Pitfalls of Interpreting Forensic Artifacts in the Registry
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
Posted: Fri Nov 16, 2012 8:34 am
- JackyFox
I think you will understand where I’m going with this.
Not at all.
The references provided don't really help me understand, if I'm looking at a number of devices sitting on a table next to a Windows 7 laptop, which of those devices is, or might be, an MTP device. I agree that more testing is needed...but I'm a bit unclear as to how I could go about doing that testing.
Also, I see that your original question about Registry locations hasn't been addressed...
-

keydet89 - Senior Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
Posted: Fri Nov 16, 2012 12:55 pm
- keydet89
The references provided don't really help me understand, if I'm looking at a number of devices sitting on a table next to a Windows 7 laptop, which of those devices is, or might be, an MTP device.
Maybe if you connect them to the Windows 7 laptop instead of leaving them sitting near it, it might help.
Seriously now, this link (already provided):
support.creative.com/k...?sid=83635
Contains this text:
Media Transfer Protocol (MTP) is a protocol and accompanying set of drivers developed by Microsoft to connect portable devices to a Windows XP PC and synchronize digital media content between those devices and the PC.
Mass Storage Class (MSC) is a set of computing communications protocols that run on the Universal Serial Bus. All Creative MSC players are flash based devices. Not all MTP players are hard-disk based; some are flash based.
In Windows Device Manager, MSC Players are detected as USB Mass Storage Device while MTP players are detected as Portable Device.
an image titled "Detection of MSC":

and one titled "Detection of MTP":

that I thought were illustrative enough.
While I am rather familiar with "MSC devices" (USB hard disks or sticks, etc.) I am completely NOT familiar with MTP devices, which seem to be mainly:
- digital cameras
- cellular phones or smartphones
- MP3 or MP4 players and the like
The same Creative link states that some of the devices (evidently MSC "by default") can be "upgraded to MTP", which seems to imply that you could have two identical devices next to your windows 7 laptop and one of them could be set as MSC and the other one "upgraded" to MTP.
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-

jaclaz - Senior Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
Posted: Sat Nov 17, 2012 10:57 am
- keydet89
but I'm a bit unclear as to how I could go about doing that testing.
I really wish I had the time to research this but unfortunately I don't at the moment. Maybe it would help if I told you how I think I would approach it?
I would try to devise a set of experiments, something along the lines of what I did with the USB MSC tests.
- Set up several fresh systems, different operating systems.
- Make a multi-partitioned USB boot device for collecting registry snapshots (detailed in my dissertation).
- Go through a step by step process of performing actions that I want to analyse and taking snapshots.
In this case I would probably take a snapshot => install an MTP/PTP device => snapshot => remove device => snapshot => reinstall device => snapshot => run whatever software is used to sync or up/download files => snapshot => possibly try and transfer files via another route => snapshot
I would then use some control systems and do the same with MSC devices.
Once I had all my snapshots I would then analyse what artefacts I could identify/correlate that report MTP/PTP activity (I detail how I went about this for USB MSC activity in my dissertation). I would also see if I could find a single or combination of keys that would identify that MTP/PTP activity had occurred on a system and do some analysis of log activity on the system.
Armed with that information I think I would have a better idea what to look for and would use more fresh systems to do some complete image snapshots and look at the traces in that.
I hope this helps, I know it sounds like a lot of work and I'm sure the scope would grow as you progressed but I'm not sure that there are too many shortcuts.
-

JackyFox - Member
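The snapshot => connect device => snapshot => diff procedure Jacky describes above, together with the Device Manager distinction jaclaz quotes from the Creative page (MSC players appear as "USB Mass Storage Device", MTP players as "Portable Device"), as one added example. This is not code from the thread or from the dissertation. It assumes the two snapshots are plain-text .reg exports holding only string values, uses constructed snapshot text with made-up vendor/product IDs and serials, and encodes the author's own assumption that an Enum\USB instance key with Service USBSTOR (or any key under Enum\USBSTOR) belongs to an MSC device while an Enum\USB instance key with Class WPD belongs to an MTP/PTP device; real before/after snapshot pairs from the experiment are what would confirm or refute that mapping.

```python
"""Diff two registry snapshots and classify newly enumerated USB devices.

Added example for the snapshot-diff experiment discussed in the thread; not
code from the thread or from the dissertation. Assumes snapshots are .reg
text exports with REG_SZ values only. The MSC/MTP mapping is an assumption.
"""
import re

ENUM_USB = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB"
ENUM_USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Constructed snapshots (not real exports): BEFORE is the clean system,
# AFTER is the same system after plugging in one MSC stick and one MTP
# player. VID/PID values and serials are invented for the example.
SNAPSHOT_BEFORE = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\ROOT_HUB20\4&1a2b3c4d&0]
"Class"="USB"
"Service"="usbhub"
"""

SNAPSHOT_AFTER = SNAPSHOT_BEFORE + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1234&PID_0001\AA11BB22CC33]
"Class"="USB"
"Service"="USBSTOR"
"DeviceDesc"="USB Mass Storage Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Example&Prod_Stick&Rev_1.00\AA11BB22CC33&0]
"Class"="DiskDrive"
"Service"="disk"
"FriendlyName"="Example Stick USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1234&PID_0002\0001A2B3C4D5]
"Class"="WPD"
"Service"="WUDFRd"
"FriendlyName"="Example MTP Player"
"""

_VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only "name"="string" and @="string" lines are decoded; hex(...) data and
    its continuation lines are ignored, which is enough for the device keys
    compared here.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name] = data
    return keys


def diff_snapshots(before, after):
    """Return (added_keys, removed_keys, changed_values) between two parses."""
    added = [k for k in after if k not in before]
    removed = [k for k in before if k not in after]
    changed = {}
    for k in after:
        if k in before and before[k] != after[k]:
            names = set(before[k]) | set(after[k])
            changed[k] = {n: (before[k].get(n), after[k].get(n))
                          for n in names if before[k].get(n) != after[k].get(n)}
    return added, removed, changed


def classify_device(key_path, values):
    """Heuristic (assumption, not a documented rule): USBSTOR service or a key
    under Enum\\USBSTOR means MSC; Class WPD under Enum\\USB means MTP/PTP."""
    if key_path.startswith(ENUM_USBSTOR + "\\"):
        return "MSC"
    if key_path.startswith(ENUM_USB + "\\"):
        if values.get("Service", "").upper() == "USBSTOR":
            return "MSC"
        if values.get("Class", "").upper() == "WPD":
            return "MTP/PTP"
    return "other"


def new_devices(before_text, after_text):
    """Keys that appeared between the snapshots, with their classification."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    added, _removed, _changed = diff_snapshots(before, after)
    return [(k, classify_device(k, after[k])) for k in added]


if __name__ == "__main__":
    for key, kind in new_devices(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"{kind:8} {key}")
```

Run as a script it prints the three keys the second snapshot added and the class each was put in; the `changed` dictionary from `diff_snapshots` is where modifications to keys that existed before (the reinstall and sync steps of the procedure) would show up. One caveat a practitioner would want: a .reg export carries no key LastWrite timestamps, so correlating the added keys with event-log timing, as the post suggests, needs the snapshots taken from the hive files themselves rather than from exports.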
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
Posted: Sun Nov 18, 2012 7:13 am
- jaclaz
Maybe if you connect them to the windows 7 laptop instead of leaving them sitting near to it might help.
I would...if I knew what they were.
- jaclaz
...that I thought were illustrative enough.
When I asked which devices these were, this was similar to Jacky's question regarding Registry keys. Pointing to processes or code for detecting such devices doesn't really address either question.
- jaclaz
I am completely NOT familiar with MTP devices, which seem to be mainly:
- digital cameras
- cellular phones or smartphones
- MP3 or MP4 players and the like
Well, as I mentioned...I have seen what these "look like" on a system.
- jaclaz
The same Creative link states that some of the devices (evidently MSC "by default") can be "upgraded to MTP", which seems to imply that you could have two identical devices next to your windows 7 laptop and one of them could be set as MSC and the other one "upgraded" to MTP.
And I think that the point that some of us have been trying to get to is that the "usual process" for detecting which MSC devices have been connected to a Windows system, after that system has been imaged/acquired, may be insufficient to fully detect MTP devices.
-

keydet89 - Senior Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Registry
Posted: Sun Nov 18, 2012 8:30 am
Going back to the more general title of the thread and dissertation, I see this is a very significant issue, and I think that it's great that Jacky brought it up. I know that too many times, I've seen reports where the existence of a file or folder path in the Registry is completely misinterpreted, largely because the analyst (as well as the senior analyst or supervisor reviewing their work) doesn't understand the nature and context of that artifact...what created or modified it, etc.
IMHO, Jacky's dissertation does a good job of pointing out that the widely accepted assumptions may not be entirely accurate. One of the pitfalls we face when analyzing computer-based data is that very often, we (as analysts) know too little about what actions or interactions had an effect on the artifact(s) in question. We can do testing based on hypotheses and replicate what we "see" in the data, but does that mean that this is the sum total set of actions that could have an impact or effect on that artifact? Not hardly.
-

keydet89 - Senior Member