Pitfalls of Interpreting Forensic Artifacts in the Registry
Re: Pitfalls of Interpreting Forensic Artifacts in the Registry
Posted: Tue Nov 13, 2012 1:26 am
I finally got time to watch the video and am quite impressed. Very interesting and educational. Thank you for sharing your research and knowledge.
Ken
-

KPryor - Senior Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
Posted: Tue Nov 13, 2012 7:44 am
- JackyFox
Out of interest, in the hives you have is a serial number recorded anywhere, or do you believe that a USB storage device was installed without a serial number being registered? If they are sample hives rather than a user's actual hives I would love to look at them.
The hives in question are from my own system...I've connected several devices to it...specifically, a digital camera and my iTouch...that do not show up under the USBStor key. They do have serial numbers, so it's not a matter of whether or not a serial number was registered.
I think that questions raised by your dissertation can be addressed by taking another look at the process for not only determining devices that were connected to the system, but also for determining which user had access to those devices.
-

keydet89 - Senior Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
Posted: Tue Nov 13, 2012 5:11 pm
Thanks for coming back on my question. I can't comment on the digital camera as I don't know enough about it and probably wouldn't have that model here anyway. However, I do have several iPods, both iOS and non-iOS. It is my experience that the non-iOS iPods have an option to "enable disk use" so that you can mount them and store files on them. These devices, when disk-enabled, do show up in USBstor. The iOS iPods & iPhones I have don't give this option and don't show up as a storage device or mount as an Explorer volume, hence no entry in USBstor. I know that there are utilities around that will let you mount iOS devices; to date I haven't tested them, but I think in order for Explorer to see them they would probably need to mount in the conventional way and would have an entry in USBstor.
I suppose where I'm going with this is, if I connect a USB keyboard or headset I'll get an entry in Enum\USB. However, if I attempt to mount a device for storage via Windows Explorer, I would expect an entry in USBstor. Out of interest, did you attempt to download/upload a file to your iPod touch without using iTunes? That would be really interesting if you have done that without mounting the drive. I think I have seen something about using iTunes file sharing to sync data that was made to look as if it was from specific apps; tracking this would have been outside the scope of my research though.
-

JackyFox - Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
Posted: Wed Nov 14, 2012 5:18 am
Cannot say if useful, but there are at least two "ways" a USB "camera" or "music player" device can be connected to a Windows NT family OS.
One is the known "Mass Storage Device" or MSC - mass storage class, in which the device behaves exactly as if it was a USB stick or Hard disk - the other one is MTP - Media Transfer Protocol or PTP - Picture Transfer Protocol:
en.wikipedia.org/wiki/...r_Protocol
en.wikipedia.org/wiki/...r_Protocol
Of course USBstor is only connected to MSC connected devices.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
Posted: Wed Nov 14, 2012 2:28 pm
Hi Jaclaz,
Thanks for that.
Do you know if any MTP device registry parsers exist? It would be interesting to pull all the MTP pieces from the registry and correlate them. I think there is data in Windows Portable devices along with Enum\USB on MTP devices and I'm sure other areas and device specific logs too. Still that's a whole other day's work......
-

JackyFox - Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
Posted: Wed Nov 14, 2012 3:28 pm
- JackyFox
Hi Jaclaz,
Thanks for that.
Do you know if any MTP device registry parsers exist? It would be interesting to pull all the MTP pieces from the registry and correlate them. I think there is data in Windows Portable devices along with Enum\USB on MTP devices and I'm sure other areas and device specific logs too. Still that's a whole other day's work......
I guess you (I, we) opened a can of worms.
There are different settings (seemingly) in XP, Vista and 7 (and let's for the moment keep 8 aside) and in different versions of WMP, see:
msdn.microsoft.com/en-...s.85).aspx
forum.xda-developers.c...?t=1291293
and I guess that the same differences may be reflected in the Registry...
This is also something that may have some relevance :
www.symantec.com/conne...nt-7940181
This is "historical", but could also be of interest:
www.directionsonmicros...msf_sb.htm
It seems like in Windows 7 the good MS guys have somehow "expanded" the protocol with their "Device Experience", so it is possible that there is an additional set of data coming from a "responder" (if the peripheral/device also runs 7 in the "compact" version), see:
blogs.windows.com/wind...dated.aspx
(though the images seem to be no longer accessible, and the "main" page now redirects to the "new, improved" Windows 8 Device Experience)
msdn.microsoft.com/en-...56287.aspx
msdn.microsoft.com/en-...63545.aspx
The specifications for MTP are seemingly public (or at least linked publicly from the MS site above):
www.usb.org/developers...TP_1.0.zip
It also seems that the protocol (or whatever) is very likely to get damaged by improper "Upper Filters", possibly by Windows Update itself, see:
answers.microsoft.com/...0b8cde315?
discussions.apple.com/...p;tstart=0
I cannot seem to find (besides an actual parser) any good description/documentation of the whole set of registry keys affected by the connection of a (USB) MTP device and related drivers; it is as if the whole Forensics community is ignoring this.
I could only find this "passing by" reference on the whole forum:
www.forensicfocus.com/...4/start=0/
It could be a good topic for a new research/thesis....
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
Posted: Wed Nov 14, 2012 4:43 pm
- JackyFox
Do you know if any MTP device registry parsers exist?
What is an "MTP device registry"?
The first link that jaclaz pointed to was on a page beneath the WPD (Windows Portable Device) heading...there's a key for this in the Software hive.
From this link: www.forensicfocus.com/...4/start=0/
Anyone have a "setup.dev.log" file on their system?
-

keydet89 - Senior Member
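The thread turns on two points: jaclaz's distinction between MSC devices (which get a USBSTOR entry) and MTP/PTP devices (which do not), and keydet89's pointer to the Windows Portable Devices key in the Software hive. The script below is an added example, not code from the thread or from any tool it mentions, showing how those three locations (Enum\USBSTOR, Enum\USB and Windows Portable Devices\Devices) can be pulled from a .reg-style text export and correlated by serial number. The sample export is constructed, every VID/PID/serial in it is invented, the WPD interface GUID is a placeholder, and the key layouts assumed (USBSTOR instance `<serial>&<n>`, Enum\USB `VID_xxxx&PID_xxxx\<instance>`, WPD device IDs with `#` separators) are stated as assumptions for illustration:

```python
"""Correlate USB device traces across Enum\\USBSTOR, Enum\\USB and WPD keys.

Added example for the thread above (not from the forum or any tool it names).
Assumed key layouts (illustrative, not a specification):
  Enum\\USBSTOR\\<Disk&Ven_..>\\<serial>&<n>
  Enum\\USB\\VID_xxxx&PID_xxxx\\<serial or Windows-generated id>
  Windows Portable Devices\\Devices\\USB#VID_xxxx&PID_xxxx#<serial>#{guid}
"""
import re
from collections import defaultdict

# Constructed sample export: a USB stick (MSC), an iPod over MTP/PTP, a keyboard.
# All VID/PID/serial values are invented; the WPD GUID is a placeholder.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\0123456789ABCDEF&0]
"FriendlyName"="Kingston DataTraveler USB Device"
"Service"="disk"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\VID_0951&PID_1666\0123456789ABCDEF]
"Service"="USBSTOR"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\VID_05AC&PID_129E\FAKEIOSSERIAL0001]
"FriendlyName"="Apple iPod"
"Service"="WUDFRd"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices\Devices\USB#VID_05AC&PID_129E#FAKEIOSSERIAL0001#{WPD-INTERFACE-GUID-PLACEHOLDER}]
"FriendlyName"="Apple iPod"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\VID_046D&PID_C31C\6&2f3e4d5c&0&1]
"DeviceDesc"="USB Input Device"
"Service"="kbdhid"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
VIDPID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: string_value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            keys[current][val.group(1)] = val.group(2)
    return keys


def correlate(text):
    """Group registry traces by device serial; return {serial: {...}}."""
    devices = defaultdict(lambda: {"vid": None, "pid": None, "sources": set(),
                                   "names": set(), "generated_id": False})
    for path, values in parse_reg(text).items():
        parts, upper = path.split("\\"), path.upper()
        vidpid = VIDPID_RE.search(path)
        if "\\ENUM\\USBSTOR\\" in upper:
            serial, source = parts[-1].rsplit("&", 1)[0], "USBSTOR"
        elif "\\ENUM\\USB\\VID_" in upper:
            serial, source = parts[-1], "Enum\\USB"
        elif "\\WINDOWS PORTABLE DEVICES\\DEVICES\\" in upper:
            serial, source = parts[-1].split("#")[2], "WPD"
        else:
            continue
        entry = devices[serial]
        entry["sources"].add(source)
        # An '&' in an Enum\USB instance id means Windows generated it because the
        # device reported no serial number, so it cannot be matched across keys.
        if source == "Enum\\USB" and "&" in serial:
            entry["generated_id"] = True
        if vidpid:
            entry["vid"], entry["pid"] = (x.upper() for x in vidpid.groups())
        name = values.get("FriendlyName") or values.get("DeviceDesc")
        if name:
            entry["names"].add(name)
    return dict(devices)


def classify(entry):
    """Interpret the combination of keys a device appears in."""
    if "USBSTOR" in entry["sources"]:
        return "mass storage (MSC)"
    if "WPD" in entry["sources"]:
        return "portable device (MTP/PTP), no USBSTOR entry"
    return "other USB device (Enum\\USB only)"


def report(text):
    """Map each serial / instance id to its interpretation."""
    return {serial: classify(entry) for serial, entry in correlate(text).items()}


if __name__ == "__main__":
    for serial, entry in correlate(SAMPLE_REG).items():
        print(f"{serial:20} {entry['vid']}:{entry['pid']}  {sorted(entry['sources'])}  "
              f"{classify(entry)}  {sorted(entry['names'])}")
```

Run against a real export (`reg export` of the SYSTEM and SOFTWARE hives, or a hive converted to text by a parser of choice), the interesting rows are the ones classified as "portable device (MTP/PTP), no USBSTOR entry": that is exactly the case JackyFox describes, an iOS device that never mounts as an Explorer volume. The `generated_id` flag marks Enum\USB instances whose id Windows synthesised because the device reported no serial, which is why such devices cannot be tied to a USBSTOR or WPD record by serial alone.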