Pitfalls of Interpreting Forensic Artifacts in the Registry


jaclaz
Senior Member
 

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Nov 15, 12 15:38

The more I look into this, the more it seems to me a horror story. Shocked

However someone Wink has seemingly written a RegRipper plugin (to get at least drive letters):
windowsir.blogspot.it/...vista.html

Some more bits and pieces:
www.blackviper.com/win...r-service/
www.mobiletechworld.co...usb-drive/
support.creative.com/k...?sid=83635
www.irongeek.com/i.php...sb-devices

This might also be of use (maybe):
opensource.creative.co..._enum.html

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

keydet89
Senior Member
 

Re: Pitfalls of Interpreting Forensic Artifacts in the Registry

Post Posted: Nov 15, 12 18:21

jaclaz,

So you're saying that this MTP stuff you're talking about is synonymous with the Windows Portable Devices?  
 
  

jaclaz
Senior Member
 

Re: Pitfalls of Interpreting Forensic Artifacts in the Registry

Post Posted: Nov 15, 12 19:41

- keydet89
jaclaz,

So you're saying that this MTP stuff you're talking about is synonymous with the Windows Portable Devices?

Yep. Though as said it seems like there are differences between XP, Vista and 7 (and 8).

Cannot say how neat it could be a plain: MTP=WPD though.

The same device may be seen as Windows Portable Device and accessed through MTP/PTP or seen as Mass Storage and accessed through MSC, I posted the link to Creative site:
support.creative.com/k...?sid=83635
that seems to imply this.

If I get it right any device using MTP is part of WPD, but not all WPD devices use MTP (they could be a camera or whatever and use PTP instead).

Also I seem to understand that at least on 7 or 8 "normal" USB sticks are seen in Explorer as "Portable Device", and as well MTP devices, with a simple Registry Edit, can:
www.ehow.com/how_67591...lorer.html
Particularly this:
blogs.technet.com/b/ju...orage.aspx
seems like a set of nice experiments.

Also:
msdn.microsoft.com/en-...s.portable


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
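As an added illustration of the point jaclaz makes above (the same physical device can show up as a Mass Storage drive and as a Windows Portable Device reached over MTP/PTP), here is a small Python triage helper of my own. It is not the RegRipper plugin linked above and not code from any project on this page. It assumes the Vista/7 layout of HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices, where each subkey name is a device interface path and the FriendlyName value holds either a drive letter or a device name; the two interface GUIDs are the disk and WPD device-interface class GUIDs as I know them, and every subkey name below is a constructed sample, not data taken from a real hive. Correlating MSC and MTP entries on the USB serial is a heuristic assumption, not something the page establishes.

```python
import re

# Device interface class GUIDs (Windows values as I know them; treat as an assumption):
# GUID_DEVINTERFACE_DISK and GUID_DEVINTERFACE_WPD.
DISK_INTERFACE_GUID = "53f56307-b6bf-11d0-94f2-00a0c91efb8b"
WPD_INTERFACE_GUID = "6ac27878-a6fa-4155-ba85-f98f491d4f33"

# Constructed sample of subkey names under
# HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices mapped to their
# FriendlyName value (layout assumed; serials and names are made up).
SAMPLE_WPD_DEVICES = {
    "SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER&REV_1.00"
    "#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}": "E:\\",
    # A player in Mass Storage mode...
    "SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_CREATIVE&PROD_ZEN&REV_1.00"
    "#ZEN0000ABCDEF&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}": "G:\\",
    # ...and the same player (same serial) in MTP mode.
    "USB#VID_041E&PID_4157#ZEN0000ABCDEF#{6ac27878-a6fa-4155-ba85-f98f491d4f33}": "Creative ZEN",
    "USB#VID_04E8&PID_6860&MS_COMP_MTP&SAMSUNG_ANDROID#R32D1234ABC"
    "#{6ac27878-a6fa-4155-ba85-f98f491d4f33}": "SAMSUNG Android",
}

_TOKEN = re.compile(r"(VEN|PROD|REV|VID|PID)_([^&#]+)")


def parse_wpd_key(name, friendly_name):
    """Split one WPD Devices subkey name into the fields an analyst cares about."""
    parts = name.split("#")
    guid = parts[-1].strip("{}").lower()
    ids = dict(_TOKEN.findall(name))
    if "WPDBUSENUM" in parts and any(p.endswith("USBSTOR") for p in parts):
        access = "MSC"                              # mass storage: Explorer shows a drive
        serial = parts[-2].rsplit("&", 1)[0]        # drop the "&0" LUN suffix
        vendor, product = ids.get("VEN", ""), ids.get("PROD", "")
    elif guid == WPD_INTERFACE_GUID:
        access = "MTP/PTP"                          # true WPD device: no drive letter
        serial = parts[-2]
        vendor, product = "VID_" + ids.get("VID", ""), "PID_" + ids.get("PID", "")
    else:
        access = "unknown"
        serial = parts[-2] if len(parts) >= 2 else ""
        vendor = product = ""
    m = re.fullmatch(r"([A-Z]):\\?", friendly_name)  # "E:\" style FriendlyName
    return {
        "access": access,
        "vendor": vendor,
        "product": product,
        "serial": serial,
        "drive_letter": m.group(1) if m else None,
        "friendly_name": friendly_name,
        "mtp_hint": "MS_COMP_MTP" in name,          # MTP compatible-ID token, if present
    }


def correlate_by_serial(devices):
    """Group parsed entries by serial so one device seen in both modes is reported once."""
    by_serial = {}
    for name, friendly in devices.items():
        rec = parse_wpd_key(name, friendly)
        by_serial.setdefault(rec["serial"], []).append(rec)
    return by_serial


if __name__ == "__main__":
    for serial, recs in correlate_by_serial(SAMPLE_WPD_DEVICES).items():
        modes = sorted({r["access"] for r in recs})
        letters = [r["drive_letter"] for r in recs if r["drive_letter"]]
        print(serial, modes, letters or "no drive letter")
```

The useful output is the grouping: the Creative serial appears under both an MSC entry (with a drive letter) and an MTP/PTP entry (with none), which is exactly the case where a drive-letter-only view of the Registry would miss half the story. Feed it real subkey names and FriendlyName values exported from a hive instead of the constructed sample to try it on a case.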
 
  

JackyFox
Member
 

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Nov 16, 12 03:38

I wish I had the time to do some experiments with this at the moment. I think it would make a really good study to take some hives/logs from "fresh" installs and then connect up a range of MTP devices, attempt to transfer data by various means and see what traces are recorded.  
 
  

keydet89
Senior Member
 

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Nov 16, 12 05:10

- JackyFox
...connect up a range of MTP devices...


What, exactly, is an MTP device?  
 
  

hmorgan
Senior Member
 

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Nov 16, 12 15:15

- keydet89
- JackyFox
...connect up a range of MTP devices...


What, exactly, is an MTP device?


en.wikipedia.org/wiki/...r_Protocol  
 
  

JackyFox
Member
 

Re: Pitfalls of Interpreting Forensic Artifacts in the Regis

Post Posted: Nov 16, 12 19:08

- keydet89
What, exactly, is an MTP device?


jaclaz has pointed at some good reference material for this above.

For what it is worth this is my understanding of it and why it's important. Media Transfer Protocol or Picture Transfer Protocol tends to be used in preference to MSC when digital rights management is an issue. When a USB device's primary function is to hold/synchronise data that may be subject to DRM, device manufacturers often select these protocols. They are more restrictive for data transfer and typically operate with proprietary software to allow synchronization or up/downloads of files. From what I understand iOS, some Android devices and several camera manufacturers use MTP/PTP. I am using the phrase MTP device to describe a device that transfers data primarily over MTP.

I think this area appears to require further research, for example to track the traces left by these types of devices and possibly correlate any registry artefacts with logs. Questions like "are the files tracked by signature or just name type?" come to my mind. I think you will understand where I'm going with this.
 

Page 7 of 8