
Tracking USB Devices – Windows 7


Presentation Transcript


  1. Tracking USB Devices – Windows 7 Colin Cree EFS e-Forensic Services Inc. colin@e-forensic.ca

  2. USB storage devices • Large capacity • Cheap • Plug & Play • Easy to carry / conceal • Convenient • Availability of portable apps

  3. USB storage devices • 4 GB thumb drives are presently selling for as little as $4.49 • 32 GB models are presently selling for as little as $19.99

  4. USB drives have been used for: • Storing illicit data • Theft of proprietary data • Distribution of malware • Running applications

  5. Analysis of USB storage devices involves: • Identification • Attribution

  6. Agenda • Identifying USB storage devices • Tracking USB storage devices on Windows 7 • Collecting artifacts to identify an unknown device • Determining the usage of a known USB storage device

  7. Processing an unknown USB storage device

  8. Processing USB storage devices • Record what you see • Collect firmware information • Record volume information

  9. Take photographs and good notes. Example from the slide: one black and red external USB storage drive, Make: "Buffalo", Model: HD-PE500U2, Serial: 45508390901080

  10. Collection of USB storage device firmware fields

  11. Collect firmware information (the fields of the USB device descriptor and its string descriptors) • iSerialNumber • idVendor • idProduct • iManufacturer • iProduct

  12–13. Write blocking • Use hardware or software write blocking before the device is attached to the examining system

  14. Write blocking – Windows Registry • HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies • Write protect off: "WriteProtect"=dword:00000000 • Write protect on: "WriteProtect"=dword:00000001 • This is a software control inside the examining system's storage stack, so validate it against a known scratch disk before relying on it for evidence

  15. Write blocking – FastBloc SE • Three modes: Write Protected, Write Blocked, None

  16. Disable AutoPlay • Run GPEDIT.MSC • Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies • Double-click "Turn off AutoPlay", select Enabled and apply

  17. USBView.exe – Microsoft's USB Device Viewer (also distributed at www.ftdichip/Resources/utilities.htm)

  18. Microsoft's USB Device Viewer (screenshot)

  19. (screenshot of USB Device Viewer output)

  20. Record the volume serial number (9885323f in the screenshot). Where it sits in the Volume Boot Record, stored little-endian: • FAT32 – offset 67 (0x43), 4 bytes • NTFS – offset 72 (0x48), 8 bytes • FAT16 – offset 39 (0x27), 4 bytes (FAT12 uses the same offset)

  21. Summary • Photograph and take notes • Turn off AutoPlay / autorun on the examining system • Write block, then insert the storage device • Collect firmware information • Collect the volume serial number
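The following script is an added example, not code from the presentation: it reads the volume serial from a volume boot record at the offsets slide 20 lists (FAT12/16 at 0x27, FAT32 at 0x43, NTFS at 0x48), classifying the sector first so the right offset and width are used. It expects the first sector of the volume, not the MBR; the boot sectors it runs against are constructed inside the script and carry only the fields the parser inspects.

```python
"""Read the volume serial number from a volume boot record (VBR).

Added example for the offsets on slide 20; not code from the presentation.
Input is the first 512-byte sector of the *volume* (seek to the partition
start in a physical image, or image the partition directly).
"""
import struct

# file system -> (offset of the serial, width in bytes); all little-endian
SERIAL_OFFSETS = {
    "FAT12": (0x27, 4),
    "FAT16": (0x27, 4),
    "FAT32": (0x43, 4),
    "NTFS": (0x48, 8),
}


def detect_filesystem(vbr: bytes) -> str:
    """Classify a boot sector by its OEM ID / file-system type string.

    NTFS puts "NTFS    " at 0x03.  FAT volumes carry a type string at 0x36
    (FAT12/FAT16 layout) or 0x52 (FAT32 layout).  The string is informational
    only; a production tool would also derive the type from the cluster count.
    """
    if len(vbr) < 512:
        raise ValueError("need at least one 512-byte sector")
    if vbr[3:11] == b"NTFS    ":
        return "NTFS"
    if vbr[0x52:0x5A] == b"FAT32   ":
        return "FAT32"
    fat_type = vbr[0x36:0x3E]
    if fat_type == b"FAT12   ":
        return "FAT12"
    if fat_type in (b"FAT16   ", b"FAT     "):
        return "FAT16"
    raise ValueError("unrecognised boot sector")


def volume_serial(vbr: bytes) -> str:
    """Return the serial as upper-case hex: 8 digits for FAT, 16 for NTFS."""
    fs = detect_filesystem(vbr)
    offset, size = SERIAL_OFFSETS[fs]
    fmt = "<I" if size == 4 else "<Q"
    (value,) = struct.unpack(fmt, vbr[offset:offset + size])
    return f"{value:0{size * 2}X}"


def make_test_vbr(fs: str, serial: int) -> bytes:
    """Constructed boot sector carrying `serial`; test scaffolding only.

    Only the type string, the serial field and the 0x55AA signature are
    filled in, so this is not a mountable file system.
    """
    sector = bytearray(512)
    sector[510:512] = b"\x55\xAA"
    if fs == "NTFS":
        sector[3:11] = b"NTFS    "
    elif fs == "FAT32":
        sector[0x52:0x5A] = b"FAT32   "
    else:
        sector[0x36:0x3E] = fs.ljust(8).encode()
    offset, size = SERIAL_OFFSETS[fs]
    sector[offset:offset + size] = serial.to_bytes(size, "little")
    return bytes(sector)


if __name__ == "__main__":
    # 0x9885323F is the serial shown on slide 20; the other values are made up.
    for fs, sn in [("FAT32", 0x9885323F), ("FAT16", 0xC61C3E89),
                   ("NTFS", 0x1A2B3C4D5E6F7081)]:
        print(fs, volume_serial(make_test_vbr(fs, sn)))
```

Against a real image, read 512 bytes at the partition's starting LBA and pass them to `volume_serial`; the hex string it returns is what `vol`/`dir` print (with a hyphen inserted) and what the EMDMgmt key names on slides 41-43 store in decimal.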

  22. Windows 7 USB artifacts

  23. Two scenarios • Determining usage of a known USB storage device on a computer system or systems • Collecting identifiers of an unknown USB storage device from a computer system

  24. Artifacts by Windows version
  • Win XP: Setupapi.log, Restore points, SYSTEM registry hive, current-user registry hive (NTUSER.DAT), link files, MRU lists, Prefetch, $LogFile, pagefile, unallocated space
  • Vista / Win 7: Setupapi.dev.log, Event logs, Volume Shadow Copies, together with the SYSTEM hive, NTUSER.DAT, link files, MRU lists, Prefetch, $LogFile, pagefile and unallocated space

  25. HKEY_LOCAL_MACHINE (HKLM) keys of interest: Control\DeviceClasses, Enum\USB, Enum\USBSTOR, Enum\STORAGE\Volume, Enum\WpdBusEnumRoot\UMB. In an offline SYSTEM hive there is no CurrentControlSet link; read HKLM\SYSTEM\Select\Current to find which ControlSet00N to use.

  26–27. HKLM\SYSTEM\{CurrentControlSet}\Enum\USBSTOR (screenshots)

  28. HKLM\SYSTEM\{CurrentControlSet}\Enum\USBSTOR – last-written times • The Disk&Ven_…&Prod_…&Rev_… key: time the last USB storage device of this make/model was first inserted (a key's last-write time updates when a subkey is created under it) • The device's unique-identifier (serial) subkey: an insertion date • Its Device Parameters / LogConf subkeys: first insertion date

  29. USBSTOR – ParentIdPrefix • Win XP and earlier • A unique identifier assigned to the device by Windows (Vista and Win 7 do not use it; they key on the USBSTOR unique identifier directly)

  30–31. HKLM\SYSTEM\{CurrentControlSet}\Enum\USB (screenshots)

  32. HKLM\SYSTEM\{CurrentControlSet}\Enum\USB – last-written times • The VID_…&PID_… key: time the last USB device of this class was first inserted • The device's serial-number subkey: Win 7 – last insertion (Vista & XP – time of an insertion) • Its Device Parameters / LogConf subkeys: first insertion date

  33. Summary USB/USBSTOR – identifiers collected from the USB and USBSTOR keys • Vendor ID • Product ID • iSerialNumber • Manufacturer • Product

  34. Summary USB/USBSTOR – insertion dates • First insert = last-written time of the LogConf and Device Parameters subkeys • Last insert = last-written time of the device's unique-identifier key under the USB key (Win 7) • Other interim insertion dates are possible: the device's unique-identifier key under the USBSTOR key

  35. HKLM\SYSTEM\{CurrentControlSet}\Enum\STORAGE\Volume – subkey names embed the USBSTOR instance path (_??_USBSTOR#…); the slide's callouts mark an insertion date and the first insertion date

  36. HKLM\SYSTEM\{CurrentControlSet}\Enum\WpdBusEnumRoot\UMB – the "FriendlyName" value holds the volume label or the drive letter

  37. HKLM\SYSTEM\{CurrentControlSet}\Control\DeviceClasses – the following device-interface class GUIDs can contain information about the USB device: • {a5dcbf10-6530-11d2-901f-00c04fb951ed} (USB device) • {53f56307-b6bf-11d0-94f2-00a0c91efb8b} (disk) • {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (volume) • {6ac27878-a6fa-4155-ba85-f98f491d4f33} (Windows Portable Device) • {f33fdc04-d1ac-4e8e-9a30-19bbd4b108ae} • {10497b1b-ba51-44e5-8318-a65c837b6661}

  38. HKLM\SYSTEM\MountedDevices • Maps storage media to drive letters and volume GUIDs • On Vista and Windows 7, USB devices are mapped using the unique identifier from the USBSTOR subkeys • On XP, the ParentIdPrefix value is used to map USB drives to a drive letter and volume GUID • Volume GUIDs survive even when a drive letter is reassigned • USB entries are stored as UTF-16LE text (\??\USBSTOR#…); fixed MBR disks are stored as a 12-byte disk-signature-plus-offset blob instead

  39. HKLM\SYSTEM\MountedDevices – the unique ID from USBSTOR in the mapping to a drive letter (\DosDevices\X: values)

  40. HKLM\SYSTEM\MountedDevices – the unique ID from USBSTOR in the mapping to a volume GUID (\??\Volume{…} values)

  41. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt (ReadyBoost) – subkey name: _??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_3323739785 • Last write = first insertion date • Entries exist only where the ReadyBoost service evaluated the device, so their absence does not prove the device was never attached

  42. The number at the end of the key name is the volume serial in decimal: Vol SN C61C3E89 (hex) = 3323739785 (decimal)

  43. EMDMgmt – two subkeys for the same device instance, distinguished by volume label and serial (a reformat gives the volume a new serial, so the old entry stays behind): _??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_3323739785 and _??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}NEW_LABEL_2800047353

  44. HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices – subkey: WPDBUSENUMROOT#UMB#2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_FLASH&PROD_DRIVE_AU_USB20&REV_8.07#K0903000000000021370&0# • FriendlyName contains the volume label or drive letter • Last write will change on re-format

  45–46. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 • Contains volume GUID entries for volumes mounted while the profile was logged in • Last written = last insertion before a reboot • Can assist in attributing the USB device to a user profile: match the {GUID} subkey against the \??\Volume{GUID} entries in MountedDevices

  47. Registry review • HKLM\SYSTEM\{CurrentControlSet}\Enum\USB and HKLM\SYSTEM\{CurrentControlSet}\Enum\USBSTOR • Vendor ID, Product ID • Manufacturer, Product • iSerialNumber • First insertion • Last insertion (Windows 7 only)

  48. Registry review • MountedDevices (SYSTEM hive): drive letter, volume GUID • MountPoints2 (NTUSER.DAT): identify the active profile during insertion; an insertion date (Win 7); last insertion (XP)

  49. Setupapi.log / Setupapi.dev.log • C:\Windows\Setupapi.log – Win XP • C:\Windows\inf\Setupapi.dev.log – Win 7, Vista • Provides the first insertion (driver installation) date, in the local time of the examined system • Contains enough information to identify the device • The date is less transient than a registry last-write time: it is a plain-text log entry that later insertions of the same device do not rewrite

  50. C:\Windows\inf\Setupapi.dev.log – Windows 7 (screenshot)
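As an added example (not code from the presentation), the script below pulls first-installation timestamps for USB storage devices out of a Windows 7 setupapi.dev.log, the artifact slides 49-50 describe. A device install is logged as a ">>>  [Device Install (Hardware initiated) - USBSTOR\...]" header followed by a ">>>  Section start YYYY/MM/DD hh:mm:ss.fff" line; the parser pairs the two, keeps the earliest time per instance path, and ignores the STORAGE\VOLUME sections that follow each disk install. The log excerpt it runs on is constructed here, modelled on the real layout, with the instance path from slides 41-44 and a second, made-up device.

```python
"""First-insertion times for USB storage devices from setupapi.dev.log.

Added example; not code from the presentation.  Timestamps in the log are
the examined system's local time.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log (Windows 7 layout).  The FLASH drive's instance path
# is the one printed on slides 41-44; the Kingston entry is made up.
SAMPLE_LOG = r""">>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07\K0903000000000021370&0]
>>>  Section start 2011/03/15 10:22:33.441
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2011/03/15 10:22:36.102
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - STORAGE\VOLUME\_??_USBSTOR#DISK&VEN_FLASH&PROD_DRIVE_AU_USB20&REV_8.07#K0903000000000021370&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}]
>>>  Section start 2011/03/15 10:22:36.118
<<<  Section end 2011/03/15 10:22:37.009
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\001CC0EC34E6BB80A0000015&0]
>>>  Section start 2011/04/02 08:01:10.003
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2011/04/02 08:01:12.870
<<<  [Exit status: SUCCESS]
"""

_HEADER_RE = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<path>USBSTOR\\[^\]]+)\]")
_START_RE = re.compile(
    r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def first_installs(log_text: str) -> Dict[str, datetime]:
    """Map each USBSTOR instance path to its earliest 'Section start' time."""
    installs: Dict[str, datetime] = {}
    pending = None                       # instance path awaiting its timestamp
    for line in log_text.splitlines():
        h = _HEADER_RE.match(line)
        if h:
            pending = h.group("path")
            continue
        if pending is None:
            continue
        s = _START_RE.match(line)
        if s:
            ts = datetime.strptime(s.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            installs.setdefault(pending, ts)   # keep the earliest if re-installed
            pending = None
    return installs


def serial_of(instance_path: str) -> str:
    """'USBSTOR\\Disk&...\\<serial>&<n>' -> '<serial>' (the USB iSerialNumber)."""
    return instance_path.rsplit("\\", 1)[1].rsplit("&", 1)[0]


def first_insertion_report(log_text: str) -> List[Tuple[str, str, str]]:
    """(serial, instance path, ISO timestamp) per device, earliest first."""
    rows = [(serial_of(p), p, ts.isoformat()) for p, ts in first_installs(log_text).items()]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for serial, path, when in first_insertion_report(SAMPLE_LOG):
        print(when, serial, path)
```

Point `first_insertion_report` at the text of C:\Windows\inf\setupapi.dev.log from the evidence image and compare the serials it lists with the USBSTOR subkeys from the registry: a serial present here but missing from USBSTOR is a device whose registry trace was removed, and the log keeps the first-insertion time regardless of later registry updates.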
