
USB 1st insertion dates and setupapi anomalies

Post Posted: Thu Jan 10, 2013 3:03 am

I have been updating my mounted devices script and verifying results within a Windows 7 Professional 64 bit environment on an Intel Core Duo T9600 (one machine). I have noted, on several occasions, that the supposed 1st insertion dates contained in the setupapi.dev.log are incorrect and out by many months.

I have noticed this as I have been using the "MediaChangeNotification" subkey of the "USBSTOR" key - I have found that this is a good indicator of 1st insertion dates and have tested it against the new "Data" time-stamp values contained in the "Properties" key (mentioned by Harlan Carvey recently), and actual 1st insertion dates, and they have been consistent and correct.

Anyway, the results were as follows:

setupapi.dev.log section start date value for the specific USB is 2012/12/06 17:47:52.586

The last written date of the MediaChangeNotification key & "Data" value is 2012/09/12 5:36:02 PM (this is the correct time).

setupapi - 2012/11/22 11:45:26.606
MediaChangeNotification/Data key/value - 2012/01/13 11:08:22 AM (correct time)

There is only one value in the setupapi for the specific USBs and I can't find any old setupapi log/backup files (if they exist).

Has anyone noticed this behavior or have an explanation for it?
Having the date in the setupapi being an earlier date is easily explained, but the date being later presents a problem.

Considering that the setupapi is recommended by several sources as the place to go for the most reliable 1st insertion dates - the above scenario could present a problem for investigators especially since I haven't yet checked all values for all USB devices connected to my systems.

Any help would be appreciated... I have searched many forums etc. with no luck or mention of this problem.

B.Jones
SEEB R&D

jone2bri
Newbie
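The comparison described in the post above (earliest setupapi.dev.log "Section start" for a device serial versus the USBSTOR MediaChangeNotification key last-write time and the Properties "Data" FILETIME) can be scripted so that every device on a system is checked rather than a handful by hand. The following is an added example, not the poster's script or any Forensic Focus code: the setupapi.dev.log excerpt and the device serials are constructed, and the registry timestamps are assumed to have already been extracted (e.g. from an offline SYSTEM hive) and normalised to the same timezone as the log, since setupapi.dev.log records local time while registry FILETIMEs are UTC.

```python
"""Flag USB devices whose earliest setupapi.dev.log install section starts
LATER than the registry timestamps, which cannot be a true first insertion."""
import re
from datetime import datetime, timedelta

# Constructed excerpt in the Windows 7 setupapi.dev.log layout. Serials are made up;
# the first two dates mirror the anomaly reported in the thread, the third is consistent.
SETUPAPI_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C53000000000001&0]
>>>  Section start 2012/12/06 17:47:52.586
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2012/12/06 17:47:55.120
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\0019E000000002&0]
>>>  Section start 2012/11/22 11:45:26.606
<<<  Section end 2012/11/22 11:45:29.001
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash&Rev_8.07\AA0000000003&0]
>>>  Section start 2012/03/01 09:12:00.000
<<<  Section end 2012/03/01 09:12:03.500
<<<  [Exit status: SUCCESS]
"""

# Section header for a USBSTOR install; the last path component before "&<n>" is the serial.
HEADER_RE = re.compile(r'^>>>\s+\[Device Install .*?- USBSTOR\\[^\\]+\\([^&\]]+)&?\d*\]', re.I)
START_RE = re.compile(r'^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})')

FILETIME_EPOCH = datetime(1601, 1, 1)


def filetime_to_datetime(ft):
    """Convert a 64-bit Windows FILETIME (100 ns ticks since 1601-01-01) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build constructed test input."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_setupapi(text):
    """Return {serial: earliest 'Section start' datetime} for USBSTOR installs in the log."""
    first_seen = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = START_RE.match(line)
        if m and current:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            if current not in first_seen or ts < first_seen[current]:
                first_seen[current] = ts
            current = None
    return first_seen


# Constructed registry evidence per serial: (MediaChangeNotification key last-write,
# Properties "Data" value as a FILETIME). Dates follow the figures quoted in the thread.
REGISTRY_EVIDENCE = {
    "4C53000000000001": (datetime(2012, 9, 12, 17, 36, 2),
                         datetime_to_filetime(datetime(2012, 9, 12, 17, 36, 2))),
    "0019E000000002": (datetime(2012, 1, 13, 11, 8, 22),
                       datetime_to_filetime(datetime(2012, 1, 13, 11, 8, 22))),
    "AA0000000003": (datetime(2012, 3, 1, 9, 12, 1),
                     datetime_to_filetime(datetime(2012, 3, 1, 9, 12, 1))),
}


def compare(first_seen, registry, tolerance=timedelta(minutes=5)):
    """Classify each device as consistent, anomalous (log later than registry by more
    than tolerance) or missing_in_setupapi. Returns {serial: (status, log_ts, reg_ts)}."""
    results = {}
    for serial, (key_mtime, data_ft) in registry.items():
        reg_ts = min(key_mtime, filetime_to_datetime(data_ft))
        log_ts = first_seen.get(serial)
        if log_ts is None:
            status = "missing_in_setupapi"
        elif log_ts - reg_ts > tolerance:
            status = "anomalous"
        else:
            status = "consistent"
        results[serial] = (status, log_ts, reg_ts)
    return results


if __name__ == "__main__":
    for serial, (status, log_ts, reg_ts) in compare(parse_setupapi(SETUPAPI_LOG), REGISTRY_EVIDENCE).items():
        print(f"{serial:18} {status:20} setupapi={log_ts} registry={reg_ts}")
```

The earliest section start per serial is kept rather than the first one encountered, so a device that appears several times (re-installed in another socket, as the reply below suggests) is still judged on its oldest entry. A device that is in the registry but absent from the log is reported separately, since that is the pattern expected if the log has been truncated or replaced.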

Re: USB 1st insertion dates and setupapi anomalies

Post Posted: Thu Jan 10, 2013 5:26 am

What is the earliest date in your setupapi? Does it precede the date from the MediaChangeNotification regkey?

Also, just off the top of my head, are the setupapi dates correct at all? Did you insert the USB key at that point? And was it into the same USB socket?

My thought behind this is that IIRC Windows XP used to regard a USB device as a "new" device if it was plugged into a different USB socket/slot/connector. So if you had previously only plugged your USB stick into slot 1 (for example), when you plug it into slot 2 you would get the whole "Installing software.." shebang. So perhaps setupapi might log this as a "new" device, whereas once it reaches the registry it recognises that it has been plugged in before.

Just a (probably tremendously wrong) train of thought.

Chris_Ed
Senior Member

Re: USB 1st insertion dates and setupapi anomalies

Post Posted: Thu Jan 10, 2013 7:14 am

- Chris_Ed
What is the earliest date in your setupapi? Does it precede the date from the MediaChangeNotification regkey?

Also, just off the top of my head, are the setupapi dates correct at all? Did you insert the USB key at that point? And was it into the same USB socket?

My thought behind this is that IIRC Windows XP used to regard a USB device as a "new" device if it was plugged into a different USB socket/slot/connector. So if you had previously only plugged your USB stick into slot 1 (for example), when you plug it into slot 2 you would get the whole "Installing software.." shebang. So perhaps setupapi might log this as a "new" device, whereas once it reaches the registry it recognises that it has been plugged in before.

Just a (probably tremendously wrong) train of thought.


The MediaChangeNotification key predates any date in the setupapi... which I don't get...

Some of the dates in the setupapi are correct (the ones I have checked). I also thought about it being a different slot, but wouldn't it have the install for the earlier setup on the original socket in the setupapi as well? The USB in question (tracked by the device serial number) only turns up once in the setupapi and it's the wrong date. Being a log file of sorts, you would think it would not overwrite or remove old entries.

I can't verify the setupapi date; it may have been plugged in at that time in a different socket (I have used 4 different slots at one time or another), but it was not the 1st insertion date.....
Maybe there is a size/time limit on the setupapi, so when it reaches a certain limit Windows starts a new one and deletes the old? Not too helpful or reliable for examiners if this is the case...

Looks like more testing.... thanks for your input...

jone2bri
Newbie

Re: USB 1st insertion dates and setupapi anomalies

Post Posted: Wed Jan 16, 2013 5:46 pm

Has anyone else seen this?
From looking at what Brian's done I had no explanation as to why the setupapi was reporting a date later than the install date in the registry. Unfortunately we haven't been able to recreate it either, and we couldn't determine when the actual first install date of the USB key was.

So the question is, is setupapi still the most reliable way of determining the first time a USB drive was inserted into a system?

randomaccess
Senior Member