USBStor

(@frostyx4)
Posts: 11
Active Member
Topic starter
 

I have a case where a member is stating that they did not connect any USB Devices to the computer. When I look at the USBStor I find 4 USB Devices had been connected on the day in question. The member has stated that a tech had remoted into the computer to fix several issues, and had possibly used USB Devices to install the fixes. I believe that the USB devices need to be directly (physically) connected to the system to have it register in the USBStor, is this correct? I am unable to recreate this in my shop.

 
Posted : 25/08/2015 9:13 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

You could set up a couple of virtual machines in a virtual network to test this, if you don't have enough hardware to do it 'normally'
Other things to consider
When did the 'remote assistance' take place?
What was the last plugged in time of the devices?
Any evidence of access to files on these devices (Shellbags, Windows.edb, link files etc)?
Any evidence of remote access in the log files?
Were all the devices first seen at the same time or spread out over a period?
Were all the devices attached storage devices or were they wireless adapters etc?

 
Posted : 26/08/2015 11:22 am
(@frostyx4)
Posts: 11
Active Member
Topic starter
 

minime2k9
Here are the answers to your questions. I am presently creating several VMs to test this out. So far it only shows on the main system and not the remoted system.

When did the 'remote assistance' take place? This happened prior to the USB Device being connected.
What was the last plugged in time of the devices? The Last Plug in time is when the member is logged in.
Any evidence of access to files on these devices (Shellbags, Windows.edb, link files etc)? A File with a PUP was accessed and triggered an alert.

Any evidence of remote access in the log files? Yes it does show the remote access by the tech staff.

Were all the devices first seen at the same time or spread out over a period? The two devices in question show the same connection times within seconds of each other.

Were all the devices attached storage devices or were they wireless adapters etc? All were Kingston USB Devices.

 
Posted : 26/08/2015 9:05 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

You might also want to have a discussion with the "tech" as to what was the exact process she used for fixing those issues.

In normal circumstances, a local USBStor (at the tech) would never show up on a remote node (target machine).

[…] The member has stated that a tech had remoted into the computer to fix several issues, and had possibly used USB Devices to install the fixes. […]

 
Posted : 26/08/2015 10:54 pm
(@athulin)
Posts: 1156
Noble Member
 

Were all the devices attached storage devices or were they wireless adapters etc? All were Kingston USB Devices.

Can you identify them? I mean, as to physical size etc.? Some of these extremely minimal USB drives (perhaps Kingston DataTraveler Micro) can easily be connected to a computer, yet not all users will know they're there. (SanDisk Ultra Fit is a good example)

And occasionally – not necessarily in this case – you find an external USB device that doubles as a USB mass storage device. Some computer-end connectors for wireless mice do double duty, and I've seen at least one wired mouse that had a mass storage on board.

Other USB weirdness is also technically possible, so don't ignore the actual USB network for what the user may think it is.

 
Posted : 26/08/2015 11:43 pm
(@trewmte)
Posts: 1877
Noble Member
 

I read your original question, but this may be worth asking out loud anyway…

1) Which OS is relevant here?
2) Did you look to see if there is any trace evidence in "setupapi.dev.log"?

Your question reminds me of a useful article written back in 2011 (and still available on the internet) by Chris Sanders. You might wish to read it, if you haven't already.

http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Extracting-USB-Artifacts-from-Windows-7.html

 
Posted : 26/08/2015 11:49 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I believe that the USB devices need to be directly (physically) connected to the system to have it register in the USBStor, is this correct.

Sure, the device needs to have been physically connected to the PC locally.
And yes, the setupapi.log or the setupapi.dev.log will have an entry for the connection.
http://forensicswiki.org/wiki/USB_History_Viewing
https://www.magnetforensics.com/computer-forensics/how-to-analyze-usb-device-history-in-windows

jaclaz

 
Posted : 27/08/2015 1:53 pm
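Two things this thread keeps coming back to are the first-install entries that setupapi.dev.log holds for each USB device instance (trewmte and jaclaz above) and the timeline questions in minime2k9's checklist: when did the remote session take place, and were the devices first seen at the same moment or spread out. The script below is an added example, not code from anyone in this thread or from any tool it links to. It parses a constructed excerpt in the Windows 7 setupapi.dev.log format (the device serials EXAMPLESERIAL0001/0002, the Logitech-style HID entry and all timestamps are made up), pulls out the USBSTOR mass-storage installs, checks whether each first install falls inside a remote-support window (also constructed, as one would recover it from the remote-access logs), and flags devices installed within seconds of each other.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in the Windows 7 setupapi.dev.log format. Serials
# (EXAMPLESERIAL000x), device paths and timestamps are made up for this
# example and do not come from any real case.
SAMPLE_SETUPAPI_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\5&2a3b4c5d&0&1]
>>>  Section start 2015/08/19 09:10:00.000
      dvi: {Build Driver List} 09:10:00.120
<<<  Section end 2015/08/19 09:10:02.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\EXAMPLESERIAL0001&0]
>>>  Section start 2015/08/20 14:03:12.345
      dvi: {Build Driver List} 14:03:12.400
<<<  Section end 2015/08/20 14:03:15.123
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\EXAMPLESERIAL0002&0]
>>>  Section start 2015/08/20 14:03:14.900
<<<  Section end 2015/08/20 14:03:17.002
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<devid>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_setupapi(text):
    """One record per 'Device Install' section: device instance ID, bus
    (first path component) and the section-start time. That time is when
    Windows first installed the driver for this device instance; later
    re-connections of the same device are not logged here."""
    records = []
    pending = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.group("devid")
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            devid, pending = pending, None
            parts = devid.split("\\")
            rec = {
                "device_id": devid,
                "bus": parts[0],
                "first_install": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f"),
            }
            if parts[0] == "USBSTOR" and len(parts) == 3:
                # USBSTOR\Disk&Ven_X&Prod_Y&Rev_Z\<serial>&0
                rec["vendor_product"] = parts[1]
                rec["serial"] = parts[2].rsplit("&", 1)[0]
            records.append(rec)
    return records


def mass_storage(records):
    """Keep only USB mass-storage instances (the USBSTOR enumerator)."""
    return [r for r in records if r["bus"] == "USBSTOR"]


def during_sessions(record, sessions):
    """Label of the remote session whose window contains the device's first
    install, or None if the install fell outside every window."""
    t = record["first_install"]
    for start, end, label in sessions:
        if start <= t <= end:
            return label
    return None


def cluster_installs(records, window_seconds=10):
    """Group installs that follow the previous one within window_seconds.
    Several storage devices appearing within seconds of each other needs an
    explanation (multi-LUN reader, hub, or a handful of sticks at once)."""
    clusters = []
    for r in sorted(records, key=lambda r: r["first_install"]):
        gap = timedelta(seconds=window_seconds)
        if clusters and r["first_install"] - clusters[-1][-1]["first_install"] <= gap:
            clusters[-1].append(r)
        else:
            clusters.append([r])
    return clusters


# Constructed remote-support window, as it would be recovered from the
# remote-access event logs; not a real session.
REMOTE_SESSIONS = [
    (datetime(2015, 8, 20, 10, 0, 0), datetime(2015, 8, 20, 11, 30, 0),
     "tech remote session (constructed)"),
]


def report(text=SAMPLE_SETUPAPI_LOG, sessions=REMOTE_SESSIONS):
    """(serial, first-install time, session label or None) per storage device."""
    return [(r["serial"], r["first_install"].isoformat(sep=" "), during_sessions(r, sessions))
            for r in mass_storage(parse_setupapi(text))]


if __name__ == "__main__":
    for serial, ts, session in report():
        print(f"{serial}  first installed {ts}  during remote session: {session or 'no'}")
    for group in cluster_installs(mass_storage(parse_setupapi(SAMPLE_SETUPAPI_LOG))):
        if len(group) > 1:
            print("installed within seconds of each other:", [r["serial"] for r in group])
```

On the constructed data both Kingston instances were first installed about two and a half seconds apart, well after the remote window closed, which is the pattern the original poster describes. setupapi.dev.log only records the first installation of a device instance, so the last-connected times minime2k9 asks about have to come from other artefacts; and as cults14 notes, a timestamp outside the remote window says when the device was plugged in, not who did it.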
(@cults14)
Posts: 367
Reputable Member
 

I'm confused.

To have a device appear in USBStor you need to plug it in to the computer right? To plug in a device you need to be right there at the computer don't you? So if the tech (remote) was never at the computer, someone else plugged the device in.

Normal USB analysis may show up which user profile is associated with the device(s), but that doesn't put the user at the keyboard.

 
Posted : 27/08/2015 3:26 pm
(@frostyx4)
Posts: 11
Active Member
Topic starter
 

I would like to take this opportunity to thank you all for your responses; you have confirmed what I thought and everything I have read and understood. I now can proceed with the proof that the remote tech did not create this issue.

 
Posted : 01/09/2015 1:47 am