Missing 'USBStor' Registry key a sign of foul play?

rcraig1000

I am looking for the evidence of the last usage of USB drives. I have found the other discussions on the forum regarding this topic. Most of them recommend looking at the devices under System\CurrentControlSet\Enum\USBStor. In my case, the system has a 'USB' key in this registry location but no 'USBStor'. What does this mean? Could the user have deleted it? Or is something else in play?

The usbstor.inf file shows numerous devices:

MSFT="Microsoft"
MfgName="Microsoft"

USB\VID_03EE&PID_0000.DeviceDesc = "Mitsumi USB CD-R/RW Drive"
USB\VID_03EE&PID_6901.DeviceDesc = "Mitsumi USB Floppy"
USB\VID_03F0&PID_0107.DeviceDesc = "HP USB CD-Writer Plus"
USB\VID_0409&PID_002C.DeviceDesc = "NEC Clik!-USB Drive"
USB\VID_04E6&PID_0001.DeviceDesc = "USB ATAPI Storage Device"
USB\VID_04E6&PID_0101.DeviceDesc = "USB ATAPI Storage Device"
USB\VID_057B&PID_0000.DeviceDesc = "Y-E Data USB Floppy"
USB\VID_059B&PID_0001.DeviceDesc = "Iomega USB Zip 100"
USB\VID_059B&PID_0030.DeviceDesc = "Iomega USB Zip 250"
USB\VID_059B&PID_0031.DeviceDesc = "Iomega USB Zip 100"
USB\VID_059F&PID_A601.DeviceDesc = "LaCie USB Hard Drive"
USB\VID_0644&PID_0000.DeviceDesc = "TEAC USB Floppy"
USB\VID_0693&PID_0002.DeviceDesc = "USB SmartMedia Reader/Writer"
USB\VID_0693&PID_0003.DeviceDesc = "USB CompactFlash Reader/Writer"
USB\VID_0718&PID_0002.DeviceDesc = "Imation SuperDisk USB 120MB"
USB\VID_0781&PID_0001.DeviceDesc = "SanDisk USB ImageMate"

Why the apparent 'disconnect' between these two pieces of evidence?

Thanks!

 
Posted : 27/05/2008 7:18 pm
keydet89

> I am looking for the evidence of the last usage of USB drives. I have found the other discussions on the forum regarding this topic. Most of them recommend looking at the devices under System\CurrentControlSet\Enum\USBStor. In my case, the system has a 'USB' key in this registry location but no 'USBStor'. What does this mean? Could the user have deleted it? Or is something else in play?

By default, the USBStor subkey is created not when the OS is installed, but when a USB removable storage device is connected to the system.

Have you checked the appropriate subkey beneath the DeviceClasses key?

> Why the apparent 'disconnect' between these two pieces of evidence?

I'm not sure that I understand the "apparent 'disconnect'"…what are you referring to? According to http://msdn.microsoft.com/en-us/library/ms791086.aspx, the usbstor.inf installation file contains device IDs for those devices that are explicitly supported. So I guess I'm unclear as to how a supported device listed in the usbstor.inf file constitutes (apparently) "evidence" that a device had been connected to the system.

HTH,

h

 
Posted : 28/05/2008 3:15 am
jaclaz

> System\CurrentControlSet\Enum\USBStor

You should make sure you are looking at HKEY LOCAL MACHINE
HKLM\System\CurrentControlSet\Enum\USB
and
HKLM\System\CurrentControlSet\Enum\USBStor

Were you by mistake looking at HKEY CURRENT CONFIG?

In the USB subkey in HKLM there should be USB devices (any type) connected to the machine, while in USBSTOR there should be only USB Mass storage devices.

jaclaz

 
Posted : 28/05/2008 3:41 pm
rcraig1000

I think my misunderstanding is that 'usbstor.inf' listed devices that had been connected to the PC, not just those that were supported by Windows.

If that is the case, then the evidence would lead me to believe that no USB storage devices have been attached to the PC.

In this case, I have no other evidence that USB devices were used, it was just a suspicion.

I'm examining the system in FTK and using the registry viewer to view the following registry file '\WINNT\system32\config\SYSTEM'.

Then I navigate to 'ControlSet001', 'Enum'. Where I only see 'USB'. There is also a 'ControlSet002' at the top level, which also lacks the 'USBStor'.

Thanks!

 
Posted : 28/05/2008 10:28 pm
keydet89

> I think my misunderstanding is that 'usbstor.inf' listed devices that had been connected to the PC, not just those that were supported by Windows.

The whole issue of USB removable storage device artifacts on Windows systems is covered quite thoroughly in a book entitled, "Windows Forensic Analysis".

> If that is the case, then the evidence would lead me to believe that no USB storage devices have been attached to the PC.
>
> In this case, I have no other evidence that USB devices were used, it was just a suspicion.

Then I would assume that you verified this by examining the appropriate DeviceClasses subkey.

> I'm examining the system in FTK and using the registry viewer to view the following registry file '\WINNT\system32\config\SYSTEM'.
>
> Then I navigate to 'ControlSet001', 'Enum'. Where I only see 'USB'. There is also a 'ControlSet002' at the top level, which also lacks the 'USBStor'.

Within the System hive, check the Select subkey for the ControlSet marked Current…it's much easier.

To make this even easier, grab a copy of RegRipper…
http://windowsir.blogspot.com/2008/05/regripper-update.html

 
Posted : 28/05/2008 11:19 pm
rcraig1000

That is the interesting part about this. For the System hive, I only see the following:

ControlSet001
ControlSet002
MountedDevices
Select
Setup

I'm missing CurrentControlSet.

And I exported the SYSTEM hive from the case and ran it through RegRipper using the 'System' plugin. The report said it couldn't find the 'USBStor' key and I didn't see anything else of note. Is there something else I should be looking for?

Thanks!

 
Posted : 29/05/2008 2:07 am
keydet89

> That is the interesting part about this. For the System hive, I only see the following:
>
> ControlSet001
> ControlSet002
> MountedDevices
> Select
> Setup
>
> I'm missing CurrentControlSet.

That's not interesting at all…it's normal. In the book, Windows Forensic Analysis, the author refers to the CurrentControlSet as a "volatile" hive, in that it only exists on a live system.

This is why I suggested that you look in the Select subkey for the value named "Current"…the data is a number that will tell you which ControlSet…in your case, either 1 or 2…was marked "Current" and appeared on the live system as the "CurrentControlSet" hive.

> And I exported the SYSTEM hive from the case and ran it through RegRipper using the 'System' plugin. The report said it couldn't find the 'USBStor' key and I didn't see anything else of note. Is there something else I should be looking for?

What were the results of the DeviceClasses plugin?

 
Posted : 29/05/2008 2:39 am
rcraig1000

Running RegRipper using only the 'devclass' plugin yielded the following:

DevClasses - Disks
ControlSet001\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

DevClasses - Volumes
ControlSet001\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

 
Posted : 29/05/2008 7:15 pm
keydet89

Okay…that corroborates the fact that no USB removable storage devices have been connected to the system, further explaining the apparent disparity in "evidence" you saw.

 
Posted : 29/05/2008 7:25 pm
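As an added example that is not code from the thread, from FTK or from RegRipper, the following PowerShell script applies the two checks keydet89 describes to an exported SYSTEM hive: it reads Select\Current to find the ControlSet00N that was CurrentControlSet on the live machine, tests whether Enum\USBStor exists under it, and corroborates the result against the Disk and Volume DeviceClasses GUIDs shown in the devclass output. It assumes the hive has first been loaded with reg load under the placeholder name HKLM\CaseSYSTEM from an elevated prompt; the hive path C:\case\SYSTEM is a placeholder.

```powershell
# Added example, not from the thread or RegRipper. Run from an elevated PowerShell
# after loading the exported hive under a placeholder name:
#   reg load HKLM\CaseSYSTEM C:\case\SYSTEM        (C:\case\SYSTEM is a placeholder path)
param([string]$HiveRoot = 'HKLM:\CaseSYSTEM')

# Select\Current holds N for the ControlSet00N that appeared as CurrentControlSet
# on the live system; an offline hive has no CurrentControlSet key at all.
$current = (Get-ItemProperty -Path (Join-Path $HiveRoot 'Select') -Name Current).Current
$cs = Join-Path $HiveRoot ('ControlSet{0:D3}' -f $current)
Write-Output "Live system used $cs as CurrentControlSet"

# 1. Enum\USBStor is created the first time a USB mass-storage device is connected,
#    so its absence in the current control set is itself a finding, not a gap.
$usbstor = Join-Path $cs 'Enum\USBStor'
if (Test-Path $usbstor) {
    Get-ChildItem $usbstor | ForEach-Object {
        $device = $_.PSChildName                       # Disk&Ven_xxx&Prod_yyy&Rev_zzz
        Get-ChildItem $_.PSPath | ForEach-Object {     # one subkey per instance ID / serial
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Device         = $device
                InstanceId     = $_.PSChildName
                FriendlyName   = $p.FriendlyName
                ParentIdPrefix = $p.ParentIdPrefix     # ties the device to MountedDevices entries
            }
        }
    } | Format-Table -AutoSize
} else {
    Write-Output "No Enum\USBStor under $cs : no USB mass-storage device was ever enumerated."
}

# 2. Corroborate with DeviceClasses, using the Disk and Volume interface GUIDs from the devclass output.
$classes = [ordered]@{
    Disk   = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    Volume = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
}
foreach ($name in $classes.Keys) {
    $path = Join-Path $cs "Control\DeviceClasses\$($classes[$name])"
    if (-not (Test-Path $path)) { Write-Output "$name class key absent"; continue }
    # Interface subkeys registered by USB storage devices carry USBSTOR# in their names.
    $usb = @(Get-ChildItem $path | Where-Object { $_.PSChildName -like '*USBSTOR#*' })
    Write-Output ("{0} interfaces exposed by USB storage devices: {1}" -f $name, $usb.Count)
    $usb | ForEach-Object { "  " + $_.PSChildName }
}
```

Unload the hive afterwards with reg unload HKLM\CaseSYSTEM; a zero count for both classes alongside a missing USBStor key is the same picture the devclass output above shows.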
rcraig1000

Thanks so much for all your help!

 
Posted : 29/05/2008 7:27 pm