Pitfalls of Interpreting Forensic Artifacts in the Registry

Discussions related to Forensic Focus webinars. Please use the appropriate topic for each webinar.

Re: Pitfalls of Interpreting Forensic Artifacts in the Registry

Posted: Tue Nov 13, 2012 12:26 am

I finally got time to watch the video and am quite impressed. Very interesting and educational. Thank you for sharing your research and knowledge.

Ken

KPryor
Senior Member

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Posted: Tue Nov 13, 2012 6:44 am

- JackyFox
Out of interest, in the hives you have, is a serial number recorded anywhere, or do you believe that a USB storage device was installed without a serial number being registered? If they are sample hives rather than a user's actual hives, I would love to look at them.


The hives in question are from my own system...I've connected several devices to it...specifically, a digital camera and my iTouch...that do not show up under the USBStor key. They do have serial numbers, so it's not a matter of whether or not a serial number was registered.

I think that questions raised by your dissertation can be addressed by taking another look at the process for not only determining devices that were connected to the system, but also for determining which user had access to those devices.

keydet89
Senior Member

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Posted: Tue Nov 13, 2012 4:11 pm

Thanks for coming back on my question. I can't comment on the digital camera as I don't know enough about it and probably wouldn't have that model here anyway. However, I do have several iPods, both iOS and non-iOS. It is my experience that the non-iOS iPods have an option to "enable disk use" so that you can mount them and store files on them. These devices, when disk-enabled, do show up in USBStor. The iOS iPods and iPhones I have don't give this option and don't show up as a storage device or mount as an Explorer volume, hence no entry in USBStor. I know that there are utilities around that will let you mount iOS devices; to date I haven't tested them, but I think in order for Explorer to see them they would probably need to mount in the conventional way and would have an entry in USBStor.

I suppose where I'm going with this is: if I connect a USB keyboard or headset, I'll get an entry in Enum\USB. However, if I attempt to mount a device for storage via Windows Explorer, I would expect an entry in USBStor. Out of interest, did you attempt to download/upload a file to your iPod touch without using iTunes? That would be really interesting if you have done that without mounting the drive. I think I have seen something about using iTunes file sharing to sync data that was made to look as if it was from specific apps; tracking this would have been outside the scope of my research though.

JackyFox
Member

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Posted: Wed Nov 14, 2012 4:18 am

Cannot say if useful, but there are at least two "ways" a USB "camera" or "music player" device can be connected to a Windows NT family OS.

One is the known "Mass Storage Device" or MSC - mass storage class, in which the device behaves exactly as if it was a USB stick or Hard disk - the other one is MTP - Media Transfer Protocol or PTP - Picture Transfer Protocol:
en.wikipedia.org/wiki/...r_Protocol
en.wikipedia.org/wiki/...r_Protocol

Of course USBStor is only connected to MSC-connected devices.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Posted: Wed Nov 14, 2012 1:28 pm

Hi Jaclaz,

Thanks for that.

Do you know if any MTP device registry parsers exist? It would be interesting to pull all the MTP pieces from the registry and correlate them. I think there is data in Windows Portable Devices along with Enum\USB on MTP devices, and I'm sure other areas and device-specific logs too. Still, that's a whole other day's work...

JackyFox
Member

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Posted: Wed Nov 14, 2012 2:28 pm

- JackyFox
Hi Jaclaz,

Thanks for that.

Do you know if any MTP device registry parsers exist? It would be interesting to pull all the MTP pieces from the registry and correlate them. I think there is data in Windows Portable Devices along with Enum\USB on MTP devices, and I'm sure other areas and device-specific logs too. Still, that's a whole other day's work...


I guess you (I, we) opened a can of worms.
There are different settings (seemingly) in XP, Vista and 7 (and let's for the moment keep 8 aside) and in different versions of WMP, see:
msdn.microsoft.com/en-...s.85).aspx
forum.xda-developers.c...?t=1291293
and I guess that the same differences may be reflected in the Registry...

This is also something that may have some relevance :
www.symantec.com/conne...nt-7940181

This is "historical", but could also be of interest:
www.directionsonmicros...msf_sb.htm

It seems like in Windows 7 the good MS guys have somehow "expanded" the protocol with their "Device Experience", so it is possible that there is an additional set of data coming from a "responder" (if the peripheral/device also runs 7 in the "compact" version), see:
blogs.windows.com/wind...dated.aspx
(though the images no longer seem to be accessible, and the "main" page now redirects to the "new, improved" Windows 8 Device experience)

msdn.microsoft.com/en-...56287.aspx
msdn.microsoft.com/en-...63545.aspx

The specifications for MTP are seemingly public (or at least linked publicly from the MS site above):
www.usb.org/developers...TP_1.0.zip

It also seems that the protocol (or whatever) is very likely to get damaged by improper "Upper Filters", possibly installed by Windows Update itself, see:
answers.microsoft.com/...0b8cde315?
discussions.apple.com/...p;tstart=0

I cannot seem to find (besides an actual parser) any good description/documentation of the whole set of registry keys affected by the connection of a (USB) MTP device and its related drivers; it is as if the whole forensics community is ignoring this.
I could only find this "passing by" reference on the whole forum:
www.forensicfocus.com/...4/start=0/

It could be a good topic for a new research/thesis....

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Posted: Wed Nov 14, 2012 3:43 pm

- JackyFox

Do you know if any MTP device registry parsers exist?


What is an "MTP device registry"?

The first link that jaclaz pointed to was on a page beneath the WPD (Windows Portable Devices) heading...there's a key for this in the Software hive.

From this link: www.forensicfocus.com/...4/start=0/
Anyone have a "setup.dev.log" file on their system?

keydet89
Senior Member
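Added example, not code from the thread or from any of its posters: a PowerShell pass over a live Windows system that does the correlation JackyFox asks about (Enum\USB against USBSTOR) and pulls the FriendlyName from the Windows Portable Devices key in the SOFTWARE hive that keydet89 points to, so that devices which enumerated under USB but never presented a mass-storage interface (MTP/PTP cameras, iOS devices) stand out. The three key paths are the standard ones; the MS_COMP_MTP compatible-ID check and the substring match of instance ids against WPD key names are my assumptions, and offline hives would need a hive parser instead.

```powershell
# Added example (not from the thread): on a live system, list USB devices that
# appear under Enum\USB but never got an Enum\USBSTOR entry, i.e. devices that
# connected as MTP/PTP rather than as mass storage (MSC). Run elevated.
# Assumptions: the MS_COMP_MTP CompatibleIDs test and the instance-id substring
# match against Windows Portable Devices key names are heuristics.
$usbRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'
$storRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$wpdRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows Portable Devices\Devices'

# Serials of everything that ever appeared under USBSTOR. USBSTOR instance
# keys look like '<serial>&0'; keep the part before the '&'.
$storSerials = @{}
Get-ChildItem $storRoot -ErrorAction SilentlyContinue | ForEach-Object {
    Get-ChildItem $_.PSPath | ForEach-Object {
        $storSerials[($_.PSChildName -split '&')[0]] = $true
    }
}

# FriendlyName values from the WPD key in the SOFTWARE hive, where MTP/PTP
# devices leave the name Explorer displayed for them.
$wpdNames = @{}
Get-ChildItem $wpdRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $name = (Get-ItemProperty $_.PSPath).FriendlyName
    if ($name) { $wpdNames[$_.PSChildName] = $name }
}

# Walk Enum\USB\VID_xxxx&PID_yyyy\<instance> and classify each instance.
$report = Get-ChildItem $usbRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'VID_*' } |
    ForEach-Object {
        $vidPid = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $inst  = $_.PSChildName
            $props = Get-ItemProperty $_.PSPath
            $wpd   = $wpdNames.GetEnumerator() |
                     Where-Object { $_.Key -like "*$inst*" } | Select-Object -First 1
            [PSCustomObject]@{
                VidPid     = $vidPid
                Instance   = $inst
                Service    = $props.Service
                IsMTP      = (@($props.CompatibleIDs) -join ';') -match 'MS_COMP_MTP'
                InUSBSTOR  = $storSerials.ContainsKey($inst)
                WPDName    = $(if ($wpd) { $wpd.Value })
                DeviceDesc = $props.DeviceDesc
            }
        }
    }

# The cases the thread describes: enumerated under USB, absent from USBSTOR.
$report | Where-Object { -not $_.InUSBSTOR } | Sort-Object VidPid | Format-Table -AutoSize
```

A keyboard or headset will also land in this list (it has an Enum\USB entry and no USBSTOR one, exactly as JackyFox describes), so the IsMTP and WPDName columns are what separate a portable-device connection from an ordinary HID peripheral.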
Page 6 of 8