menu button that lets you page through the firmware settings of the attached USB device; the iSerial number is seen here. At the time of writing this device was unable to process a U3 USB storage device.
14
Write Blocking – Windows Registry
HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies. Write protect off: "WriteProtect"=dword: . Write protect on: "WriteProtect"=dword: . To write block all USB attached devices through the Windows registry, use Regedit to navigate to HKLM\SYSTEM\CurrentControlSet\Control, locate or create the "StorageDevicePolicies" key, and set the "WriteProtect" value to turn on USB write protection. As this is a software write block dependent on a registry entry, it is advisable to test that the entry has been applied using a test USB storage drive. Be aware that all USB storage devices will be write protected; therefore, if you are imaging the USB device, plan ahead to have internal or network storage available, as you will be unable to image to USB attached storage.
15
Write Blocking – Fastbloc SE
Three modes: Write Protected, Write Blocked, None. EnCase includes Fastbloc SE, a software-based write blocker. Fastbloc SE is initiated from the Tools menu. It has three modes: Write Protected – Windows sees the device as write protected and any attempt to write to it results in errors. Write Blocked – Fastbloc intercepts the traffic from the plugged-in device; writes to the drive are cached locally and do not make any changes to the drive. None – no write protection; used for restoring a disk through Fastbloc SE, which allows direct access to the disk.
16
Disable Autoplay
Run GPEDIT.MSC and navigate to Computer Configuration\Administrative Templates\Windows Components\AutoPlay Policies. Double-click "Turn off Autoplay", select Enabled and apply. USB devices can contain applications set to autorun, and a number of malware utilities are capable of running from a USB device. Before inserting an unknown USB device in a Windows system you should ensure that autorun is turned off. Pre-Vista: GPEDIT.MSC, Administrative Templates\System, "Turn off Autoplay" – set to Enabled. Administrative Templates\System\Removable Storage Access – under this setting you can deny reading or writing on removable disks.
17
Microsoft’s USB Device Viewer
Usbview.exe. Microsoft's USB Device Viewer enumerates all USB devices and provides access to the USB storage device's firmware. A version for Linux is available from this site as well.
18
Microsoft’s USB Device Viewer
The fields of interest are: idVendor – a number assigned to identify the vendor, e.g. "0411". idProduct – a number assigned to this product/model, e.g. "0157". iManufacturer – friendly description of the manufacturer, e.g. "Buffalo". iProduct – friendly description of the product, e.g. "HD-PEU2". iSerialNumber – a unique serial number for the device.
19
Wiebetech has a device information viewer it distributes with its hardware write blocker.
20
Record Volume serial number
Volume Boot Record. FAT32 – offset 67, 4 bytes. NTFS – offset 72, 8 bytes. FAT16 – offset 39, 4 bytes. The Volume Boot Record (VBR) contains a volume serial number. On FAT32 volumes it is found at offset 67 and is 4 bytes in length. The data is recorded little endian, that is to say least significant byte first, so the bytes have to be reversed when reported. In the example we see the bytes 3F which indicate a volume serial number of f . On NTFS volumes the serial number is found at offset 72 and is 8 bytes in length; again the bytes are stored little endian and need to be read right to left. The value in recording the volume serial number is that the operating system often uses it to reference the volume, so it may be found on the operating system, confirming that the volume was mounted. The volume serial number is often found in link files and prefetch entries for applications launched from the USB flash drive. Volume serial numbers can be obtained manually by examining the appropriate offsets within the VBR, or EnCase can be used to automate the process: at the Entries tab highlight the volume (C) in the table pane and switch the view pane to Report view, and EnCase will interpret the VBR information for you. To bookmark volume information you can also select the volume in the tree pane, right-click and select "Bookmark Folder Structure", then activate the selection box for "Include Device Information".
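The VBR offsets above can be applied programmatically. The following Python is an added example (not part of the presentation or of any tool it names): it identifies the filesystem from the VBR signature strings, reads the serial at the offset the slide gives for that filesystem, reverses the little-endian bytes into the hex string an examiner reports, and converts it to the decimal form the later EMDMgmt slides show. The sector it parses is constructed inside the script, with the C61C3E89 serial from the slides placed at the FAT16 offset; make_vbr and the other function names are my own.

```python
# Volume serial number location in the Volume Boot Record (VBR), per the slide:
# filesystem -> (offset, length). All values are stored little-endian on disk.
SERIAL_LAYOUT = {
    "FAT16": (39, 4),
    "FAT32": (67, 4),
    "NTFS": (72, 8),
}


def detect_filesystem(vbr: bytes) -> str:
    """Identify the filesystem from the fixed signature strings in the VBR.

    NTFS carries "NTFS    " as its OEM ID at offset 3; FAT32 and FAT16 carry
    their filesystem type string at offsets 82 and 54 respectively.
    """
    if vbr[3:11] == b"NTFS    ":
        return "NTFS"
    if vbr[82:90] == b"FAT32   ":
        return "FAT32"
    if vbr[54:62] == b"FAT16   ":
        return "FAT16"
    raise ValueError("no NTFS/FAT32/FAT16 signature found in VBR")


def volume_serial(vbr: bytes) -> str:
    """Return the volume serial number as the hex string an examiner reports.

    The on-disk bytes are little-endian (least significant byte first), so the
    byte run 89 3E 1C C6 at the FAT16 offset is reported as C61C3E89.
    """
    if len(vbr) < 512:
        raise ValueError("VBR must be at least one 512-byte sector")
    offset, length = SERIAL_LAYOUT[detect_filesystem(vbr)]
    value = int.from_bytes(vbr[offset:offset + length], "little")
    return f"{value:0{length * 2}X}"


def serial_to_decimal(hex_serial: str) -> int:
    """Hex volume serial -> decimal, the form the EMDMgmt registry key uses."""
    return int(hex_serial, 16)


def make_vbr(fs: str, hex_serial: str, label: bytes = b"VOL_LABEL") -> bytes:
    """Build a constructed, minimal VBR of the given type (test data only).

    Only the fields this script reads are filled in; the sector is not
    bootable or mountable, it just has the layout the parser above expects.
    """
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x3C\x90"          # jump instruction
    vbr[510:512] = b"\x55\xAA"          # boot sector signature
    offset, length = SERIAL_LAYOUT[fs]
    vbr[offset:offset + length] = int(hex_serial, 16).to_bytes(length, "little")
    if fs == "NTFS":
        vbr[3:11] = b"NTFS    "
    elif fs == "FAT32":
        vbr[3:11] = b"MSDOS5.0"
        vbr[71:82] = label.ljust(11)[:11]   # FAT32 volume label field
        vbr[82:90] = b"FAT32   "
    else:
        vbr[3:11] = b"MSDOS5.0"
        vbr[43:54] = label.ljust(11)[:11]   # FAT16 volume label field
        vbr[54:62] = b"FAT16   "
    return bytes(vbr)


# Constructed FAT16 VBR carrying the serial the EMDMgmt slides show.
FAT16_VBR = make_vbr("FAT16", "C61C3E89")

if __name__ == "__main__":
    hex_sn = volume_serial(FAT16_VBR)
    print(detect_filesystem(FAT16_VBR), hex_sn, serial_to_decimal(hex_sn))
```

On a real image you would pass the first 512 bytes of the volume (not of the physical disk, which starts with the MBR) to volume_serial; the decimal form is what you will later match against EMDMgmt key names.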
21
Summary
Photograph and take notes. Turn off autorun on the examining system. Write block and insert the storage device. Collect firmware information. Collect the volume serial number. To summarize, we have: photographed and made notes describing the device; collected the firmware information from the device uniquely identifying it, including the iSerial number, manufacturer identifiers and product model identifiers; recorded the volume serial number assigned to the volume contained on the device. Depending on the circumstances, processing a USB storage device would also include creating a forensic image of its contents.
22
Windows 7 USB artifacts
It is important to note that these artifacts are behaviors that I observed during testing. Updates to Windows 7, or the actions of applications on any Windows platform, have the potential to change the behavior. TEST TEST TEST….
23
Two scenarios: determining usage of a known USB storage device on a computer system or systems; collecting identifiers of an unknown USB storage device from a computer system. There are two general scenarios that may result in the need to track a USB storage key's usage on computer systems. You may have an identified storage key in hand and need to know if it was used on a computer system or network. Or you may have a computer incident that results in the need to identify whether a USB storage key was in use and, if so, to collect artifacts to assist in identifying the USB key.
24
Artifacts: WinXP, Vista, Win7
Setupapi.log. Restore points. System registry hive. Current user registry hive. Link files, MRU lists, prefetch. $LogFile, pagefile, unallocated. Setupapi.dev.log. Event logs, Volume Shadow. There are a number of operating system artifacts created by the insertion and use of USB storage in a Windows system, with some differences dependent on the version of Windows you are examining. In the slide, artifacts listed within the blue rectangle exist on Windows XP systems, while those listed within the red rectangle exist on a Windows Vista or Windows 7 system.
25
HKEY_LOCAL_MACHINE (HKLM)
DeviceClasses. USB. USBSTOR. STORAGE\Volume. WpdBusEnumRoot\UMB. When a USB key is inserted in a Windows system, entries are created within the current control set of the SYSTEM registry hive at Enum\USB and Enum\USBSTOR; the parameters Windows requires to mount and use the device are stored here. The MountedDevices key will also contain two entries for the device: one listing the drive letter the device was assigned and one listing the device's volume GUID. Entries related to the USB device will also appear below {CurrentControlSet}\Control\DeviceClasses, {CurrentControlSet}\Enum\STORAGE\Volume and {CurrentControlSet}\Enum\WpdBusEnumRoot\UMB.
26
HKLM\System\{CurrentControlSet}\Enum\USBSTOR
The ENUM subkey contains a database of all the devices recognized by Windows. The USBSTOR subkey contains a list of all the USB mass storage devices connected to the system, including USB keys, USB portable hard disks, cameras, iPods etc.
27
HKLM\System\{CurrentControlSet}\Enum\USBSTOR
HKLM\SYSTEM\{Current Control Set}\Enum\USBSTOR. The USBSTOR key will only list USB storage devices. Devices are listed by a device class ID related to their iManufacturer and iProduct. Each individual USB storage device is represented by a Unique Instance ID comprised of the device's iSerial number with "&#" appended. If a device does not have an iSerialNumber then Windows will create an identifier for it in the format of 12 characters with an "&" in the 2nd and 11th positions, e.g. "7&34a82c26&0".
28
HKLM\System\{CurrentControlSet}\Enum\USBSTOR
Last written times: time the last USB device of this class was first inserted; an insertion date; first insertion date. Windows registry keys have last written dates. The following behaviors were noted during the testing I performed. The USBSTOR key structure is very similar to the USB key structure, but when it comes to the date values there can be a difference in the values recorded for the device's unique identifier in Windows 7 and Vista. The last written time of the Device Class ID reflects the time the last unique device of this class inserted in the system was first inserted. The last written time of the Unique Instance ID may reflect the time the device was first inserted, last inserted, or an insertion somewhere in between. The last written time of the Device Parameters, Properties and LogConf subkeys indicates the first time the device was added to the system.
29
USBSTOR – ParentIdPrefix (Windows XP and earlier)
Unique identifier assigned to the device. Windows 7 and Vista use the unique identifier listed for the device in USBSTOR, essentially the device's iSerial number with "&{#}" appended. On Windows XP systems, the USBSTOR entry for each USB storage device has a value "ParentIdPrefix"; this value was used as the unique identifier.
30
HKLM\System\{CurrentControlSet}\Enum\USB
The ENUM subkey contains a database of all the devices recognized by Windows. The USB subkey contains a list of all the USB devices connected to the system.
31
HKLM\SYSTEM\{Current Control Set}\Enum\USB
HKLM\SYSTEM\{Current Control Set}\Enum\USB. When a USB device is added to the system, Windows queries the device's firmware, gathering sufficient information to classify the device and load the appropriate drivers. An entry is created to represent the type of device added to the system. It takes the form "Vid_{idVendor#}&Pid_{idProduct#}"; the values in curly brackets are obtained from, in this case, the firmware of the USB flash drive. Essentially the entry indicates a class of device based on vendor and product. A subkey is created using the iSerialNumber from the firmware, which uniquely identifies the specific USB device. An iSerialNumber is optional although almost always present. If a device does not have an iSerialNumber then Windows will create an identifier for it in the format of 12 characters with an "&" in the 2nd and 11th positions, e.g. "7&34a82c26&0". From the entries populating the USB subkey you can determine the vendor, product and serial number of a USB storage drive that had been attached to the system. Should a second USB flash drive of the same make and model be connected to the computer, another entry would appear below the class ID entry, again reflecting the iSerial number of the USB flash drive plugged in. While this location is of value, it will contain entries for all USB devices connected to the system.
32
HKLM\SYSTEM\{Current Control Set}\Enum\USB
Last written times: time the last USB device of this class was first inserted; Win7 – last insertion (Vista & XP – time of an insertion); first insertion date. Windows registry keys have last written dates. The following behaviors were noted during the testing I performed. "VID_1307&PID_0163" – essentially a class identifier. This entry is specific to a make and model of USB device, a class ID. Its last written date reflects the time that the last USB device of that make and model was FIRST inserted into the computer; the last written date does not update if you repeatedly insert the same USB flash drive. " " – a unique device ID. This entry represents a unique USB flash drive. In Windows 7 its last written value reflects the last time the device was inserted. In earlier versions of Windows this value did not update consistently on every insert and therefore supplied an insertion time, not necessarily the last one. For example: (WinXP) when USB devices were inserted repeatedly without a reboot in between insertions, the last written date did not update on insertion; when insertions were separated by a reboot, the last written time for this key updated to reflect the time of the first insertion after the reboot. (Vista) Vista records the USB port that the USB device was inserted into under the value "LocationInformation", which populates below the device's unique ID; this causes the last written date to be updated. Subkeys Device Parameters, LogConf and Properties: in my testing these have consistently held the first insertion date of the device. This value can be corroborated with Setupapi.dev.log and other locations in the registry.
33
Summary USB/USBSTOR
Vendor ID, Product ID, iSerial number, Manufacturer, Product. From a review of the contents of the USB and USBSTOR keys we can collect enough artifacts to uniquely identify a USB storage device that was connected to the system.
34
Summary USB/USBSTOR Insertion Dates
First insert = last written of LogConf and Device Parameters. Last insert = device's unique identifier under the USB key. Other interim insertion dates possible (device's unique identifier under the USBSTOR key). Reviewing the contents of the USB and USBSTOR keys on a Windows 7 system can allow us to identify the first and last time a specific device was inserted in the system. On occasion we will also be able to identify an interim date indicating an insertion after a reboot. On previous versions of Windows the only consistent date value was the first insertion date, as per the subkeys of the unique device ID; the unique ID for the device appearing under both the USB and USBSTOR keys does not consistently display a last insert date but can only be said to display an insertion date.
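To show the USB/USBSTOR rules from the last several slides in working form, here is an added Python example (mine, not the presenter's). parse_usb_path and parse_usbstor_path split Enum\USB and Enum\USBSTOR device instance paths into vendor/product IDs, manufacturer, product, revision and iSerial, applying the slide's 12-character rule to recognise a Windows-generated ID for a device without an iSerialNumber; insertion_dates applies the last-written rules (first insert from the Device Parameters/LogConf/Properties subkeys, last insert from the Enum\USB unique ID on Windows 7 only, an unspecified insertion from the USBSTOR unique ID). The device paths, the serial 0123456789AB and the timestamps are constructed for the example.

```python
import re

# Device instance paths as they appear beneath HKLM\SYSTEM\{CurrentControlSet}\Enum.
USB_PATH_RE = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})\\(?P<instance>[^\\]+)$")
USBSTOR_PATH_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<ven>[^&\\]*)&Prod_(?P<prod>[^&\\]*)&Rev_(?P<rev>[^\\]*)"
    r"\\(?P<instance>[^\\]+)$")


def is_windows_generated_id(instance: str) -> bool:
    """Slide rule: with no iSerialNumber, Windows builds a 12-character ID with
    '&' in the 2nd and 11th positions, e.g. 7&34a82c26&0."""
    return len(instance) == 12 and instance[1] == "&" and instance[10] == "&"


def parse_usb_path(path: str) -> dict:
    """Split an Enum\\USB path into vendor ID, product ID and iSerial."""
    m = USB_PATH_RE.match(path)
    if not m:
        raise ValueError(f"not an Enum\\USB device path: {path}")
    inst = m["instance"]
    return {"vid": m["vid"].upper(), "pid": m["pid"].upper(), "instance_id": inst,
            "iserial": None if is_windows_generated_id(inst) else inst}


def parse_usbstor_path(path: str) -> dict:
    """Split an Enum\\USBSTOR path; the Unique Instance ID is iSerial + '&<n>'."""
    m = USBSTOR_PATH_RE.match(path)
    if not m:
        raise ValueError(f"not an Enum\\USBSTOR device path: {path}")
    inst = m["instance"]
    iserial = None
    if not is_windows_generated_id(inst):
        iserial = inst.rsplit("&", 1)[0]
    return {"manufacturer": m["ven"], "product": m["prod"], "revision": m["rev"],
            "instance_id": inst, "iserial": iserial}


DATE_SUBKEYS = ("Device Parameters", "LogConf", "Properties")


def insertion_dates(last_written: dict, windows_version: str) -> dict:
    """Apply the slides' last-written rules to a snapshot of one device's keys.

    last_written maps a key, relative to the device's unique ID, to its last
    written time: "USB" is the unique ID key under Enum\\USB\\VID_&PID_,
    "USBSTOR" the Unique Instance ID key under Enum\\USBSTOR, and
    "USB\\LogConf" etc. are their subkeys. Times can be any comparable type.
    """
    firsts = [ts for key, ts in last_written.items()
              if any(key.endswith("\\" + sub) for sub in DATE_SUBKEYS)]
    result = {"first_insertion": min(firsts) if firsts else None,
              "last_insertion": None, "other_insertions": []}
    usb_ts = last_written.get("USB")
    if usb_ts is not None:
        if windows_version == "7":
            result["last_insertion"] = usb_ts            # Win7: updates on every insert
        else:
            result["other_insertions"].append(usb_ts)    # Vista/XP: an insertion, not necessarily the last
    usbstor_ts = last_written.get("USBSTOR")
    if usbstor_ts is not None:
        result["other_insertions"].append(usbstor_ts)    # first, last or somewhere in between
    return result


# Constructed sample: serial 0123456789AB is invented; timestamps are ISO strings.
SAMPLE_USB_PATH = r"USB\VID_1307&PID_0163\0123456789AB"
SAMPLE_USBSTOR_PATH = r"USBSTOR\Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07\0123456789AB&0"
SAMPLE_LAST_WRITTEN = {
    "USB": "2009-10-25T07:10:46",
    "USB\\Device Parameters": "2009-09-20T14:02:11",
    "USB\\LogConf": "2009-09-20T14:02:11",
    "USBSTOR": "2009-10-01T09:30:00",
    "USBSTOR\\Device Parameters": "2009-09-20T14:02:11",
}

if __name__ == "__main__":
    print(parse_usb_path(SAMPLE_USB_PATH))
    print(parse_usbstor_path(SAMPLE_USBSTOR_PATH))
    print(insertion_dates(SAMPLE_LAST_WRITTEN, "7"))
```

The same snapshot interpreted as "XP" yields no last insertion at all, only a first insertion and two undated-order insertions, which is exactly the caveat the summary slide makes about earlier Windows versions.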
35
HKLM\SYSTEM\{CurrentControlSet}\Enum\Storage\Volume
An insertion date. First insertion date. Windows registry keys have last written dates. The following behaviors were noted during the testing I performed. The Storage\Volume key holds an entry for each volume mounted on the system. In the case of USB attached removable media, the entry contains the device's unique identifier as recorded in the USBSTOR key. The dates at this location appear to track along with the dates in the USBSTOR key. This location may be helpful in tracking USB attached hard disks that contain more than one volume.
36
HKLM\SYSTEM\{CurrentControlSet}\Enum\WpdBusEnumRoot\UMB
"Friendly Name": volume label or drive letter. WpdBusEnumRoot\UMB contains data related to the attached USB key of interest. If the device has a volume label then the value "Friendly Name" may contain it; in the absence of a volume label this value will reflect the drive letter assignment. Further testing is required to establish when or if this information is updated on subsequent insertions. The last written date on Device Parameters is updated on each insertion of the USB key.
37
HKLM\System\{CurrentControlSet}\Control\DeviceClasses
The following device class GUIDs can contain information relative to the USB device: {a5dcbf d2-901f-00c04fb951ed}, {53f56307-b6bf-11d0-94f2-00a0c91efb8b}, {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, {6ac27878-a6fa-4155-ba85-f98f491d4f33}, {f33fdc04-d1ac-4e8e-9a30-19bbd4b108ae}, {10497b1b-ba51-44e a65c837b6661}. This material is included to completely cover the artifacts. These four GUIDs will contain children representing each USB storage device plugged into the system. In some cases the unique device identifier as listed under system\{current control set}\enum\USB\{device class id}\ will be used, i.e. the device serial number, for example: ##?#USB#Vid_1307&Pid_0163# #{a5dcbf d2-901f-00c04fb951ed}. In other cases the subkey will contain the unique device ID found under system\{current control set}\enum\USBSTOR\{device class id}\, for example: ##?#USBSTOR#Disk&Ven_&Prod_&Rev_0.00# &0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}. In earlier versions of Windows, entries will contain the ParentIdPrefix of the device, for example: ##?#STORAGE#RemovableMedia#7&1b41f81&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}. The last written dates of the first 5 keys follow the same pattern as we have already seen for the USBSTOR unique device ID entries: the dates will reflect either the initial insert or the first insertion after a system boot. No new information is found here, only confirmation. The device-related subkey at DeviceClasses {10497b1b-ba51-44e a65c837b6661}, during my limited testing in Win7, retains the first insertion date as its last written value.
38
HKLM\System\MountedDevices
Maps storage media to drive letters and volume GUIDs. On Vista and Windows 7, USB devices are mapped using the unique identifier from the USBSTOR subkeys; on XP the ParentIdPrefix value is used to map USB drives to a drive letter and volume GUID. Volume GUIDs survive even when a drive letter is reassigned. The MountedDevices registry key lists all the storage devices attached to the system, mapping them to an assigned drive letter and a volume GUID. Windows XP – the ParentIdPrefix value listed for the device in USBSTOR is used to map the device to a drive letter and a volume GUID. Vista, Win7 – the Unique Instance ID listed for the device in USBSTOR (iSerial + "&{#}") is used to map the device to a drive letter and volume GUID. Windows commonly reuses a drive letter when it is available: if you plug a USB key in, later remove it and plug in another, it is likely the two keys will have been assigned the same drive letter. The volume GUID entry, for example "\??\Volume{69cfabcd-3bca-11de-8eab-806d f}", survives after the key is removed and still relates the GUID to the ParentIdPrefix or Unique Instance ID in USBSTOR. With a bit of extra work it may still be possible to link the physical USB key to a drive letter. The volume GUID is necessary during examination of the NTUSER.DAT files for further evidence related to the USB storage device.
39
HKLM\System\MountedDevices
Unique ID from USBSTOR in the mapping to a drive letter. In the illustration we see a MountedDevices entry for the drive letter H: with the unique identifier of a USB key in the value.
40
HKLM\System\MountedDevices
Unique ID from USBSTOR in the mapping to a volume GUID. In the illustration we see a MountedDevices entry for the volume GUID 75489d8a-a5a6-11de-aa2d-0024e829c6bd with the unique identifier of a USB key in the value.
41
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K &0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_ . Last write = first insertion date. EMDMgmt is a subkey that stores information related to the ReadyBoost functionality in Windows. ReadyBoost allows you to use a USB storage device as system memory, increasing the physical memory available. The key found here contains the device class identifier (red) and the USB device's unique identifier (yellow) as found in the USBSTOR key. In addition the key may or may not contain a volume label from the device (pink), and will contain the volume serial number as found in the device's Volume Boot Record, expressed as a decimal value. In the tests I performed, the last write time attached to this key did not update with re-insertions and therefore records the first insertion. Thanks to Brad Reninger, whose post led me to this key.
42
Vol SN C61C3E89 = Decimal 3323739785
On the previous slide we saw that the EMDMgmt key indicated that a USB drive had been plugged in that had the volume label "VOL_LABEL" and the volume serial number expressed as a decimal value. In this slide we see the FAT16 Volume Boot Record of the USB key. Setting the Windows calculator to Programmer view converts hex to decimal or decimal to hex, and shows the relationship C61C3E89 = 3323739785.
43
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K &0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_ and _??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K &0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}NEW_LABEL_ : you find two entries under EMDMgmt as shown in this slide. What happened? Should a USB key be reformatted and then re-inserted, a new entry appears below the EMDMgmt key showing the new information; the old entry is not deleted. Therefore you have a record of previous volume information for a USB device. Of the artifacts examined, this is the only one that clearly shows a reformat of a USB drive.
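An added Python example (not from the slides or from Woanware's tool) that parses EMDMgmt key names and detects the reformat this slide describes. It assumes the decimal volume serial always follows the last underscore in the key name, as the slides show it; the instance ID 0123456789AB&0 is constructed, and the decimal serials 3323739785 and 2800047353 are computed from the hex serials C61C3E89 and A6E554F9 that appear on these slides.

```python
import re
from collections import defaultdict

# Key names beneath HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt, laid out
# as the slides describe: device class id, unique instance id, interface GUID, an
# optional volume label, then the volume serial as a decimal number.
# Assumption: the decimal serial always follows the final '_' of the name.
EMD_RE = re.compile(
    r"^_\?\?_USBSTOR#Disk&Ven_(?P<ven>[^&#]*)&Prod_(?P<prod>[^&#]*)&Rev_(?P<rev>[^#]*)"
    r"#(?P<instance>[^#]+)#\{(?P<guid>[0-9a-fA-F-]{36})\}(?P<label>.*)_(?P<serial>\d+)$")


def parse_emdmgmt_key(name: str) -> dict:
    """Split one EMDMgmt key name into its device and volume fields."""
    m = EMD_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised EMDMgmt key name: {name}")
    dec = int(m["serial"])
    return {
        "manufacturer": m["ven"], "product": m["prod"], "revision": m["rev"],
        "instance_id": m["instance"], "interface_guid": m["guid"].lower(),
        "volume_label": m["label"] or None,
        "volume_serial_dec": dec,
        "volume_serial_hex": f"{dec:08X}",   # same value the VBR shows
    }


def find_reformats(keys: dict) -> dict:
    """keys: EMDMgmt key name -> last written time (first insertion with that
    volume info, per the slides). Returns instance_id -> volume records in time
    order, only for devices with more than one record, i.e. a reformat happened
    between consecutive records' first_seen times."""
    by_device = defaultdict(list)
    for name, seen in keys.items():
        rec = parse_emdmgmt_key(name)
        rec["first_seen"] = seen
        by_device[rec["instance_id"]].append(rec)
    return {dev: sorted(recs, key=lambda r: r["first_seen"])
            for dev, recs in by_device.items() if len(recs) > 1}


# Constructed sample keys: instance 0123456789AB&0 is invented; the decimal serials
# are 0xC61C3E89 and 0xA6E554F9, the hex values reported on the slides.
GUID = "53f56307-b6bf-11d0-94f2-00a0c91efb8b"
PREFIX = "_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#0123456789AB&0#{" + GUID + "}"
SAMPLE_KEYS = {
    PREFIX + "VOL_LABEL_3323739785": "2012-04-23T17:50:55Z",
    PREFIX + "NEW_LABEL_2800047353": "2012-04-24T14:31:50Z",
}

if __name__ == "__main__":
    for dev, recs in find_reformats(SAMPLE_KEYS).items():
        for r in recs:
            print(dev, r["first_seen"], r["volume_label"], r["volume_serial_hex"])
```

The hex serial each record yields is what you match against link files and prefetch entries; the two first_seen values bracket the window in which the reformat took place.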
44
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices
WPDBUSENUMROOT#UMB#2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_FLASH&PROD_DRIVE_AU_USB20&REV_8.07#K &0#. FriendlyName contains the volume label or drive letter. Last write = will change on re-format.
45
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 contains volume GUID entries for volumes mounted while the profile was logged in. Last written = last insertion before a reboot. Can assist in attributing the USB device to a user profile. In the MountPoints2 key you will find a list of volumes, identified by GUIDs, that were mounted while the user's profile was active. In review: note the identifier (ParentIdPrefix or Unique Instance ID) for the storage devices listed in USBSTOR; review SYSTEM\MountedDevices to associate each identifier to a volume GUID and drive letter; review the MountPoints2 registry key for each profile to locate the relevant GUID. Pre-Vista you may also see drive letters listed here, and a review of the GUID's last written date in relation to any listed drive letters may assist in identifying an associated drive letter. I have found this to be hit and miss: I had one occasion during testing wherein a volume was mounted repeatedly and assigned "E", however "E" did not appear in MountPoints2 whilst the associated GUID did. Windows 7: the last written value is updated whenever the same device is inserted, with the exception of the first insert after a reboot. Therefore the last written date here relates to either the last time the device was inserted OR the last time it was inserted before a reboot. Prior to Vista: the last written times associated with each of the GUIDs indicate the last time that the associated USB device was plugged into the system while the profile was active, regardless of whether the computer was rebooted or not. "Logged in" (tested on Windows 7): if you leave a user profile passively logged in and then log in as a different user, any devices you insert may populate this location for both profiles.
46
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2. We are looking at the MountPoints2 key in the NTUSER.DAT file for profile "Colin". We can see our GUID, {75489d8a-a5a6-11de-aa2d-0024e829c6bd}, which is associated with our Dell USB key. We also see a last written date of 10/25/09 07:10:46 AM, which in this case was the last time the USB device was attached while this profile was active. The examiner would need to review this key for every profile to confirm that this was the only profile the USB key was used with. Windows 7: comparison with the last written value of the device's unique identifier under Enum\USB will confirm whether this indicates the last insert or the last insert prior to a reboot. Win XP: this is the last time the device was inserted into the system while the profile was active.
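Bringing the MountedDevices and MountPoints2 slides together, the following added Python (my example, not the presenter's) decodes the UTF-16LE device interface path held in a MountedDevices REG_BINARY value, maps each USBSTOR unique instance ID to its drive letter and volume GUID, and then looks up that GUID in each profile's MountPoints2 to attribute the device to a profile. The registry contents are constructed in the script: serial 0123456789AB is invented, the volume GUID and the profile name "Colin" are the ones the slide shows, and the C: value is a placeholder fixed-disk signature/offset pair.

```python
import re

# MountedDevices values for USB volumes are REG_BINARY holding a UTF-16LE device
# interface path of the form _??_USBSTOR#Disk&Ven_...#<unique instance id>#{guid};
# fixed disks hold a 12-byte disk signature + partition offset instead.
IFACE_RE = re.compile(
    r"_\?\?_USBSTOR#Disk&Ven_[^#]*&Prod_[^#]*&Rev_[^#]*#(?P<instance>[^#]+)#\{")
DRIVE_LETTER_RE = re.compile(r"^\\DosDevices\\(?P<letter>[A-Z]):$")
VOLUME_GUID_RE = re.compile(r"^\\\?\?\\Volume\{(?P<guid>[0-9a-fA-F-]{36})\}$")


def decode_mounted_device(value: bytes):
    """Return the USBSTOR Unique Instance ID a MountedDevices value refers to,
    or None when the value is not a USB storage interface path."""
    if len(value) < 4 or len(value) % 2:
        return None
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    m = IFACE_RE.search(text)
    return m["instance"] if m else None


def map_devices(mounted_devices: dict) -> dict:
    """MountedDevices -> {instance_id: {"drive_letters": [...], "volume_guids": [...]}}"""
    result = {}
    for name, value in mounted_devices.items():
        inst = decode_mounted_device(value)
        if inst is None:
            continue
        entry = result.setdefault(inst, {"drive_letters": [], "volume_guids": []})
        letter = DRIVE_LETTER_RE.match(name)
        guid = VOLUME_GUID_RE.match(name)
        if letter:
            entry["drive_letters"].append(letter["letter"])
        elif guid:
            entry["volume_guids"].append(guid["guid"].lower())
    return result


def attribute_to_profiles(mounted_devices: dict, mountpoints2_by_profile: dict) -> dict:
    """mountpoints2_by_profile: profile name -> {volume GUID: last written time}.
    Returns instance_id -> {profile: last written} for every profile whose
    MountPoints2 holds one of the device's volume GUIDs (the device was mounted
    while that profile was logged in)."""
    out = {}
    for inst, entry in map_devices(mounted_devices).items():
        hits = {}
        for profile, guids in mountpoints2_by_profile.items():
            for guid, last_written in guids.items():
                if guid.lower() in entry["volume_guids"]:
                    hits[profile] = last_written
        out[inst] = hits
    return out


# Constructed registry contents: serial 0123456789AB is invented; the volume GUID and
# profile "Colin" are those on the slide; the C: value is a placeholder fixed-disk entry.
DEV_PATH = ("_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#0123456789AB&0#"
            "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
USB_GUID = "75489d8a-a5a6-11de-aa2d-0024e829c6bd"
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a0b1c2d3") + bytes(8),
    "\\DosDevices\\H:": DEV_PATH.encode("utf-16-le"),
    "\\??\\Volume{" + USB_GUID + "}": DEV_PATH.encode("utf-16-le"),
}
SAMPLE_MOUNTPOINTS2 = {
    "Colin": {USB_GUID: "2009-10-25T07:10:46"},
    "Guest": {"00000000-0000-0000-0000-000000000000": "2009-10-20T12:00:00"},
}

if __name__ == "__main__":
    print(map_devices(SAMPLE_MOUNTED_DEVICES))
    print(attribute_to_profiles(SAMPLE_MOUNTED_DEVICES, SAMPLE_MOUNTPOINTS2))
```

Because drive letters are reused, the volume GUID rather than the letter is the link worth trusting, which is why the attribution step matches only on GUIDs; a profile that is absent from the result never had the volume mounted while it was active, and a profile that is present still needs the Win7 reboot caveat from the slide applied to its timestamp.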
47
REGISTRY REVIEW. HKLM\System\{Current Control Set}\Enum\USB and HKLM\System\{Current Control Set}\Enum\USBSTOR give: Vendor ID, Product ID; Manufacturer, Product; iSerial; first insertion; last insertion (Windows 7 only). Vendor ID, Product ID = ENUM\USB {device class identifier}. Manufacturer, Product = ENUM\USBSTOR {device class identifier}. iSerial = ENUM\USB {unique device identifier}. First insertion = USB and USBSTOR {device identifier subkeys, last written}. Last insertion (Win 7 only) = ENUM\USB {unique device identifier, last written}.
48
REGISTRY REVIEW Mounted Devices (System hive)
MountedDevices (System hive): drive letter, volume GUID. MountPoints2 (NTUSER.DAT): identify the active profile during insertion; an insertion date (Win 7); last insertion (XP).
49
Setupapi.log / Setupapi.dev.log
Tracking USB Devices – Windows 7
Setupapi.log / Setupapi.dev.log
C:\Windows\Setupapi.log - WinXP
C:\Windows\inf\Setupapi.dev.log - Win7, Vista
Provides first insertion date. Contains enough information to identify the device. Date is less transient (text based).
Setupapi.log (WinXP) or Setupapi.dev.log (Vista, Win7) is updated as Windows locates and loads the appropriate drivers for the USB storage device. The log entry is dated and therefore provides another source for determining the first time a USB removable storage device was inserted in the system. The log entries will provide the vendor ID, product ID, the unique instance ID and the ParentIdPrefix for the device. Again, the unique instance ID incorporates the USB device's iSerial number in most cases. Since the Setupapi.log is a text file, it is not subject to some of the concerns related to the Last Written dates on registry keys.
50
C:\Windows\inf\Setupapi.dev.log Windows 7
Tracking USB Devices – Windows 7
C:\Windows\inf\Setupapi.dev.log Windows 7
Sample from a Windows 7 box. The log was parsed using Mandiant's freeware tool "Highlighter". This log had over lines.
51
Woanware – USB Device Forensics www.woanware.co.uk
Tracking USB Devices – Windows 7
Woanware – USB Device Forensics
Woanware USB Device Forensics is one of the software solutions I have looked at. Its latest version collects all the date fields and information we have talked about with just a few clicks of the mouse.
52
Woanware USB Device Forensics
Tracking USB Devices – Windows 7
Woanware USB Device Forensics
A closer look at the output...
Vendor: Ven_FLASH
Product: Prod_Drive_AU_USB20
Version: Rev_8.07
Serial No: K
A closer look at the output: device-specific descriptors.
53
Woanware USB Device Forensics
Tracking USB Devices – Windows 7
Woanware USB Device Forensics
EMDMgmt Date/Time: 04/24/12 2:31:50 PM (UTC)
EMDMgmt Volume Serial No:
EMDMgmt Volume Serial No (Hex): A6E554F9
EMDMgmt Volume Name: NEW_LABEL
EMDMgmt Date/Time: 04/23/12 5:50:55 PM (UTC)
EMDMgmt Volume Serial No:
EMDMgmt Volume Serial No (Hex): C61C3E89
EMDMgmt Volume Name: VOL_LABEL
A closer look at the output: The tool collects the data from the EMDMgmt key, recognizes that the device is the same and reports both sets of volume information along with the Last Written dates. In my testing the Last Written dates indicate the first time the device was plugged in with the specific volume information as shown. In this case, on April at 5:50:55 PM UTC the device was inserted with the volume serial number of and volume label of VOL_LABEL. USB Device Forensics automatically converts the volume serial number to hex and reports the value as C61C3E89. On April at 2:31:50 PM (UTC) the device was re-inserted but now has a new volume serial number reported as or hex C61C3E89 and a new volume label "NEW_LABEL". This tells us that the device was reformatted sometime between these two dates. This information will be vital in connecting link files and other logs to this particular USB device.
54
Woanware USB Device Forensics
Tracking USB Devices – Windows 7
Woanware USB Device Forensics
VID: VID_058F
PID: PID_6387
ParentIdPrefix:
Drive Letter:
Volume Name:
GUID: d0-8d6c-11e1-aebf-a4badb0193d2
MountPoint: USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K &0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
A closer look at the output: The tool reports vendor and product ID numbers, the drive letter if still available, and the volume GUID.
55
Woanware USB Device Forensics
Tracking USB Devices – Windows 7
Woanware USB Device Forensics
Install Date/Time: 23/04/ :50:53 (Local) (setupapi.dev.log)
USBSTOR Date/Time: Tuesday, April 24, :35:59 Z (UTC)
DeviceClasses Date/Time (53f56307-b6bf-11d0-94f2-00a0c91efb8b): Tuesday, April 24, :35:59 Z (UTC)
DeviceClasses Date/Time (10497b1b-ba51-44e a65c837b6661): Monday, April 23, :50:57 Z (UTC)
Enum\USB VIDPID Date/Time: Tuesday, April 24, :35:59 Z (UTC)
MountPoints2 Date/Time: Tuesday, April 24, :35:59 Z (UTC) (File: ntuser.dat)
A closer look at the output:
Install Date/Time: 23/04/ :50:53 (Local) – this is reported from the Setupapi.dev.log and is given in local time based on the time setting of the computer it was found on.
USBSTOR Date/Time: Tuesday, April 24, :35:59 Z (UTC) – this time is taken from the unique identifier for the USB device within USBSTOR.
DeviceClasses Date/Time (53f56307-b6bf-11d0-94f2-00a0c91efb8b): Tuesday, April 24, :35:59 Z (UTC) – this time should be consistent with the USBSTOR reported time.
DeviceClasses Date/Time (10497b1b-ba51-44e a65c837b6661): Monday, April 23, :50:57 Z (UTC) – this time is the first time the USB device was plugged in and should be the same as the time reported in Setupapi.dev.log (within seconds, that is!).
Enum\USB VIDPID Date/Time: Tuesday, April 24, :35:59 Z (UTC) – this is the last time the USB device was plugged in.
MountPoints2 Date/Time: Tuesday, April 24, :35:59 Z (UTC) (File: ntuser.dat) – this is the last time the USB key was plugged in before a reboot.
56
Tracking USB Devices – Windows 7
Event Logs
Entries available in Vista, Win7 System logs: Event IDs 20001, 20003, 24576, 24577
57
Tracking USB Devices – Windows 7
Event Logs
58
Link Files Tracking USB Devices – Windows 7
The screenshot depicts link file DSC01081.lnk, which was created in the user's Recent folder when he accessed DSC01081.jpg on a USB thumb drive. In addition to the link file's own date fields, which indicate an access to the original file, the link file contains:
The date fields of the original file at offset 28 for a length of 24 (Created, Accessed, Last Written).
The full path to the target of the link.
The volume label, which precedes the full path to the target file.
The volume serial number can be located in the link file by first locating the volume label. This will be preceded by 4 bytes HEX. The four bytes prior to the 10 make up the volume serial number, stored little-endian.
59
Volume Shadow Copy : Restore Point
Tracking USB Devices – Windows 7
Volume Shadow Copy : Restore Point
Volume Shadow Copy – Vista, Windows 7: complete copies of the volume, including registry, links etc.
Restore Point – WinXP: copies of registry files. Relatively inaccessible to the user.
Restore points are created automatically by the system at set points in time. They can also be made manually. The restore points contain backup copies of the registry files. This allows an analyst to mount the backup registry files and review the keys of interest at different points in time. Due to the nature of the keys we reviewed today, this functionality could prove vital in determining assigned drive letters and further USB insertion dates.
Volume Shadow Copy is available on all flavors of Vista and Windows 7. Once again, it's relatively obscure; users pay little attention to it. Shadow Copy allows you to revert files, folders and volumes to an earlier date and includes the registry files. Requires access to the original hard disk.
60
Tracking USB Devices – Windows 7
Keyword Search
Volume Serial Number: link files, prefetch entries indicating an executable run from USB.
Volume Label: MRU lists in the registry.
iSerial Number: deleted registry strings from USBSTOR, MountedDevices, Device Class entries.
Keyword searches can locate useful artifacts fairly quickly. The keywords you use are going to depend on which end of the problem you are approaching from. If you have a suspect USB key and you are trying to link it to the computer, the volume serial, volume label and iSerial number are particularly useful. Remember that EnCase shows you the volume serial after it has been converted from little-endian, as do most utilities. To search the hard disk for the volume serial you need to convert the bytes back to little-endian and use a GREP expression, i.e. volume serial "4D66-890C" or "4D C" or "4D66890C" would be expressed as a GREP keyword in EnCase as \x0C\x89\x66\x4D.
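Added example, not from the presentation, tying together the volume serial handling from three slides: the decimal-to-hex serial conversion the EMDMgmt slide describes, the link-file layout the Link Files slide describes (serial, then the "10" offset field, then the volume label), and the little-endian GREP keyword above. It assumes the MS-SHLLINK VolumeID layout (size, drive type, serial, label offset, NUL-terminated label); the link-file bytes are constructed.

```python
import re
import struct

def serial_to_int(text: str) -> int:
    """Accept '4D66-890C', bare hex '4D66890C', or the decimal form that the EMDMgmt
    key name carries (e.g. '3323739785' -> 0xC61C3E89)."""
    t = text.strip()
    return int(t) if t.isdigit() else int(t.replace("-", ""), 16)

def serial_to_display(serial: int) -> str:
    """Display form as EnCase and most utilities show it (big-endian, hyphenated)."""
    return f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"

def serial_to_grep(serial: int) -> str:
    """EnCase-style GREP keyword: the serial's four bytes in on-disk (little-endian) order."""
    return "".join(f"\\x{b:02X}" for b in struct.pack("<I", serial))

def build_volume_id(serial: int, label: bytes, drive_type: int = 2) -> bytes:
    """Constructed MS-SHLLINK VolumeID: size, DriveType, DriveSerialNumber,
    VolumeLabelOffset (0x10, the '10' the slide refers to), then the NUL-terminated label."""
    body = struct.pack("<III", drive_type, serial, 0x10) + label + b"\x00"
    return struct.pack("<I", 4 + len(body)) + body

def find_volume_serials(data: bytes, label: bytes):
    """Locate VolumeIDs by label: the label must be preceded by the 0x10 offset field,
    and the four bytes before that are the little-endian serial. Returns (offset, serial)."""
    hits = []
    for m in re.finditer(re.escape(label) + b"\x00", data):
        at = m.start() - 8
        if at < 0:
            continue
        serial, offset = struct.unpack_from("<II", data, at)
        if offset == 0x10:
            hits.append((at, serial_to_display(serial)))
    return hits

def search_by_grep_keyword(data: bytes, serial_text: str) -> int:
    """What the keyword search does on disk: offset of the little-endian serial bytes, or -1."""
    return data.find(struct.pack("<I", serial_to_int(serial_text)))

# Constructed .lnk fragment: filler, a VolumeID for volume VOL_LABEL with serial 4D66-890C,
# then the target path that follows the label in a real link file (drive letter assumed).
SAMPLE_LNK = (b"\x00" * 20 + build_volume_id(0x4D66890C, b"VOL_LABEL")
              + b"E:\\DCIM\\DSC01081.jpg\x00")
```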
61
Tracking USB Devices – Windows 7
Thank You Colin Cree EFS e-Forensic Service Inc. A special thank you to those in the computer forensic community who share their discoveries in blogs, lists, papers and books for the benefit of us all!