Pitfalls of Interpreting Forensic Artifacts in the Registry
jaclaz - Senior Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
The more I look into this, the more it seems to me a horror story.
However someone has seemingly written a RegRipper plugin (to get at least drive letters):
windowsir.blogspot.it/...vista.html
Some more bits and pieces:
www.blackviper.com/win...r-service/
www.mobiletechworld.co...usb-drive/
support.creative.com/k...?sid=83635
www.irongeek.com/i.php...sb-devices
This might also be of use (maybe):
opensource.creative.co..._enum.html
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -

-
keydet89 - Senior Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Registry
jaclaz,
So you're saying that this MTP stuff you're talking about is synonymous with the Windows Portable Devices?
-
jaclaz - Senior Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Registry
- keydet89: jaclaz,
So you're saying that this MTP stuff you're talking about is synonymous with the Windows Portable Devices?
Yep. Though as said it seems like there are differences between XP, Vista and 7 (and 8).
Cannot say how neat it could be a plain: MTP=WPD though.
The same device may be seen as Windows Portable Device and accessed through MTP/PTP or seen as Mass Storage and accessed through MSC, I posted the link to Creative site:
support.creative.com/k...?sid=83635
that seems to imply this.
If I get it right any device using MTP is part of WPD, but not all WPD devices use MTP (they could be a camera or whatever and use PTP instead).
Also I seem to understand that at least on 7 or 8 "normal" USB sticks are seen in Explorer as "Portable Device", and as well MTP devices, with a simple Registry Edit, can:
www.ehow.com/how_67591...lorer.html
Particularly this:
blogs.technet.com/b/ju...orage.aspx
seems like a set of nice experiments
Also:
msdn.microsoft.com/en-...s.portable
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-
JackyFox - Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
I wish I had the time to do some experiments with this at the moment. I think it would make a really good study to take some hives/logs from "fresh" installs and then connect up a range of MTP devices, attempt to transfer data by various means and see what traces are recorded.
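Added example, not part of the original post: one way to run the before/after comparison proposed above, by diffing two `reg export` text snapshots. The sample exports, device IDs and value data are constructed placeholders, and the two key paths are assumed starting points for where device traces may appear.

```python
import re

# Constructed `reg export` text (not real evidence): the same two keys exported
# before and after attaching a hypothetical MTP device. IDs are placeholders.
WPD = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices\Devices"
USB = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB"
BEFORE = f"Windows Registry Editor Version 5.00\n\n[{WPD}]\n\n[{USB}]\n"
AFTER = BEFORE + rf'''
[{WPD}\USB#VID_0000&PID_0000#CONSTRUCTED0001]
"FriendlyName"="Example Player"

[{USB}\VID_0000&PID_0000\CONSTRUCTED0001]
"DeviceDesc"="Example Player"
"SampleBlob"=hex:01,02,\
  03,04
'''
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: raw_data}}."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # hex data continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := VALUE.match(line)):
            keys[current][m.group(1).strip('"')] = m.group(2)
    return keys

def diff_snapshots(before, after):
    """Return (new_keys, removed_keys, changed); changed lists
    (key, value_name, old_data, new_data) for added or modified values."""
    b, a = parse_reg(before), parse_reg(after)
    changed = [(k, n, b.get(k, {}).get(n), v)
               for k in sorted(a) for n, v in sorted(a[k].items())
               if b.get(k, {}).get(n) != v]
    return sorted(set(a) - set(b)), sorted(set(b) - set(a)), changed

if __name__ == "__main__":
    new, gone, changed = diff_snapshots(BEFORE, AFTER)
    for k in new: print("NEW KEY  ", k)
    for k, n, old, val in changed: print("NEW/CHG  ", k, n, old, "->", val)
```

Files written by `reg export` are UTF-16 with a byte-order mark, so read them with `open(path, encoding="utf-16")` before passing the text in.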
-
keydet89 - Senior Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
- JackyFox: ...connect up a range of MTP devices...
What, exactly, is an MTP device?
-
hmorgan - Senior Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
- keydet89: - JackyFox: ...connect up a range of MTP devices...
What, exactly, is an MTP device?
en.wikipedia.org/wiki/...r_Protocol
-
JackyFox - Member
Re: Pitfalls of Interpreting Forensic Artifacts in the Regis
- keydet89: What, exactly, is an MTP device?
jaclaz has pointed at some good reference material for this above.
For what it is worth this is my understanding of it and why it's important. Media Transfer Protocol or Picture Transfer Protocol tends to be used in preference to MSC when digital rights management is an issue. When a USB device's primary function is to hold/synchronise data that may be subject to DRM, device manufacturers often select these protocols. They are more restrictive for data transfer and typically operate with proprietary software to allow synchronization or up/downloads of files. From what I understand iOS, some Android devices and several camera manufacturers use MTP/PTP. I am using the phrase MTP device to describe a device that transfers data primarily over MTP.
I think this area appears to require further research, for example to track the traces left by these types of devices and possibly correlate any registry artefacts with logs. Questions like “are the files tracked by signature or just name type?” come to my mind. I think you will understand where I’m going with this.