Forensic Tracking of USB Devices-Cree-5-22

Tracking USB Devices – Windows 7
Colin Cree
EFS e-Forensic Services Inc.
[email protected]
USB storage devices
• Large capacity
• Cheap
• Plug & Play
• Easy to carry / conceal
• Convenient
• Availability of portable apps
USB storage devices
4 GB thumb drives are presently selling for as little as $4.49.
32 GB models are presently selling for as little as $19.99.
USB Drives have been used for:
• Storing illicit data
• Theft of proprietary data
• Distribution of malware
• Running applications
Analysis of USB storage devices involves:
Identification
Attribution
• Identifying USB storage devices.
• Tracking USB storage devices on Windows 7.
   Collecting artifacts to identify an unknown device.
   Determining the usage of a known USB storage device.
Processing an unknown USB storage device.
Processing USB storage devices.
• Record what you see.
• Collect firmware information.
• Record volume information.
Take photographs and good notes, e.g.:
One black and red external USB storage drive.
Make: “Buffalo”, Model: HD-PE500U2, Serial: 45508390901080
Collection of USB storage device firmware fields
Collect Firmware Information (USB device descriptor fields reported by the device itself)
• iSerialNumber
• idVendor
• idProduct
• iManufacturer
• iProduct
Write Blocking
• Use hardware or software write blocking.
Write Blocking – Windows Registry
HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
Write protect off: “WriteProtect”=dword:00000000
Write protect on:  “WriteProtect”=dword:00000001
This is a policy setting on the examining system, not a hardware block: set it and confirm with a test drive that writes are refused before attaching evidence media.
Write Blocking – FastBloc SE
Three modes:
1. Write Protected
2. Write Blocked
3. None
Disable AutoPlay
Run GPEDIT.MSC and navigate to:
Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies
Double-click “Turn off Autoplay”, select Enabled and apply.
Microsoft’s USB Device Viewer (Usbview.exe)
Displays the descriptor fields (idVendor, idProduct, iManufacturer, iProduct, iSerialNumber) of each attached USB device.
www.ftdichip.com/Resources/utilities.htm
Microsoft’s USB Device Viewer (screenshots)
Record Volume serial number
Volume Boot Record offsets:
 FAT32 – offset 67, 4 bytes
 NTFS – offset 72, 8 bytes
 FAT16 – offset 39, 4 bytes
Example value from the slide’s hex view: 9885323f
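As an added example (not code from the slides), the following Python reads the volume serial from a raw boot sector at the offsets listed above, identifies the filesystem from the sector itself, and renders the serial the way Windows displays it. The three sample sectors are constructed: the FAT32 one carries the slide’s 9885323f, the FAT16 one carries C61C3E89 (the serial of the FLASH drive used later in the deck), and the NTFS value is made up.

```python
"""Volume serial number from a volume boot record (VBR).

Added example, not from the original slides. Offsets are those given in the
deck: FAT16 -> offset 39 (4 bytes), FAT32 -> offset 67 (4 bytes),
NTFS -> offset 72 (8 bytes). The sample sectors are constructed.
"""
import struct

SECTOR = 512


def detect_filesystem(vbr):
    """Identify the filesystem from the VBR itself rather than trusting the OS.

    NTFS puts "NTFS    " in the OEM field at offset 3. FAT32 stores zero in
    the 16-bit sectors-per-FAT field at offset 22; FAT12/16 store a non-zero
    value there (the deck only covers FAT16, so that is what is reported).
    """
    if vbr[3:11] == b"NTFS    ":
        return "NTFS"
    (sectors_per_fat16,) = struct.unpack_from("<H", vbr, 22)
    return "FAT32" if sectors_per_fat16 == 0 else "FAT16"


def volume_serial(vbr):
    """Return (filesystem, serial as upper-case hex) for a 512-byte VBR.

    The serial is stored little-endian, so the bytes seen in a hex editor are
    reversed relative to the value Windows prints. NTFS returns all 8 bytes.
    """
    if len(vbr) < SECTOR or vbr[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector: short read or missing 55 AA signature")
    fs = detect_filesystem(vbr)
    if fs == "NTFS":
        (serial,) = struct.unpack_from("<Q", vbr, 72)
        return fs, f"{serial:016X}"
    offset = 67 if fs == "FAT32" else 39
    (serial,) = struct.unpack_from("<I", vbr, offset)
    return fs, f"{serial:08X}"


def display_serial(serial_hex):
    """The XXXX-XXXX form shown by `dir`/`vol`: for NTFS this is the low DWORD
    of the 8-byte serial, which is also the 32-bit value link files record."""
    low = serial_hex[-8:]
    return f"{low[:4]}-{low[4:]}"


def make_fat_vbr(kind, serial):
    """Constructed minimal FAT16/FAT32 boot sector carrying `serial`."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x3C\x90"              # jump over the BPB
    sec[3:11] = b"MSDOS5.0"                 # OEM name
    struct.pack_into("<H", sec, 11, 512)    # bytes per sector
    sec[510:512] = b"\x55\xAA"              # boot sector signature
    if kind == "FAT16":
        struct.pack_into("<H", sec, 22, 0xF8)   # sectors per FAT: non-zero on FAT16
        struct.pack_into("<I", sec, 39, serial)
        sec[54:62] = b"FAT16   "
    else:
        struct.pack_into("<H", sec, 22, 0)      # zero on FAT32 (it uses offset 36)
        struct.pack_into("<I", sec, 67, serial)
        sec[82:90] = b"FAT32   "
    return bytes(sec)


def make_ntfs_vbr(serial):
    """Constructed minimal NTFS boot sector carrying an 8-byte `serial`."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x52\x90"
    sec[3:11] = b"NTFS    "
    struct.pack_into("<H", sec, 11, 512)
    struct.pack_into("<Q", sec, 72, serial)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


# Constructed samples: the FAT32 sector carries the slide's 9885323f, the FAT16
# sector the deck's C61C3E89 (3323739785 decimal in EMDMgmt); NTFS is made up.
SAMPLE_FAT32 = make_fat_vbr("FAT32", 0x9885323F)
SAMPLE_FAT16 = make_fat_vbr("FAT16", 0xC61C3E89)
SAMPLE_NTFS = make_ntfs_vbr(0x1122334455667788)

if __name__ == "__main__":
    for name, sec in (("FAT32", SAMPLE_FAT32), ("FAT16", SAMPLE_FAT16), ("NTFS", SAMPLE_NTFS)):
        fs, serial = volume_serial(sec)
        print(f"{name:5s} -> {fs:5s} serial {serial} (shown as {display_serial(serial)})")
```

Feed `volume_serial()` the first 512 bytes of the volume (not of the physical disk: on a partitioned device the VBR sits at the partition start). The hex value it returns is what you compare against the decimal serial in the EMDMgmt key names discussed later.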
Summary
• Photograph and take notes
• Turn off AutoPlay on the examining system
• Write block, then insert the storage device
• Collect firmware information
• Collect the volume serial number
Windows 7 USB artifacts
Two Scenarios
• Determining usage of a known USB storage device on a computer system or systems.
• Collecting identifiers of an unknown USB storage device from a computer system.
Artifact sources by Windows version
WinXP only:
 Setupapi.log
 Restore points
All versions (XP, Vista, Win7):
 System registry hive
 Current user registry hive (NTUSER.DAT)
 Link files, MRU lists, Prefetch
 $LogFile, pagefile, unallocated space
Vista and Win7:
 Setupapi.dev.log
 Event logs, Volume Shadow Copies
HKEY_LOCAL_MACHINE (HKLM) keys of interest:
 DeviceClasses
 USB
 USBSTOR
 STORAGE\Volume
 WpdBusEnumRoot\UMB
HKLM\System\{CurrentControlSet}\Enum\USBSTOR
Last-written times of the USBSTOR subkeys:
 Device class key (Disk&Ven_…&Prod_…&Rev_…): time the last USB device of this class was first inserted
 Device instance key (unique identifier / iSerial): an insertion date
 Its Device Parameters and LogConf subkeys: first insertion date
USBSTOR – ParentIdPrefix
• Win XP and earlier.
• Unique identifier assigned to the device; on XP it is the value that links the USBSTOR entry to MountedDevices.
HKLM\System\{CurrentControlSet}\Enum\USB
Last-written times of the USB subkeys:
 VID_xxxx&PID_xxxx key: time the last USB device of this class was first inserted
 Device instance key (iSerial): Win7 – last insertion (Vista & XP – time of an insertion)
 Its Device Parameters and LogConf subkeys: first insertion date
Summary USB/USBSTOR
USB key:
 Vendor ID
 Product ID
 iSerial Number
USBSTOR key:
 Manufacturer
 Product
 iSerial Number
Summary USB/USBSTOR
Insertion dates:
First insert = last-written time of the LogConf and Device Parameters subkeys.
Last insert = last-written time of the device’s unique identifier subkey under the USB key (Win7).
Other interim insertion dates are possible (device’s unique identifier subkey under the USBSTOR key).
HKLM\SYSTEM\{CurrentControlSet}\Enum\STORAGE\Volume
Last-written times here likewise give an insertion date and the first insertion date.
HKLM\SYSTEM\{CurrentControlSet}\Enum\WpdBusEnumRoot\UMB
“FriendlyName” holds the volume label or the drive letter.
HKLM\System\{CurrentControlSet}\Control\DeviceClasses
The following device class GUIDs can contain information relative to the USB device:
{a5dcbf10-6530-11d2-901f-00c04fb951ed} – USB device interface
{53f56307-b6bf-11d0-94f2-00a0c91efb8b} – disk interface
{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} – volume interface
{6ac27878-a6fa-4155-ba85-f98f491d4f33} – Windows Portable Devices interface
{f33fdc04-d1ac-4e8e-9a30-19bbd4b108ae}
{10497b1b-ba51-44e5-8318-a65c837b6661}
HKLM\System\MountedDevices
• Maps storage media to drive letters and volume GUIDs.
• On Vista and Windows 7 USB devices are mapped using the unique identifier from the USBSTOR subkeys.
• On XP the ParentIdPrefix value is used to map USB drives to a drive letter and volume GUID.
• Volume GUIDs survive even when a drive letter is reassigned.
Screenshots: the unique ID from USBSTOR appearing in the MountedDevices mapping to a drive letter, and in the mapping to a volume GUID.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_3323739785
Key name = device instance path + volume label + volume serial number (in decimal).
Last write = first insertion date.
Volume serial C61C3E89 (hex) = 3323739785 (decimal)
Two EMDMgmt entries for the same device, each with its own volume label and volume serial (e.g. after a re-format):
_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}VOL_LABEL_3323739785
_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}NEW_LABEL_2800047353
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices
WPDBUSENUMROOT#UMB#2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_FLASH&PROD_DRIVE_AU_USB20&REV_8.07#K0903000000000021370&0#
FriendlyName contains the volume label or drive letter.
Last write: changes on re-format.
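The USBSTOR, MountedDevices, EMDMgmt and Windows Portable Devices entries above all carry the same device instance path in slightly different encodings. As an added example (not code from the slides or from the Woanware tool mentioned later), the Python below parses that path into vendor, product, revision and iSerial, splits the EMDMgmt key name into volume label and decimal serial (converting to the hex form found in the VBR), decodes MountedDevices values, and correlates drive letters and volume GUIDs back to one iSerial. The sample values are constructed around the deck’s FLASH drive (iSerial K0903000000000021370, volume GUID 378922d0-8d6c-11e1-aebf-a4badb0193d2); the fixed-disk MountedDevices value and the Windows-generated serial are made up.

```python
"""Parse and correlate Windows 7 USB storage identifiers from the registry.

Added example, not from the original slides or the Woanware tool. It handles:
  * a USBSTOR device instance path (Ven_/Prod_/Rev_ and the iSerial), in the
    backslash registry form or the '#'-joined form used by MountedDevices,
    EMDMgmt, DeviceClasses and Windows Portable Devices;
  * an EMDMgmt subkey name (volume label + volume serial in DECIMAL);
  * a MountedDevices value (UTF-16LE device path for USB volumes).
Sample values are constructed around the deck's FLASH drive.
"""
import re
import struct

USBSTOR_RE = re.compile(
    r"USBSTOR[#\\]Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^#\\]*)"
    r"[#\\](?P<instance>[^#\\]+)",
    re.IGNORECASE,
)
EMDMGMT_TAIL_RE = re.compile(r"\}(?P<label>.*)_(?P<dec>\d+)$")


def parse_usbstor(text):
    """Extract vendor, product, revision and iSerial from a USBSTOR path.

    A '&' as the second character of the serial (e.g. "7&2a1b3c4d&0") means
    Windows generated it because the device reported no iSerialNumber; such a
    value identifies the port/host combination, not the physical device.
    """
    m = USBSTOR_RE.search(text)
    if not m:
        return None
    fields = m.groupdict()
    serial, _, _suffix = fields.pop("instance").rpartition("&")  # drop the "&0" instance suffix
    fields["serial"] = serial
    fields["serial_from_device"] = not (len(serial) > 1 and serial[1] == "&")
    return fields


def parse_emdmgmt(key_name):
    """Split an EMDMgmt subkey name into device fields, volume label and serial.

    EMDMgmt (ReadyBoost) stores the volume serial as a decimal number; the
    same value appears in hex in the VBR, in link files and in `dir` output.
    """
    fields = parse_usbstor(key_name)
    tail = EMDMGMT_TAIL_RE.search(key_name)
    if fields is None or tail is None:
        return None
    dec = int(tail["dec"])
    fields.update(label=tail["label"], volume_serial_dec=dec, volume_serial_hex=f"{dec:08X}")
    return fields


def decode_mounted_device(value):
    """Interpret one MountedDevices value.

    Volumes on MBR fixed disks use a 12-byte value (4-byte disk signature +
    8-byte partition offset); removable volumes store the device path as a
    UTF-16LE string, which for USB drives embeds the USBSTOR instance path.
    """
    if len(value) == 12:
        sig, offset = struct.unpack("<IQ", value)
        return {"kind": "mbr", "disk_signature": f"{sig:08X}", "partition_offset": offset}
    try:
        path = value.decode("utf-16-le")
    except UnicodeDecodeError:
        return {"kind": "unknown", "raw": value.hex()}
    device = parse_usbstor(path)
    return {"kind": "usbstor" if device else "other", "path": path, "device": device}


def volumes_for_serial(mounted_devices, iserial):
    """Drive letters and volume GUIDs in MountedDevices that belong to one iSerial."""
    hits = []
    for name, value in mounted_devices.items():
        info = decode_mounted_device(value)
        if info.get("device") and info["device"]["serial"].lower() == iserial.lower():
            hits.append(name)
    return sorted(hits)


# Constructed samples modelled on the deck's device (iSerial K0903000000000021370).
DEVICE_PATH = ("_??_USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07#"
               "K0903000000000021370&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0x1A2B3C4D, 0x100000),   # made-up fixed disk
    r"\DosDevices\E:": DEVICE_PATH.encode("utf-16-le"),
    r"\??\Volume{378922d0-8d6c-11e1-aebf-a4badb0193d2}": DEVICE_PATH.encode("utf-16-le"),
}
SAMPLE_EMDMGMT_KEYS = [DEVICE_PATH + "VOL_LABEL_3323739785", DEVICE_PATH + "NEW_LABEL_2800047353"]

if __name__ == "__main__":
    for key in SAMPLE_EMDMGMT_KEYS:
        e = parse_emdmgmt(key)
        print(f'{e["serial"]} label={e["label"]!r} volume serial {e["volume_serial_dec"]} = {e["volume_serial_hex"]}')
    print(volumes_for_serial(SAMPLE_MOUNTED_DEVICES, "K0903000000000021370"))
```

Because the match is case-insensitive, the same `parse_usbstor()` also reads the upper-cased path inside the Windows Portable Devices key. The `serial_from_device` flag is the check to run before treating an iSerial as unique: a Windows-generated serial ties the entry to a port on that host, so the same stick will appear under a different identifier on the next machine.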
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
• Contains volume GUID entries for volumes mounted while the profile was logged in.
• Last written = last insertion before a reboot.
• Can assist in attributing the USB device to a user profile.
Tracking USB Devices – Windows 7
REGISTRY REVIEW
HKLM\System\{Current Control Set}\Enum\USB
HKLM\System\{Current Control Set}\Enum\USBSTOR
 Vendor ID, Product ID
 Manufacturer, Product
 iSerial
 First Insertion
 Last Insertion (Windows 7 only)
REGISTRY REVIEW
Mounted Devices (System hive)
 Drive Letter
 Volume GUID
MountPoints2 (NTUSER.DAT)
 Identify active profile during insertion.
 An insertion date. (Win 7)
 Last insertion (XP)
Setupapi.log / Setupapi.dev.log
• C:\Windows\Setupapi.log – WinXP
• C:\Windows\inf\Setupapi.dev.log – Vista, Win7
• Provides the first insertion date: the driver install is normally logged once, when the device is first seen.
• Contains enough information to identify the device.
• The date is less transient than registry last-write times: the log is plain text and later insertions do not overwrite it.
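As an added example (not code from the slides), the Python below pulls the hardware-initiated device installs out of a Windows 7 setupapi.dev.log and reports the earliest one per USBSTOR instance, which is the first-insertion date the slide describes. SAMPLE_LOG is constructed in the Win7 log layout using the deck’s FLASH drive identifiers (VID_058F, PID_6387, iSerial K0903000000000021370, installed 2012/04/23 10:50:53 local as in the Woanware output later); the Kingston entry and all other details are made up.

```python
"""First-insertion times for USB storage devices from setupapi.dev.log.

Added example, not from the original slides. SAMPLE_LOG is constructed in the
Windows 7 setupapi.dev.log layout using the deck's FLASH drive identifiers
(VID_058F, PID_6387, iSerial K0903000000000021370); the Kingston entry is made up.
Timestamps in this log are local time and carry no time-zone marker.
"""
import re
from datetime import datetime

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<device_id>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")

SAMPLE_LOG = r"""[Device Install Log]
     OS Version = 6.1.7601
     Service Pack = 1.0

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\0019E0000000ABCD&0]
>>>  Section start 2012/04/20 09:12:44.118
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi:                  {Build Driver List} 09:12:44.133
<<<  Section end 2012/04/20 09:12:45.900
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\VID_058F&PID_6387\K0903000000000021370]
>>>  Section start 2012/04/23 10:50:52.891
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi:                  {Build Driver List} 10:50:52.906
<<<  Section end 2012/04/23 10:50:53.312
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_FLASH&Prod_Drive_AU_USB20&Rev_8.07\K0903000000000021370&0]
>>>  Section start 2012/04/23 10:50:53.406
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi:                  {Build Driver List} 10:50:53.422
<<<  Section end 2012/04/23 10:50:55.234
<<<  [Exit status: SUCCESS]
"""


def parse_device_installs(log_text):
    """Return [(device_id, local datetime)] for each hardware-initiated install section.

    The device ID is on the ">>>  [Device Install ...]" line and the time on the
    ">>>  Section start" line that follows it, so the two are paired here.
    """
    installs = []
    pending = None
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            pending = header["device_id"]
            continue
        start = START_RE.match(line)
        if start and pending is not None:
            installs.append((pending, datetime.strptime(start["ts"], "%Y/%m/%d %H:%M:%S.%f")))
            pending = None
    return installs


def usb_storage_first_installs(log_text):
    """Earliest install time per USBSTOR instance path.

    A driver install is normally logged only the first time Windows sees the
    device, which is why this file yields the FIRST insertion; later
    insertions update registry last-write times but add no section here.
    """
    first = {}
    for device_id, ts in parse_device_installs(log_text):
        if device_id.upper().startswith("USBSTOR\\") and (device_id not in first or ts < first[device_id]):
            first[device_id] = ts
    return first


def first_install_for_serial(log_text, iserial):
    """Find the USBSTOR entry whose instance ID starts with the given iSerial."""
    for device_id, ts in sorted(usb_storage_first_installs(log_text).items(), key=lambda kv: kv[1]):
        instance = device_id.rsplit("\\", 1)[-1]
        if instance.lower().startswith(iserial.lower() + "&"):
            return device_id, ts
    return None


if __name__ == "__main__":
    for device_id, ts in sorted(usb_storage_first_installs(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{ts:%Y-%m-%d %H:%M:%S} (local)  {device_id}")
```

The returned datetimes are naive local times; convert them using the examined system’s time zone (from the System hive) before comparing with the UTC registry last-write times, as the Woanware output later does (10:50:53 local against 17:50:57 UTC). Windows archives this log when it grows, so also process any setupapi.dev.*.log copies in the same folder.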
Woanware – USB Device Forensics
www.woanware.co.uk
Woanware USB Device Forensics
A Closer look at the Output…
Vendor: Ven_FLASH
Product: Prod_Drive_AU_USB20
Version: Rev_8.07
Serial No: K0903000000000021370
EMDMgmt Date/Time: 04/24/12 2:31:50 PM (UTC)
EMDMgmt Volume Serial No: 2800047353
EMDMgmt Volume Serial No (Hex): A6E554F9
EMDMgmt Volume Name: NEW_LABEL
EMDMgmt Date/Time: 04/23/12 5:50:55 PM (UTC)
EMDMgmt Volume Serial No: 3323739785
EMDMgmt Volume Serial No (Hex): C61C3E89
EMDMgmt Volume Name: VOL_LABEL
VID: VID_058F
PID: PID_6387
ParentIdPrefix:
Drive Letter:
Volume Name:
GUID: 378922d0-8d6c-11e1-aebf-a4badb0193d2
MountPoint:
USBSTOR#Disk&Ven_FLASH&Prod_Drive_AU_USB20&R
ev_8.07#K0903000000000021370&0#{53f56307-b6bf11d0-94f2-00a0c91efb8b}
Install Date/Time: 23/04/2012 10:50:53 (Local) (setupapi.dev.log)
USBSTOR Date/Time:
Tuesday, April 24, 2012 22:35:59 Z (UTC)
DeviceClasses Date/Time (53f56307-b6bf-11d0-94f2-00a0c91efb8b):
Tuesday, April 24, 2012 22:35:59 Z (UTC)
DeviceClasses Date/Time (10497b1b-ba51-44e5-8318-a65c837b6661):
Monday, April 23, 2012 17:50:57 Z (UTC)
Enum\USB VIDPID Date/Time: Tuesday, April 24, 2012 22:35:59 Z (UTC)
MountPoints2 Date/Time: Tuesday, April 24, 2012 22:35:59 Z (UTC)
(File: ntuser.dat)
Event Logs
Entries available in the Vista and Win7 System log.
Event IDs 20001, 20003, 24576, 24577
Event Logs (screenshot)
Link Files (screenshot)
Volume Shadow Copy : Restore Point
Volume Shadow Copy – Vista, Windows 7
 Complete copies of the volume, including registry hives, link files, etc.
Restore Point – WinXP
 Copies of registry files
 Relatively inaccessible to the user
Keyword Search
Volume serial number:
• Link files
• Prefetch entries indicating an executable run from the USB device
Volume label:
• Link files
• MRU lists in the registry
iSerial number:
• Deleted registry strings from the USB, USBSTOR, MountedDevices and DeviceClasses entries
Thank You
Colin Cree
EFS e-Forensic Services Inc.
[email protected]
A special thank you to those in the computer forensic
community who share their discoveries in blogs, lists,
papers and books for the benefit of us all!