Tracking USB Devices – Windows 7 Colin Cree EFS e-Forensic Services Inc. [email protected].

Tracking USB Devices – Windows 7

Colin Cree EFS e-Forensic Services Inc.

[email protected]

• Large capacity

• Cheap

• Plug & Play

• Easy to carry / conceal

• Convenient

• Availability of portable apps

USB storage devices


4 GB Thumb drives are selling presently for

as little as $4.49

32 GB models are selling presently for

as little as $19.99

USB storage devices


• Storing illicit data

• Theft of proprietary data

• Distribution of malware

• Running applications

USB Drives have been used for:


Identification

Attribution

Analysis of USB storage devices involves:


• Identifying USB storage devices.

•Tracking USB storage devices on Windows 7.

Collecting artifacts to identify an unknown device.

Determining the usage of a known USB storage device.


Processing an unknown USB storage device.


•Record what you see.

•Collect Firmware Information

•Record Volume information


Processing USB storage devices.

One black and red external USB storage drive


Take photographs and good notes.

Make:“Buffalo” , Model: HD-PE500U2,Serial: 45508390901080

Collection of

USB storage device firmware fields


•iSerial Number

•idVendor

•idProduct

•iManufacturer

•iProduct


Collect Firmware Information

•Use Hardware or software write blocking


Write Blocking

Use Hardware

or Software

Write Blocking


Write Blocking

HKLM\SYSTEM\CurrentControlSet\

Control\StorageDevicePolicies write protect off:

“WriteProtect”=dword:00000000

write protect on:

“WriteProtect”=dword:00000001


Write Blocking – Windows Registry

Write Blocking – Fastbloc SE


Three Modes

1. Write Protected2. Write Blocked3. None

Run GPEDIT.MSCComputer Configuration Administrative Templates

▫ Windows Components

· AutoPlay Policies

Doubleclick “Turn off Autoplay” and select enable and apply.


Disable Autoplay


Microsoft’s USB Device Viewer

www.ftdichip/Resources/utilities.htm

Usbview.exe


Microsoft’s USB Device Viewer


Record Volume serial numberVolume Boot Record

FAT 32 – Offset 67 - 4 bytes

NTFS – Offset 72 - 8 bytes

FAT 16 – Offset 39 – 4 bytes

9885323f


Summary•Photograph and take notes

•Turn off autorun on examining system

•Write block and insert storage device

•Collect firmware information

•Collect Volume Serial Number


Windows 7 USB artifacts


Two Scenarios•Determining usage of a known USB storage device on a computer system or systems.

•Collecting identifiers of an unknown USB storage device from a computer system.


WINXP

VISTAWIN7ARTIFACTS

Setupapi.logRestore pointsSystem Registry HiveCurrent User registry HiveLink Files, MRU Lists, Prefetch$logfile, pagefile, unallocatedSetupapi.dev.logEvent logs, Volume shadow

HKEY_LOCAL_MACHINE (HKLM)


DeviceClasses

USB USBSTOR

STORAGE\VolumeWpdBusEnumRoot\UMB


HKLM\System\ {CurrentControlSet}\ \Enum\USBSTOR

HKLM\System\{CurrentControlSet}\Enum\USBSTOR



Last Written TimesTime last USB device of this class was first inserted

An Insertion Date

First Insertion Date

HKLM\System\{CurrentControlSet}\Enum\USBSTOR


•Win XP and earlier•Unique Identifier assigned to device.

USBSTOR – Parent Id Prefix


HKLM\System\ {CurrentControlSet}\Enum\USB

HKLM\SYSTEM\{Current Control Set}\Enum\USB



Last Written TimesTime last USB device of this class was first inserted

WIN7 – Last insertion.(Vista & XP – Time of an insertion.)First Insertion Date

HKLM\SYSTEM\{Current Control Set}\Enum\USB


Summary USB/USBSTOR Vendor ID Product ID

iSerial Number Manufacturer

Product

USBSTOR

USB

Insertion DatesFirst Insert = Last written LogConf, Device Parameters

Last Insert = Devices unique identifier under USB key

Other interim insertion dates possible. (Devices unique identifier under USBSTOR key)


Summary USB/USBSTOR


HKLM\SYSTEM\{CurrentControlSet}\Enum\Storage \Volume

An Insertion Date

First Insertion Date


HKLM\SYSTEM\{CurrentControlSet}\Enum\ WpdBusEnumRoot\UMB

“Friendly Name”

Volume LabelOr

Drive Letter


HKLM\System\{CurrentControlSet}\Control\Device Classes

The following Device Class GUID’s can contain information relative to the USB device:{a5dcbf10-6530-11d2-901f-00c04fb951ed}

{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

{6ac27878-a6fa-4155-ba85-f98f491d4f33}

{f33fdc04-d1ac-4e8e-9a30-19bbd4b108ae}

{10497b1b-ba51-44e5-8318-a65c837b6661}


HKLM\System\MountedDevices•Maps Storage media to Drive letters and Volume GUIDs.•On Vista and Windows 7 USB devices are mapped using the Unique Identifier from the USBSTOR subkeys.

•On XP the ParentIdPrefix vaklue is used to map USB drives to a drive letter and Volume GUID.

•Volume GUID survive even when a drive letter is reassigned.


HKLM\System\MountedDevices

Unique ID from USBSTOR in mapping to Drive Letter.


HKLM\System\MountedDevices

Unique ID from USBSTOR in mapping to Volume GUID.

_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_3323739785


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt

LAST WRITE = First Insertion Date


Vol SN C61C3E89 = Decimal 3323739785

_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_3323739785


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt

_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}NEW_LABEL_2800047353

WPDBUSENUMROOT#UMB#2&37C186B&0&STORAGE#VOLUME#_??

_USBSTOR#DISK&VEN_FLASH&PROD_DRIVE_AU_USB20&REV_8.07#K0903000000000021370&0#


HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices

LAST WRITE = will change on re-format

FriendlyName contains Volume Label or Drive letter.


NTUSER.DAT\Software\Microsoft\Windows\ CurrentVersion\Explorer\MountPoints2

•Contains Volume GUID entries for volumes mounted while profile logged in.

•Last Written = last insertion before a reboot.

•Can assist in attributing the USB device to a User Profile.


NTUSER.DAT\Software\Microsoft\Windows\ CurrentVersion\Explorer\MountPoints2


REGISTRY REVIEWHKLM\System\{Current Control Set}\Enum\USB HKLM\System\{Current Control Set}\Enum\USBSTOR Vendor ID, Product ID Manufacturer, Product iSerial First Insertion Last Insertion (Windows 7 only)


REGISTRY REVIEW

Mounted Devices (System hive) Drive Letter Volume GUID

MountPoints2 (NTUSER.DAT) Identify active profile during insertion. An insertion date. (Win 7) Last insertion (XP)


Setupapi.log / Setupapi.dev.log

• C:\Windows\Setupapi.log -WinXP

• C:\Windows\inf\Setupapi.dev.log -Win7, Vista

• Provides first insertion date

• Contains enough information to Identify device

• Date is less transient – text based


C:\Windows\inf\Setupapi.dev.log Windows 7

Woanware – USB Device Forensics

www.woanware.co.uk


Woanware USB Device Forensics


Vendor: Ven_FLASHProduct: Prod_Drive_AU_USB20Version: Rev_8.07Serial No: K0903000000000021370

A Closer look at the Output…

Woanware USB Device ForensicsTracking USB Devices – Windows 7

EMDMgmt Date/Time: 04/24/12 2:31:50 PM (UTC)EMDMgmt Volume Serial No: 2800047353EMDMgmt Volume Serial No (Hex): A6E554F9EMDMgmt Volume Name: NEW_LABEL

EMDMgmt Date/Time: 04/23/12 5:50:55 PM (UTC)EMDMgmt Volume Serial No: 3323739785EMDMgmt Volume Serial No (Hex): C61C3E89EMDMgmt Volume Name: VOL_LABEL


VID: VID_058F PID: PID_6387ParentIdPrefix: Drive Letter: Volume Name: GUID: 378922d0-8d6c-11e1-aebf-a4badb0193d2

MountPoint: USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}


Install Date/Time: 23/04/2012 10:50:53 (Local) (setupapi.dev.log)USBSTOR Date/Time: Tuesday, April 24, 2012 22:35:59 Z (UTC)DeviceClasses Date/Time (53f56307-b6bf-11d0-94f2-00a0c91efb8b): Tuesday, April 24, 2012 22:35:59 Z (UTC)DeviceClasses Date/Time (10497b1b-ba51-44e5-8318-a65c837b6661): Monday, April 23, 2012 17:50:57 Z (UTC)Enum\USB VIDPID Date/Time: Tuesday, April 24, 2012 22:35:59 Z (UTC)MountPoints2 Date/Time: Tuesday, April 24, 2012 22:35:59 Z (UTC) (File: ntuser.dat)


Event Logs

Entries available in Vista, Win7 System Logs

Event ID’s 20001, 20003, 24576, 24577


Event Logs


Link Files


Volume Shadow Copy : Restore Point Volume Shadow Copy – Vista, Windows 7

Complete copies of volume including registry, links etc

Restore Point – WinXP Copies of registry files Relatively inaccessible to user

Keyword SearchVolume Serial Number

•Link Files,

•Prefetch entries indicating executable run from USB

Volume Label

•Link Files,

•MRU lists in registry

iSerial Number

deleted registry strings from USB USBSTOR, MountedDevices, Device Class entries.


Thank You


Colin Cree EFS e-Forensic Service Inc.

[email protected]

A special thank you to those in the computer forensic community who share their discoveries in blogs, lists,

papers and books for the benefit of us all!

Tracking USB Devices – Windows 7 Colin Cree EFS e-Forensic Services Inc. [email protected].

Documents

Transcript of Tracking USB Devices – Windows 7 Colin Cree EFS e-Forensic Services Inc. [email protected].