
1 Tracking USB Devices – Windows 7 Colin Cree EFS e-Forensic Services Inc. colin@e-forensic.ca

2 USB storage devices: large capacity; cheap; plug & play; easy to carry / conceal; convenient; availability of portable apps. Tracking USB Devices – Windows 7 Page 2

3 USB storage devices: 4 GB thumb drives are selling presently for as little as $4.49; 32 GB models are selling presently for as little as $19.99.

4 USB drives have been used for: storing illicit data; theft of proprietary data; distribution of malware; running applications.

5 Analysis of USB storage devices involves: identification; attribution.

6 Identifying USB storage devices. Tracking USB storage devices on Windows 7. Collecting artifacts to identify an unknown device. Determining the usage of a known USB storage device.

7 Processing an unknown USB storage device.

8 Processing USB storage devices: record what you see; collect firmware information; record volume information.

9 Take photographs and good notes. One black and red external USB storage drive. Make: Buffalo, Model: HD-PE500U2, Serial: 45508390901080

10 Collection of USB storage device firmware fields

11 Collect Firmware Information: iSerial Number, idVendor, idProduct, iManufacturer, iProduct

12 Write Blocking: use hardware or software write blocking

13 Write Blocking: use hardware or software write blocking

14 Write Blocking – Windows Registry: HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies. Write protect off: WriteProtect=dword:00000000. Write protect on: WriteProtect=dword:00000001

15 Write Blocking – Fastbloc SE. Three modes: 1. Write Protected; 2. Write Blocked; 3. None

16 Disable Autoplay: run GPEDIT.MSC, then Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies. Double-click "Turn off Autoplay", select Enabled and apply.

17 Microsoft's USB Device Viewer (Usbview.exe): www.ftdichip/Resources/utilities.htm

18 Microsoft's USB Device Viewer

19

20 Record Volume serial number from the Volume Boot Record: FAT32 – offset 67, 4 bytes; NTFS – offset 72, 8 bytes; FAT16 – offset 39, 4 bytes. Example value: 9885323f
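As an added example (not from the presentation), the following Python reads the volume serial straight out of a boot sector using the three offsets listed on the slide. The boot sectors it runs against are constructed inside the code; the filesystem-type strings it keys on (BS_FilSysType at offset 54 for FAT12/16 and offset 82 for FAT32, the "NTFS    " OEM id at offset 3) are taken from the FAT and NTFS boot-sector layouts, not from the slide.

```python
"""Extract the volume serial number from a Volume Boot Record (VBR).

Added example, not part of the original presentation. Serial offsets are the
ones quoted on the slide: FAT16 -> 39 (4 bytes), FAT32 -> 67 (4 bytes),
NTFS -> 72 (8 bytes). All boot sectors used here are constructed test data.
"""
import struct

# (offset, size in bytes) of the volume serial, per filesystem
SERIAL_OFFSETS = {
    "FAT16": (39, 4),
    "FAT32": (67, 4),
    "NTFS": (72, 8),
}


def filesystem_type(vbr: bytes) -> str:
    """Identify the filesystem from the OEM id / FS-type strings in the VBR."""
    if len(vbr) < 512 or vbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot-sector signature")
    if vbr[3:11] == b"NTFS    ":
        return "NTFS"
    if vbr[82:90] == b"FAT32   ":
        return "FAT32"
    if vbr[54:62] in (b"FAT16   ", b"FAT12   ", b"FAT     "):
        return "FAT16"           # FAT12 keeps its serial at the same offset as FAT16
    raise ValueError("unrecognised volume boot record")


def volume_serial(vbr: bytes) -> tuple[str, str]:
    """Return (filesystem, serial). FAT serials are shown as XXXX-XXXX, the way
    the Windows 'vol' command prints them; NTFS serials are the full 8 bytes."""
    fs = filesystem_type(vbr)
    offset, size = SERIAL_OFFSETS[fs]
    if size == 4:
        value = struct.unpack_from("<I", vbr, offset)[0]   # little-endian DWORD
        text = f"{value:08X}"
        return fs, f"{text[:4]}-{text[4:]}"
    value = struct.unpack_from("<Q", vbr, offset)[0]       # little-endian QWORD
    return fs, f"{value:016X}"


def make_vbr(fs: str, serial: int) -> bytes:
    """Build a minimal constructed boot sector carrying the given serial."""
    vbr = bytearray(512)
    vbr[510:512] = b"\x55\xAA"
    offset, _ = SERIAL_OFFSETS[fs]
    if fs == "NTFS":
        vbr[0:3] = b"\xEB\x52\x90"
        vbr[3:11] = b"NTFS    "
        struct.pack_into("<Q", vbr, offset, serial)
    elif fs == "FAT32":
        vbr[0:3] = b"\xEB\x58\x90"
        vbr[3:11] = b"MSWIN4.1"
        vbr[82:90] = b"FAT32   "
        struct.pack_into("<I", vbr, offset, serial)
    else:
        vbr[0:3] = b"\xEB\x3C\x90"
        vbr[3:11] = b"MSDOS5.0"
        vbr[54:62] = b"FAT16   "
        struct.pack_into("<I", vbr, offset, serial)
    return bytes(vbr)


if __name__ == "__main__":
    # The serial quoted on the slide, placed in each of the three layouts.
    for fs_name in ("FAT16", "FAT32"):
        print(volume_serial(make_vbr(fs_name, 0x9885323F)))
    print(volume_serial(make_vbr("NTFS", 0x1A2B3C4D5E6F7081)))
```

Note that for NTFS, Windows' `vol` displays only the low 32 bits of the 8-byte serial; searching for both the full and the truncated form avoids missing hits. The same 4-byte value reappears later in decimal form in the EMDMgmt subkey name.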

21 Summary: photograph and take notes; turn off autorun on the examining system; write block and insert the storage device; collect firmware information; collect the volume serial number.

22 Windows 7 USB artifacts

23 Two Scenarios: determining usage of a known USB storage device on a computer system or systems; collecting identifiers of an unknown USB storage device from a computer system.

24 Artifact sources by version (WINXP / VISTA / WIN7): Setupapi.log (XP); Restore points (XP); System Registry Hive; Current User registry Hive; Link Files, MRU Lists, Prefetch; $logfile, pagefile, unallocated; Setupapi.dev.log (Vista, Win7); Event logs, Volume shadow (Vista, Win7).

25 HKEY_LOCAL_MACHINE (HKLM): DeviceClasses; USB; USBSTOR; STORAGE\Volume; WpdBusEnumRoot\UMB

26 HKLM\System\{CurrentControlSet}\Enum\USBSTOR

27 HKLM\System\{CurrentControlSet}\Enum\USBSTOR

28 HKLM\System\{CurrentControlSet}\Enum\USBSTOR – Last Written Times: time the last USB device of this class was first inserted; an insertion date; first insertion date.

29 USBSTOR – Parent Id Prefix: Win XP and earlier; unique identifier assigned to the device.

30 HKLM\System\{CurrentControlSet}\Enum\USB

31 HKLM\SYSTEM\{CurrentControlSet}\Enum\USB

32 HKLM\SYSTEM\{CurrentControlSet}\Enum\USB – Last Written Times: time the last USB device of this class was first inserted; WIN7 – last insertion (Vista & XP – time of an insertion); first insertion date.

33 Summary USB/USBSTOR: Vendor ID, Product ID, iSerial Number, Manufacturer, Product (from the USBSTOR and USB keys)

34 Summary USB/USBSTOR – Insertion Dates: First Insert = Last written of LogConf, Device Parameters; Last Insert = device's unique identifier under the USB key; other interim insertion dates possible (device's unique identifier under the USBSTOR key).

35 HKLM\SYSTEM\{CurrentControlSet}\Enum\Storage\Volume: an insertion date; first insertion date.

36 HKLM\SYSTEM\{CurrentControlSet}\Enum\WpdBusEnumRoot\UMB: Friendly Name = Volume Label or Drive Letter

37 HKLM\System\{CurrentControlSet}\Control\DeviceClasses – the following Device Class GUIDs can contain information relative to the USB device: {a5dcbf10-6530-11d2-901f-00c04fb951ed}; {53f56307-b6bf-11d0-94f2-00a0c91efb8b}; {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}; {6ac27878-a6fa-4155-ba85-f98f491d4f33}; {f33fdc04-d1ac-4e8e-9a30-19bbd4b108ae}; {10497b1b-ba51-44e5-8318-a65c837b6661}

38 HKLM\System\MountedDevices: maps storage media to drive letters and Volume GUIDs. On Vista and Windows 7, USB devices are mapped using the Unique Identifier from the USBSTOR subkeys. On XP the ParentIdPrefix value is used to map USB drives to a drive letter and Volume GUID. Volume GUIDs survive even when a drive letter is reassigned.

39 HKLM\System\MountedDevices: Unique ID from USBSTOR in mapping to Drive Letter.

40 HKLM\System\MountedDevices: Unique ID from USBSTOR in mapping to Volume GUID.

41 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt – LAST WRITE = First Insertion Date. Example subkey: _??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_3323739785

42 Vol SN C61C3E89 = Decimal 3323739785

43 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt – two subkeys for the same device after a re-label: _??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_3323739785 and _??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}NEW_LABEL_2800047353
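The MountedDevices mapping (slides 38 to 40) and the EMDMgmt subkey names (slides 41 to 43) both embed the same USBSTOR device-instance path, so one parser serves both. The Python below is an added example, not code from the presentation or from any tool it mentions: it pulls vendor, product, revision and iSerial out of the path, ties a USBSTOR serial to its drive letters and Volume GUIDs from constructed MountedDevices values, and recovers the volume label and hex volume serial from EMDMgmt subkey names. The registry data is built inline in the shape shown on the slides; the 12-byte fixed-disk value for C: is a constructed placeholder.

```python
"""Parse Windows 7 USB artifacts: USBSTOR device paths, MountedDevices values
and EMDMgmt subkey names.

Added example; not from the presentation. Registry contents are constructed
in the same form as the values quoted on the slides.
"""
import re

# USBSTOR#Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>#<iSerial>&<instance>#{<class GUID>}
USBSTOR_RE = re.compile(
    r"USBSTOR#Disk&Ven_(?P<vendor>[^&#]*)&Prod_(?P<product>[^&#]*)&Rev_(?P<revision>[^&#]*)"
    r"#(?P<serial>[^&#]+)&(?P<instance>\d+)#\{(?P<class_guid>[0-9a-fA-F-]{36})\}",
    re.IGNORECASE,
)


def parse_usbstor_path(text: str) -> dict:
    """Split a USBSTOR device-instance path into its identifying fields."""
    m = USBSTOR_RE.search(text)
    if not m:
        raise ValueError(f"not a USBSTOR device path: {text!r}")
    return m.groupdict()


def parse_emdmgmt_name(name: str) -> dict:
    """EMDMgmt subkeys end in <volume label>_<volume serial in decimal>."""
    fields = parse_usbstor_path(name)
    tail = name[name.index("}") + 1:]            # text after the class GUID
    label, _, decimal = tail.rpartition("_")     # label itself may contain '_'
    value = int(decimal)
    fields.update(label=label, volume_serial_dec=value,
                  volume_serial_hex=f"{value:08X}")
    return fields


# MountedDevices data for a USB volume is the UTF-16LE device path, e.g.
# \??\USBSTOR#Disk&Ven_...#<iSerial>&0#{53f56307-...}
USBSTOR_PREFIX = "\\??\\USBSTOR#".encode("utf-16-le")


def usb_mount_map(mounted_devices: dict) -> dict:
    """Map each USB disk (by iSerial) to its drive letters and Volume GUIDs."""
    result = {}
    for value_name, data in mounted_devices.items():
        if not data.startswith(USBSTOR_PREFIX):
            continue          # fixed disks hold a binary disk-signature + offset blob
        path = data.decode("utf-16-le").rstrip("\x00")
        fields = parse_usbstor_path(path)
        entry = result.setdefault(fields["serial"], {
            "vendor": fields["vendor"], "product": fields["product"],
            "drive_letters": [], "volume_guids": []})
        if value_name.startswith("\\DosDevices\\"):
            entry["drive_letters"].append(value_name.rsplit("\\", 1)[1])
        elif value_name.startswith("\\??\\Volume{"):
            entry["volume_guids"].append(value_name[len("\\??\\Volume{"):-1])
    return result


# --- constructed sample data, shaped like the slides' values -----------------
USB_PATH = ("\\??\\USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07"
            "#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")

MOUNTED_DEVICES = {
    # placeholder fixed disk: 4-byte MBR signature + 8-byte partition offset
    "\\DosDevices\\C:": b"\x12\x34\x56\x78" + (1048576).to_bytes(8, "little"),
    "\\DosDevices\\E:": USB_PATH.encode("utf-16-le"),
    "\\??\\Volume{378922d0-8d6c-11e1-aebf-a4badb0193d2}": USB_PATH.encode("utf-16-le"),
}

EMDMGMT_NAMES = [
    "_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370"
    "&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_3323739785",
    "_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370"
    "&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}NEW_LABEL_2800047353",
]

if __name__ == "__main__":
    for serial, info in usb_mount_map(MOUNTED_DEVICES).items():
        print(serial, info)
    for name in EMDMGMT_NAMES:
        r = parse_emdmgmt_name(name)
        print(r["label"], r["volume_serial_dec"], r["volume_serial_hex"])
```

Two EMDMgmt entries with the same iSerial but different label/serial pairs, as here, indicate the volume was re-formatted or re-labelled; each subkey's last-write time dates the first insertion of that particular volume, which is why the slides read it as a first-insertion date.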

44 HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices – LAST WRITE will change on re-format; FriendlyName contains Volume Label or Drive letter. Example subkey: WPDBUSENUMROOT#UMB#2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_FLASH&PROD_DRIVE_AU_USB20&REV_8.07#K0903000000000021370&0#

45 NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2: contains Volume GUID entries for volumes mounted while the profile was logged in. Last Written = last insertion before a reboot. Can assist in attributing the USB device to a User Profile.

46 NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

47 REGISTRY REVIEW – HKLM\System\{CurrentControlSet}\Enum\USB and HKLM\System\{CurrentControlSet}\Enum\USBSTOR: Vendor ID, Product ID; Manufacturer, Product; iSerial; First Insertion; Last Insertion (Windows 7 only)

48 REGISTRY REVIEW – MountedDevices (System hive): Drive Letter; Volume GUID. MountPoints2 (NTUSER.DAT): identify active profile during insertion; an insertion date (Win 7); last insertion (XP)

49 Setupapi.log / Setupapi.dev.log: C:\Windows\Setupapi.log (WinXP); C:\Windows\inf\Setupapi.dev.log (Win7, Vista). Provides first insertion date. Contains enough information to identify the device. Date is less transient – text based.

50 C:\Windows\inf\Setupapi.dev.log – Windows 7
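To show how the first-insertion date is pulled out of setupapi.dev.log, here is an added Python example (not the presentation's own material, and not the Woanware tool shown on the following slides). The log excerpt is constructed in the section layout Windows 7 writes to C:\Windows\inf\setupapi.dev.log, using the iSerial and VID/PID quoted on the slides; the timestamps in this log are local time, which is why the Woanware output later marks the install time "(Local)".

```python
"""Recover a USB device's first-install time from setupapi.dev.log (Windows 7).

Added example; not from the presentation. SAMPLE_LOG is a constructed excerpt in
the Windows 7 section layout; timestamps are local time, not UTC.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_058F&PID_6387\\K0903000000000021370]
>>>  Section start 2012/04/23 10:50:51.902
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2012/04/23 10:50:53.290
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07\\K0903000000000021370&0]
>>>  Section start 2012/04/23 10:50:53.318
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
     dvi:                  {Build Driver List} 10:50:53.334
<<<  Section end 2012/04/23 10:50:55.208
<<<  [Exit status: SUCCESS]
"""

SECTION_RE = re.compile(r"^>>>\s+\[Device Install \((?P<kind>[^)]*)\) - (?P<instance>.+?)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXIT_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>[A-Z_]+)\]")


def parse_setupapi(text: str) -> list:
    """Return one record per 'Device Install' section: instance id, kind,
    section start time (local) and exit status."""
    records, current = [], None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = {"instance": m["instance"], "kind": m["kind"],
                       "start": None, "status": None}
            records.append(current)
        elif current and current["start"] is None and (m := START_RE.match(line)):
            current["start"] = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
        elif current and (m := EXIT_RE.match(line)):
            current["status"] = m["status"]
            current = None          # nested driver sections are ignored
    return records


def first_install(records: list, serial: str):
    """Earliest USBSTOR install whose device-instance id carries the iSerial."""
    hits = [r["start"] for r in records
            if r["instance"].upper().startswith("USBSTOR\\")
            and serial in r["instance"] and r["start"] is not None]
    return min(hits) if hits else None


if __name__ == "__main__":
    recs = parse_setupapi(SAMPLE_LOG)
    for r in recs:
        print(r["start"], r["status"], r["instance"])
    print("first USBSTOR install:", first_install(recs, "K0903000000000021370"))
```

The USB\VID_xxxx&PID_xxxx section is logged first (the bus-level device), followed by the USBSTOR section for the disk; both carry the iSerial, so either can identify the device, but the USBSTOR one is the value the Woanware output reports as the install time.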

51 Woanware – USB Device Forensics: www.woanware.co.uk

52 Woanware USB Device Forensics – a closer look at the output: Vendor: Ven_FLASH; Product: Prod_Drive_AU_USB20; Version: Rev_8.07; Serial No: K0903000000000021370

53 Woanware USB Device Forensics – EMDMgmt Date/Time: 04/24/12 2:31:50 PM (UTC); EMDMgmt Volume Serial No: 2800047353; EMDMgmt Volume Serial No (Hex): A6E554F9; EMDMgmt Volume Name: NEW_LABEL. EMDMgmt Date/Time: 04/23/12 5:50:55 PM (UTC); EMDMgmt Volume Serial No: 3323739785; EMDMgmt Volume Serial No (Hex): C61C3E89; EMDMgmt Volume Name: VOL_LABEL

54 Woanware USB Device Forensics – VID: VID_058F; PID: PID_6387; ParentIdPrefix: (none); Drive Letter: (none); Volume Name: (none); GUID: 378922d0-8d6c-11e1-aebf-a4badb0193d2; MountPoint: USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

55 Woanware USB Device Forensics – Install Date/Time: 23/04/2012 10:50:53 (Local) (setupapi.dev.log); USBSTOR Date/Time: Tuesday, April 24, 2012 22:35:59 Z (UTC); DeviceClasses Date/Time (53f56307-b6bf-11d0-94f2-00a0c91efb8b): Tuesday, April 24, 2012 22:35:59 Z (UTC); DeviceClasses Date/Time (10497b1b-ba51-44e5-8318-a65c837b6661): Monday, April 23, 2012 17:50:57 Z (UTC); Enum\USB VIDPID Date/Time: Tuesday, April 24, 2012 22:35:59 Z (UTC); MountPoints2 Date/Time: Tuesday, April 24, 2012 22:35:59 Z (UTC) (File: ntuser.dat)

56 Event Logs: entries available in Vista, Win7 System logs; Event IDs 20001, 20003, 24576, 24577

57 Event Logs

58 Link Files

59 Volume Shadow Copy / Restore Point: Volume Shadow Copy (Vista, Windows 7) – complete copies of the volume including registry, links etc. Restore Point (WinXP) – copies of registry files. Relatively inaccessible to the user.

60 Keyword Search: Volume Serial Number – Link Files, Prefetch entries indicating an executable run from USB; Volume Label – Link Files, MRU lists in the registry; iSerial Number – deleted registry strings from USB, USBSTOR, MountedDevices and Device Class entries.
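A keyword search for a volume serial has to cover every form the value takes on disk: hex text, hyphenated hex, the decimal form used in EMDMgmt names, UTF-16LE copies of each (registry hives store strings that way), and the raw 4-byte little-endian integer that link files and Prefetch volume records carry. The Python below is an added example (not from the presentation) that builds those variants for the serial on slide 42 and runs them over a small constructed buffer standing in for unallocated space; the buffer contents and the offsets are constructed for the demonstration.

```python
"""Generate keyword variants for a volume serial and search a byte buffer.

Added example; not from the presentation. SAMPLE_UNALLOCATED is a constructed
stand-in for unallocated space, seeded with two forms of the slide's serial.
"""
import struct


def serial_keywords(hex_serial: str) -> dict:
    """Every on-disk form a 32-bit volume serial can take, keyed by a label."""
    value = int(hex_serial, 16)
    upper = f"{value:08X}"
    text_forms = {
        "hex": upper,
        "hex_lower": upper.lower(),
        "hex_hyphen": f"{upper[:4]}-{upper[4:]}",      # as 'vol' and dir listings show it
        "decimal": str(value),                         # as EMDMgmt subkey names store it
    }
    keywords = {}
    for label, text in text_forms.items():
        keywords[label] = text.encode("ascii")
        keywords[label + "_utf16"] = text.encode("utf-16-le")   # registry hive strings
    keywords["raw_le"] = struct.pack("<I", value)      # link file / Prefetch volume record
    return keywords


def search_buffer(buffer: bytes, keywords: dict) -> list:
    """Return sorted (offset, label) pairs for every keyword hit in buffer."""
    hits = []
    for label, needle in keywords.items():
        pos = buffer.find(needle)
        while pos != -1:
            hits.append((pos, label))
            pos = buffer.find(needle, pos + 1)
    return sorted(hits)


# constructed unallocated-space sample: raw LE serial at offset 16, a UTF-16LE
# EMDMgmt-style name at offset 32 (its decimal serial starts at offset 52),
# and an unrelated serial at offset 80 that must not match
SAMPLE_UNALLOCATED = (
    b"\x00" * 16
    + struct.pack("<I", 0xC61C3E89)
    + b"\x00" * 12
    + "VOL_LABEL_3323739785".encode("utf-16-le")
    + b"\x00" * 8
    + b"Serial 9885-323F"
)

if __name__ == "__main__":
    for offset, label in search_buffer(SAMPLE_UNALLOCATED, serial_keywords("C61C3E89")):
        print(f"offset {offset:#06x}: {label}")
```

The raw_le form is only four bytes, so on a real image it will produce chance hits; treat it as a lead to be confirmed against the surrounding structure (a link file header or Prefetch volume block), while the text forms are specific enough to act on directly.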

61 Thank You – Colin Cree, EFS e-Forensic Service Inc., colin@e-forensic.ca. A special thank you to those in the computer forensic community who share their discoveries in blogs, lists, papers and books for the benefit of us all!

