Tracking USB Devices – Windows 7
Colin Cree, EFS e-Forensic Services Inc.
[email protected]
TRANSCRIPT
USB storage devices
• Large capacity
• Cheap
• Plug & Play
• Easy to carry / conceal
• Convenient
• Availability of portable apps
Tracking USB Devices – Windows 7
Page 2
USB storage devices
4 GB thumb drives are selling presently for as little as $4.49.
32 GB models are selling presently for as little as $19.99.
USB drives have been used for:
• Storing illicit data
• Theft of proprietary data
• Distribution of malware
• Running applications
Analysis of USB storage devices involves:
• Identification
• Attribution
• Identifying USB storage devices.
• Tracking USB storage devices on Windows 7.
  ▫ Collecting artifacts to identify an unknown device.
  ▫ Determining the usage of a known USB storage device.
Processing USB storage devices.
• Record what you see.
• Collect firmware information.
• Record volume information.
Take photographs and good notes.
One black and red external USB storage drive.
Make: "Buffalo", Model: HD-PE500U2, Serial: 45508390901080
Collect Firmware Information
• iSerial Number
• idVendor
• idProduct
• iManufacturer
• iProduct
Write Blocking – Windows Registry
HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
Write protect off:
"WriteProtect"=dword:00000000
Write protect on:
"WriteProtect"=dword:00000001

Write Blocking – Fastbloc SE
Three modes:
1. Write Protected
2. Write Blocked
3. None
Disable Autoplay
Run GPEDIT.MSC:
Computer Configuration
  ▫ Administrative Templates
    ▫ Windows Components
      ▫ AutoPlay Policies
Double-click "Turn off Autoplay", select Enabled and apply.
Microsoft's USB Device Viewer (Usbview.exe)
www.ftdichip/Resources/utilities.htm
Record Volume Serial Number – Volume Boot Record
File system – Offset – Length
FAT 16 – Offset 39 – 4 bytes
FAT 32 – Offset 67 – 4 bytes
NTFS – Offset 72 – 8 bytes
Example value from the slide: 9885323f
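An added example, not from the slides: it reads the volume serial number out of a boot sector at the offsets listed above, picking the file system from the signature strings in the sector; build_sample_vbr constructs minimal test sectors (not real images) so the parser can be run offline.

```python
import struct

# Volume serial number location in the Volume Boot Record, as listed on the slide
# (decimal offsets; fields are little-endian).
SERIAL_FIELDS = {
    "FAT16": (39, 4),
    "FAT32": (67, 4),
    "NTFS": (72, 8),
}


def detect_filesystem(vbr: bytes) -> str:
    """Identify the file system from the signature strings in the boot sector."""
    if vbr[3:11] == b"NTFS    ":
        return "NTFS"
    if vbr[82:87] == b"FAT32":
        return "FAT32"
    if vbr[54:59] in (b"FAT16", b"FAT12"):
        return "FAT16"  # FAT12 shares the FAT16 BPB layout, so the same offset applies
    raise ValueError("unrecognised boot sector")


def volume_serial(vbr: bytes) -> str:
    """Return the volume serial number as lower-case hex, the way forensic tools display it."""
    if len(vbr) < 512 or vbr[510:512] != b"\x55\xaa":
        raise ValueError("not a boot sector (short read or missing 55AA signature)")
    offset, size = SERIAL_FIELDS[detect_filesystem(vbr)]
    value = struct.unpack("<Q" if size == 8 else "<I", vbr[offset:offset + size])[0]
    # NTFS stores a 64-bit serial; Windows reports the low 32 bits as the Volume Serial Number.
    return f"{value & 0xFFFFFFFF:08x}"


def build_sample_vbr(fs: str, serial: int) -> bytes:
    """Construct a minimal boot sector of the given type carrying `serial` (test data, not a real image)."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xeb\x58\x90"  # jump instruction every boot sector starts with
    offset, size = SERIAL_FIELDS[fs]
    vbr[offset:offset + size] = struct.pack("<Q" if size == 8 else "<I", serial)
    if fs == "NTFS":
        vbr[3:11] = b"NTFS    "
    elif fs == "FAT32":
        vbr[3:11] = b"MSWIN4.1"
        vbr[82:90] = b"FAT32   "
    else:
        vbr[3:11] = b"MSDOS5.0"
        vbr[54:62] = b"FAT16   "
    vbr[510:512] = b"\x55\xaa"
    return bytes(vbr)


if __name__ == "__main__":
    print(volume_serial(build_sample_vbr("FAT32", 0x9885323F)))  # 9885323f
```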
Summary
• Photograph and take notes
• Turn off Autoplay (autorun) on the examining system
• Write block and insert the storage device
• Collect firmware information
• Collect the volume serial number
Two Scenarios
• Determining usage of a known USB storage device on a computer system or systems.
• Collecting identifiers of an unknown USB storage device from a computer system.
ARTIFACTS
WinXP:
• Setupapi.log
• Restore points
Vista / Win7:
• Setupapi.dev.log
• Event logs, Volume Shadow Copies
Common to both:
• System registry hive
• Current user registry hive
• Link files, MRU lists, Prefetch
• $LogFile, pagefile, unallocated

HKEY_LOCAL_MACHINE (HKLM)
• DeviceClasses
• USB
• USBSTOR
• STORAGE\Volume
• WpdBusEnumRoot\UMB
HKLM\System\{CurrentControlSet}\Enum\USBSTOR
Last written times:
• Time the last USB device of this class was first inserted
• An insertion date
• First insertion date
USBSTOR – ParentIdPrefix
• Win XP and earlier.
• Unique identifier assigned to the device.
HKLM\SYSTEM\{CurrentControlSet}\Enum\USB
Last written times:
• Time the last USB device of this class was first inserted
• Win7: last insertion. (Vista & XP: time of an insertion.)
• First insertion date
Summary USB/USBSTOR
Identifiers (USB and USBSTOR keys):
• Vendor ID
• Product ID
• iSerial Number
• Manufacturer
• Product
Insertion dates:
• First insert = last written time of LogConf, Device Parameters
• Last insert = device's unique identifier under the USB key
• Other interim insertion dates possible (device's unique identifier under the USBSTOR key)
HKLM\SYSTEM\{CurrentControlSet}\Enum\STORAGE\Volume
Last written times:
• An insertion date
• First insertion date
HKLM\SYSTEM\{CurrentControlSet}\Enum\WpdBusEnumRoot\UMB
"Friendly Name" value: volume label or drive letter
HKLM\System\{CurrentControlSet}\Control\DeviceClasses
The following device class GUIDs can contain information relative to the USB device:
{a5dcbf10-6530-11d2-901f-00c04fb951ed}
{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
{6ac27878-a6fa-4155-ba85-f98f491d4f33}
{f33fdc04-d1ac-4e8e-9a30-19bbd4b108ae}
{10497b1b-ba51-44e5-8318-a65c837b6661}
HKLM\System\MountedDevices
• Maps storage media to drive letters and volume GUIDs.
• On Vista and Windows 7, USB devices are mapped using the unique identifier from the USBSTOR subkeys.
• On XP the ParentIdPrefix value is used to map USB drives to a drive letter and volume GUID.
• Volume GUIDs survive even when a drive letter is reassigned.
HKLM\System\MountedDevices
Unique ID from USBSTOR in the mapping to a drive letter.

HKLM\System\MountedDevices
Unique ID from USBSTOR in the mapping to a volume GUID:
_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_3323739785
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
Last write = first insertion date
_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_3323739785

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}NEW_LABEL_2800047353
WPDBUSENUMROOT#UMB#2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_FLASH&PROD_DRIVE_AU_USB20&REV_8.07#K0903000000000021370&0#
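An added example (not from the slides, and not Woanware's code) that pulls the tracked identifiers out of the MountedDevices and EMDMgmt strings shown above: USBSTOR vendor, product and revision, the unique id (iSerial), the device class GUID and, for EMDMgmt value names, the volume label plus the decimal volume serial converted to the hex form Woanware prints. The regex and field names are my own; it also accepts the WPDBUSENUMROOT form, which embeds the same path.

```python
import re

# Device path as written in MountedDevices values and as EMDMgmt value names.
# EMDMgmt stores '\' as '_', so "\??\USBSTOR#..." appears as "_??_USBSTOR#...";
# the WPDBUSENUMROOT form embeds the same path after "STORAGE#VOLUME#", so we search.
USBSTOR_RE = re.compile(
    r"[\\_]\?\?[\\_]USBSTOR#Disk&Ven_(?P<vendor>[^&#]*)&Prod_(?P<product>[^&#]*)"
    r"&Rev_(?P<rev>[^#]*)#(?P<unique_id>[^#]+)#"
    r"(?:\{(?P<class_guid>[0-9A-Fa-f-]{36})\})?(?P<tail>.*)$",
    re.IGNORECASE,
)


def parse_usbstor_path(value: str) -> dict:
    """Split a USBSTOR device path into the identifiers the slides track."""
    m = USBSTOR_RE.search(value)
    if not m:
        raise ValueError(f"no USBSTOR device path in {value!r}")
    unique_id = m["unique_id"]
    # If the second character is '&', Windows generated the id because the device
    # reported no iSerial; it then identifies the port/instance, not the firmware.
    generated = len(unique_id) > 1 and unique_id[1] == "&"
    info = {
        "vendor": m["vendor"],
        "product": m["product"],
        "revision": m["rev"],
        "serial": unique_id if generated else unique_id.rsplit("&", 1)[0],
        "serial_from_firmware": not generated,
        "class_guid": m["class_guid"].lower() if m["class_guid"] else None,
    }
    tail = m["tail"]
    if tail:  # EMDMgmt form: <volume label>_<decimal volume serial>
        label, _, decimal_serial = tail.rpartition("_")
        if decimal_serial.isdigit():
            info["volume_label"] = label
            # Woanware reports this as "Volume Serial No (Hex)"
            info["volume_serial_hex"] = f"{int(decimal_serial):08X}"
    return info


if __name__ == "__main__":
    # Value name taken from the EMDMgmt slide
    sample = ("_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#"
              "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_3323739785")
    for key, val in parse_usbstor_path(sample).items():
        print(f"{key:>20}: {val}")
```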
Tracking USB Devices – Windows 7
Page 44
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices
Last write = will change on re-format.
FriendlyName contains the volume label or drive letter.
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
• Contains volume GUID entries for volumes mounted while the profile was logged in.
• Last written = last insertion before a reboot.
• Can assist in attributing the USB device to a user profile.
REGISTRY REVIEW
HKLM\System\{Current Control Set}\Enum\USB
HKLM\System\{Current Control Set}\Enum\USBSTOR
• Vendor ID, Product ID
• Manufacturer, Product
• iSerial
• First insertion
• Last insertion (Windows 7 only)
REGISTRY REVIEW
MountedDevices (System hive)
• Drive letter
• Volume GUID
MountPoints2 (NTUSER.DAT)
• Identify the active profile during insertion.
• An insertion date (Win 7).
• Last insertion (XP).
Setupapi.log / Setupapi.dev.log
• C:\Windows\Setupapi.log – WinXP
• C:\Windows\inf\Setupapi.dev.log – Win7, Vista
• Provides the first insertion date.
• Contains enough information to identify the device.
• Date is less transient – text based. Note that its timestamps are local time on the examined machine, whereas registry last-written times are UTC.
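An added example, not from the slides: a parser for the Win7/Vista setupapi.dev.log "Device Install" sections, run over constructed log lines built around the device on these slides (the layout follows the Windows 7 log format; the section times are made up to match the install time the Woanware output reports).

```python
import re
from datetime import datetime

# Win7/Vista setupapi.dev.log records a "Device Install" section the first time a
# device is seen; the "Section start" line carries the local time of that install.
# The log text below is constructed for this example, using the device from the slides.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_058F&PID_6387\\K0903000000000021370]
>>>  Section start 2012/04/23 10:50:51.903
<<<  Section end 2012/04/23 10:50:53.400
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07\\K0903000000000021370&0]
>>>  Section start 2012/04/23 10:50:53.421
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
     dvi:                  {Build Driver List} 10:50:53.468
<<<  Section end 2012/04/23 10:50:55.187
<<<  [Exit status: SUCCESS]
"""

INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \(.*?\) - (?P<path>USBSTOR\\[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def usbstor_installs(log_text: str) -> list:
    """Return (instance path, unique id, local install time) for each USBSTOR Device Install section."""
    results, pending = [], None
    for line in log_text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            pending = m["path"]
            continue
        m = START_RE.match(line)
        if m and pending:
            # Timestamp is local time on the examined machine (registry times are UTC).
            when = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            # Last path component is "<unique id>&<instance>"; drop the trailing instance number.
            serial = pending.rsplit("\\", 1)[-1].rsplit("&", 1)[0]
            results.append((pending, serial, when))
            pending = None
    return results


if __name__ == "__main__":
    for path, serial, when in usbstor_installs(SAMPLE_LOG):
        print(f"{when:%d/%m/%Y %H:%M:%S} (Local)  {serial}  {path}")
```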
Woanware – USB Device Forensics
www.woanware.co.uk
A closer look at the output…
Vendor: Ven_FLASH
Product: Prod_Drive_AU_USB20
Version: Rev_8.07
Serial No: K0903000000000021370
EMDMgmt Date/Time: 04/24/12 2:31:50 PM (UTC)
EMDMgmt Volume Serial No: 2800047353
EMDMgmt Volume Serial No (Hex): A6E554F9
EMDMgmt Volume Name: NEW_LABEL

EMDMgmt Date/Time: 04/23/12 5:50:55 PM (UTC)
EMDMgmt Volume Serial No: 3323739785
EMDMgmt Volume Serial No (Hex): C61C3E89
EMDMgmt Volume Name: VOL_LABEL
VID: VID_058F
PID: PID_6387
ParentIdPrefix:
Drive Letter:
Volume Name:
GUID: 378922d0-8d6c-11e1-aebf-a4badb0193d2
MountPoint: USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Install Date/Time: 23/04/2012 10:50:53 (Local) (setupapi.dev.log)
USBSTOR Date/Time: Tuesday, April 24, 2012 22:35:59 Z (UTC)
DeviceClasses Date/Time (53f56307-b6bf-11d0-94f2-00a0c91efb8b): Tuesday, April 24, 2012 22:35:59 Z (UTC)
DeviceClasses Date/Time (10497b1b-ba51-44e5-8318-a65c837b6661): Monday, April 23, 2012 17:50:57 Z (UTC)
Enum\USB VIDPID Date/Time: Tuesday, April 24, 2012 22:35:59 Z (UTC)
MountPoints2 Date/Time: Tuesday, April 24, 2012 22:35:59 Z (UTC) (File: ntuser.dat)
Event Logs
Entries available in Vista and Win7 System logs.
Event IDs 20001, 20003, 24576, 24577
Volume Shadow Copy / Restore Point
Volume Shadow Copy – Vista, Windows 7
• Complete copies of the volume including registry, links, etc.
Restore Point – WinXP
• Copies of registry files
• Relatively inaccessible to the user
Keyword Search
Volume Serial Number
• Link files
• Prefetch entries indicating an executable run from USB
Volume Label
• Link files
• MRU lists in registry
iSerial Number
• Deleted registry strings from USB, USBSTOR, MountedDevices, Device Class entries
Thank You
Colin Cree, EFS e-Forensic Services Inc.
A special thank you to those in the computer forensic community who share their discoveries in blogs, lists, papers and books for the benefit of us all!