Pitfalls of Interpreting Forensic Artifacts in the Registry

Discussions related to Forensic Focus webinars. Please use the appropriate topic for each webinar.

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Fri Nov 16, 2012 7:34 am

- JackyFox
I think you will understand where I’m going with this.


Not at all.

The references provided don't really help me understand, if I'm looking at a number of devices sitting on a table next to a Windows 7 laptop, which of those devices is, or might be, an MTP device. I agree that more testing is needed...but I'm a bit unclear as to how I could go about doing that testing.

Also, I see that your original question about Registry locations hasn't been addressed...  

keydet89
Senior Member
 
 
  

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Fri Nov 16, 2012 11:55 am

- keydet89

The references provided don't really help me understand, if I'm looking at a number of devices sitting on a table next to a Windows 7 laptop, which of those devices is, or might be, an MTP device.

Maybe connecting them to the Windows 7 laptop instead of leaving them sitting near it might help. Wink


Seriously now, this link (already provided):
support.creative.com/k...?sid=83635
Contains this text:
Media Transfer Protocol (MTP) is a protocol and accompanying set of drivers developed by Microsoft to connect portable devices to a Windows XP PC and synchronize digital media content between those devices and the PC.

Mass Storage Class (MSC) is a set of computing communications protocols that run on the Universal Serial Bus. All Creative MSC players are flash-based devices. Not all MTP players are hard-disk based; some are flash based.

In Windows Device Manager, MSC Players are detected as USB Mass Storage Device while MTP players are detected as Portable Device.

an image titled "Detection of MSC":


and one titled "Detection of MTP":


that I thought were illustrative enough.

While I am rather familiar with "MSC devices" (USB hard disks or sticks, etc.), I am completely NOT familiar with MTP devices, which seem to be mainly:
  • digital cameras
  • cellular phones or smartphones
  • MP3 or MP4 players and the like
(I actually seem to remember having had one such digital camera that came with such a bloated set of drivers/interface utility - and that was NOT accessible as a USB mass storage device - that I quickly gave it away, buying instead another one that showed as "Mass Storage Device" - I really cannot remember the model/make of that one.)

The same Creative link states that some of the devices (evidently MSC "by default") can be "upgraded to MTP", which seems to imply that you could have two identical devices next to your Windows 7 laptop and one of them could be set as MSC and the other one "upgraded" to MTP.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Sat Nov 17, 2012 9:57 am

- keydet89


but I'm a bit unclear as to how I could go about doing that testing.


I really wish I had the time to research this but unfortunately I don't at the moment. Maybe it would help if I told you how I think I would approach it?

I would try to devise a set of experiments, something along the lines of what I did with the USB MSC tests.

- Set up several fresh systems, different operating systems.
- Make a multi-partitioned USB boot device for collecting registry snapshots (detailed in my dissertation).
- Go through a step by step process of performing actions that I want to analyse and taking snapshots.

In this case I would probably take a snapshot => install an MTP/PTP device => snapshot => remove device => snapshot => reinstall device => snapshot => run whatever software is used to sync or up/download files => snapshot => possibly try and transfer files via another route => snapshot

I would then use some control systems and do the same with MSC devices.

Once I had all my snapshots I would then analyse what artefacts I could identify/correlate that report MTP/PTP activity (I detail how I went about this for USB MSC activity in my dissertation). I would also see if I could find a single or combination of keys that would identify that MTP/PTP activity had occurred on a system and do some analysis of log activity on the system.

Armed with that information I think I would have a better idea what to look for and would use more fresh systems to do some complete image snapshots and look at the traces in that.

I hope this helps, I know it sounds like a lot of work and I'm sure the scope would grow as you progressed but I'm not sure that there are too many shortcuts.  

JackyFox
Member
 
 
  
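As an added illustration of the snapshot-and-compare step in the experiment design above (this is not code from the thread or from Jacky's dissertation), the script below parses two registry exports in .reg format and reports which keys and values appeared, disappeared or changed between them. Both snapshots are constructed samples, and the VID/PID and serial of the "after" device are placeholders, not a real device.

```python
"""Diff two registry snapshots (before/after an action) as in the experiment design
above. Snapshots are .reg export text; both samples below are constructed, not real."""

ENUM_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\"

# Constructed sample: snapshot taken before the device was connected.
BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0000&PID_0001]
"FriendlyName"="Existing Device"
"""

# Constructed sample: snapshot after connecting a hypothetical MTP device
# (VID_1234&PID_5678 and SERIAL01 are placeholders, not a real device).
AFTER = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0000&PID_0001]
"FriendlyName"="Existing Device (renamed)"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_1234&PID_5678\SERIAL01]
"FriendlyName"="Hypothetical MTP Player"
"CompatibleIDs"=hex(7):55,00,53,00
"""

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    snapshot, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            snapshot.setdefault(current, {})
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, data = line.partition("=")   # data kept raw, e.g. "\"x\"" or hex(7):..
            snapshot[current][name.strip('"')] = data
    return snapshot

def diff_snapshots(before, after):
    """Keys present in only one snapshot, plus values whose data differs."""
    changed = []
    for key in before.keys() & after.keys():
        for name in before[key].keys() | after[key].keys():
            if before[key].get(name) != after[key].get(name):
                changed.append((key, name, before[key].get(name), after[key].get(name)))
    return {"added_keys": sorted(after.keys() - before.keys()),
            "removed_keys": sorted(before.keys() - after.keys()),
            "changed_values": sorted(changed, key=lambda c: c[:2])}

def new_device_keys(diff):
    """Added keys under the Enum tree, where a newly installed device is enumerated."""
    return [k for k in diff["added_keys"] if k.startswith(ENUM_PREFIX)]
```

Note that in this constructed pair the USBSTOR key is unchanged; the new device shows up only under Enum\USB, which is the kind of gap between MSC and MTP traces the thread is discussing.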

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Sun Nov 18, 2012 6:13 am

- jaclaz

Maybe connecting them to the Windows 7 laptop instead of leaving them sitting near it might help. Wink


I would...if I knew what they were.

- jaclaz

...that I thought were illustrative enough.


When I asked which devices these were, this was similar to Jacky's question regarding Registry keys. Pointing to processes or code for detecting such devices doesn't really address either question.

- jaclaz
I am completely NOT familiar with MTP devices, which seem to be mainly:
  • digital cameras
  • cellular phones or smartphones
  • MP3 or MP4 players and the like


Well, as I mentioned...I have seen what these "look like" on a system.

- jaclaz

The same Creative link states that some of the devices (evidently MSC "by default") can be "upgraded to MTP", which seems to imply that you could have two identical devices next to your Windows 7 laptop and one of them could be set as MSC and the other one "upgraded" to MTP.


And I think that the point that some of us have been trying to get to is that the "usual process" for detecting which MSC devices have been connected to a Windows system, after that system has been imaged/acquired, may be insufficient to fully detect MTP devices.  

keydet89
Senior Member
 
 
  

Re: Pitfalls of Interpreting Forensic Artifacts in the Registry

Post Posted: Sun Nov 18, 2012 7:30 am

Going back to the more general title of the thread and dissertation, I see this is a very significant issue, and I think that it's great that Jacky brought it up. I know that too many times, I've seen reports where the existence of a file or folder path in the Registry is completely misinterpreted, largely because the analyst (as well as the senior analyst or supervisor reviewing their work) doesn't understand the nature and context of that artifact...what created or modified it, etc.

IMHO, Jacky's dissertation does a good job of pointing out that the widely accepted assumptions may not be entirely accurate. One of the pitfalls we face when analyzing computer-based data is that very often, we (as analysts) know too little about what actions or interactions had an effect on the artifact(s) in question. We can do testing based on hypotheses and replicate what we "see" in the data, but does that mean that this is the sum total set of actions that could have an impact or effect on that artifact? Not hardly.  

keydet89
Senior Member
 
 
Page 8 of 8