Missing 'USBStor' Registry key a sign of foul play?

Posted: Tue May 27, 2008 8:18 am

I am looking for the evidence of the last usage of USB drives. I have found the other discussions on the forum regarding this topic. Most of them recommend looking at the devices under System\CurrentControlSet\Enum\USBStor. In my case, the system has a 'USB' key in this registry location but no 'USBStor'. What does this mean? Could the user have deleted it? Or is something else in play?

The usbstor.inf file shows numerous devices:

MSFT="Microsoft"
MfgName="Microsoft"

USB\VID_03EE&PID_0000.DeviceDesc = "Mitsumi USB CD-R/RW Drive"
USB\VID_03EE&PID_6901.DeviceDesc = "Mitsumi USB Floppy"
USB\VID_03F0&PID_0107.DeviceDesc = "HP USB CD-Writer Plus"
USB\VID_0409&PID_002C.DeviceDesc = "NEC Clik!-USB Drive"
USB\VID_04E6&PID_0001.DeviceDesc = "USB ATAPI Storage Device"
USB\VID_04E6&PID_0101.DeviceDesc = "USB ATAPI Storage Device"
USB\VID_057B&PID_0000.DeviceDesc = "Y-E Data USB Floppy"
USB\VID_059B&PID_0001.DeviceDesc = "Iomega USB Zip 100"
USB\VID_059B&PID_0030.DeviceDesc = "Iomega USB Zip 250"
USB\VID_059B&PID_0031.DeviceDesc = "Iomega USB Zip 100"
USB\VID_059F&PID_A601.DeviceDesc = "LaCie USB Hard Drive"
USB\VID_0644&PID_0000.DeviceDesc = "TEAC USB Floppy"
USB\VID_0693&PID_0002.DeviceDesc = "USB SmartMedia Reader/Writer"
USB\VID_0693&PID_0003.DeviceDesc = "USB CompactFlash Reader/Writer"
USB\VID_0718&PID_0002.DeviceDesc = "Imation SuperDisk USB 120MB"
USB\VID_0781&PID_0001.DeviceDesc = "SanDisk USB ImageMate"


Why the apparent 'disconnect' between these two pieces of evidence?

Thanks!  

rcraig1000
Newbie
 
 
  

Re: Missing 'USBStor' Registry key a sign of foul play?

Posted: Tue May 27, 2008 4:15 pm

- rcraig1000
I am looking for the evidence of the last usage of USB drives. I have found the other discussions on the forum regarding this topic. Most of them recommend looking at the devices under System\CurrentControlSet\Enum\USBStor. In my case, the system has a 'USB' key in this registry location but no 'USBStor'. What does this mean? Could the user have deleted it? Or is something else in play?


By default, the USBStor subkey is created not when the OS is installed, but when a USB removable storage device is connected to the system.

Have you checked the appropriate subkey beneath the DeviceClasses key?

- rcraig1000

Why the apparent 'disconnect' between these two pieces of evidence?


I'm not sure that I understand the "apparent 'disconnect'"...what are you referring to? According to msdn.microsoft.com/en-...1086.aspx, the usbstor.inf installation file contains device IDs for those devices that are explicitly supported. So I guess I'm unclear as to how a supported device listed in the usbstor.inf file constitutes (apparently) "evidence" that a device had been connected to the system.

HTH,

h  

keydet89
Senior Member
 
 
  

Re: Missing 'USBStor' Registry key a sign of foul play?

Posted: Wed May 28, 2008 4:41 am

- rcraig1000
System\CurrentControlSet\Enum\USBStor

You should make sure you are looking at HKEY_LOCAL_MACHINE:
HKLM\System\CurrentControlSet\Enum\USB
and
HKLM\System\CurrentControlSet\Enum\USBStor

Were you by mistake looking at HKEY_CURRENT_CONFIG?


In the USB subkey in HKLM there should be USB devices (any type) connected to the machine, while in USBSTOR there should be only USB Mass storage devices.

jaclaz  

jaclaz
Senior Member
 
 
  

Re: Missing 'USBStor' Registry key a sign of foul play?

Posted: Wed May 28, 2008 11:28 am

I think my misunderstanding is that 'usbstor.inf' listed devices that had been connected to the PC, not just those that were supported by Windows.

If that is the case, then the evidence would lead me to believe that no USB storage devices have been attached to the PC.

In this case, I have no other evidence that USB devices were used, it was just a suspicion.

I'm examining the system in FTK and using the registry viewer to view the following registry file: '\WINNT\system32\config\SYSTEM'.

Then I navigate to 'ControlSet001', 'Enum', where I only see 'USB'. There is also a 'ControlSet002' at the top level, which also lacks the 'USBStor'.

Thanks!  

rcraig1000
Newbie
 
 
  

Re: Missing 'USBStor' Registry key a sign of foul play?

Posted: Wed May 28, 2008 12:19 pm

- rcraig1000
I think my misunderstanding is that 'usbstor.inf' listed devices that had been connected to the PC, not just those that were supported by Windows.


The whole issue of USB removable storage device artifacts on Windows systems is covered quite thoroughly in a book entitled, "Windows Forensic Analysis".

- rcraig1000

If that is the case, then the evidence would lead me to believe that no USB storage devices have been attached to the PC.

In this case, I have no other evidence that USB devices were used, it was just a suspicion.


Then I would assume that you verified this by examining the appropriate DeviceClasses subkey.

- rcraig1000

I'm examining the system in FTK and using the registry viewer to view the following registry file: '\WINNT\system32\config\SYSTEM'.

Then I navigate to 'ControlSet001', 'Enum', where I only see 'USB'. There is also a 'ControlSet002' at the top level, which also lacks the 'USBStor'.


Within the System hive, check the Select subkey for the ControlSet marked Current...it's much easier.

To make this even easier, grab a copy of RegRipper...
windowsir.blogspot.com...pdate.html  

keydet89
Senior Member
 
 
  

Re: Missing 'USBStor' Registry key a sign of foul play?

Posted: Wed May 28, 2008 3:07 pm

That is the interesting part about this. For the System hive, I only see the following:

ControlSet001
ControlSet002
MountedDevices
Select
Setup

I'm missing CurrentControlSet.

And I exported the SYSTEM hive from the case and ran it through RegRipper using the 'System' plugin. The report said it couldn't find the 'USBStor' key and I didn't see anything else of note. Is there something else I should be looking for?

Thanks!  

rcraig1000
Newbie
 
 
  

Re: Missing 'USBStor' Registry key a sign of foul play?

Posted: Wed May 28, 2008 3:39 pm

- rcraig1000
That is the interesting part about this. For the System hive, I only see the following:

ControlSet001
ControlSet002
MountedDevices
Select
Setup

I'm missing CurrentControlSet.


That's not interesting at all...it's normal. In the book, Windows Forensic Analysis, the author refers to the CurrentControlSet as a "volatile" hive, in that it only exists on a live system.

This is why I suggested that you look in the Select subkey for the value named "Current"...the data is a number that will tell you which ControlSet...in your case, either 1 or 2...was marked "Current" and appeared on the live system as the "CurrentControlSet" hive.

- rcraig1000

And I exported the SYSTEM hive from the case and ran it through RegRipper using the 'System' plugin. The report said it couldn't find the 'USBStor' key and I didn't see anything else of note. Is there something else I should be looking for?


What were the results of the DeviceClasses plugin?  

keydet89
Senior Member
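The offline-hive procedure the replies above describe (read Select\Current to pick the ControlSet, then check Enum\USBSTOR and the disk-class DeviceClasses subkey), as an added PowerShell example that is not from the thread or from RegRipper. It assumes an elevated shell on a Windows analysis machine, and the exported hive copied to the placeholder path C:\case\SYSTEM; the disk interface GUID is the documented GUID_DEVINTERFACE_DISK value.

```powershell
# Added example, not from the thread. Loads a COPY of the exported SYSTEM hive
# (reg.exe load needs admin rights and may write to the file on unload).
$HivePath  = 'C:\case\SYSTEM'    # placeholder: copy of the exported hive
$MountName = 'CaseSYS'            # temporary mount point under HKLM
$DiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'   # GUID_DEVINTERFACE_DISK

reg.exe load "HKLM\$MountName" $HivePath | Out-Null
try {
    # An offline hive has no CurrentControlSet; Select\Current records which
    # ControlSet00N the live system used (in the thread's case, 1 or 2).
    $current = (Get-ItemProperty -Path "HKLM:\$MountName\Select" -Name Current).Current
    $cs = 'ControlSet{0:D3}' -f $current
    "Select\Current = $current -> $cs"

    # Enum\USBSTOR is only created once a USB mass-storage device is attached.
    $usbstor = "HKLM:\$MountName\$cs\Enum\USBSTOR"
    if (Test-Path $usbstor) {
        Get-ChildItem $usbstor | ForEach-Object {
            # Subkey: Disk&Ven_xxx&Prod_yyy&Rev_zzz; children: device
            # serial numbers or generated instance IDs.
            $dev = $_
            Get-ChildItem $dev.PSPath | ForEach-Object {
                $fn = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).FriendlyName
                '{0}\{1}  {2}' -f $dev.PSChildName, $_.PSChildName, $fn
            }
        }
    } else {
        "No Enum\USBSTOR key under $cs"
    }

    # Cross-check: DeviceClasses keeps one subkey per disk interface, with the
    # USBSTOR instance path embedded in the name, so it can still show a device
    # when Enum\USBSTOR is absent. Key LastWrite times are not exposed here;
    # use reg.exe or a forensic registry viewer for those.
    $classes = "HKLM:\$MountName\$cs\Control\DeviceClasses\$DiskClass"
    if (Test-Path $classes) {
        Get-ChildItem $classes |
            Where-Object { $_.PSChildName -like '*USBSTOR*' } |
            ForEach-Object { 'DeviceClasses: ' + $_.PSChildName }
    } else {
        "No disk-class DeviceClasses key under $cs"
    }
}
finally {
    reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Running this against both ControlSet001 and ControlSet002 (replace $cs) is worthwhile when the two differ, since the thread's examiner found both present.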
 
 