USB Forensic Analysis

5 Posts
5 Users
0 Likes
830 Views
(@harshbehl)
Posts: 67
Trusted Member
Topic starter
 

Hi All

I have a USB (Transcend 64GB) and i would like to know that to which devices/computers this USB has been connected?

Any help will be highly appreciated.

 
Posted : 08/03/2017 12:23 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Hi harshbehl,

Which filesystem is it formatted with? If it's FAT32 I'm not sure if you'll have much luck. If it's NTFS you might be able to find unique SIDs in the Recycle Bin, or in the owner attribute of the files present.

 
Posted : 08/03/2017 1:43 pm
JimC
(@jimc)
Posts: 86
Estimable Member
 

1. If the file system is FAT you can check the VBR (first sector) to see if it refers to NTLDR (Windows XP and before), BOOTMGR (Windows Vista and later) or IO.SYS (Windows 9x and DOS). This may help identify which OS formatted the file system.

2. If FAT, the volume serial number may give you an idea when the volume was formatted. Craig Wilson has written a paper on this here http://www.digital-detective.net/documents/Volume%20Serial%20Numbers.pdf

3. If the file system is NTFS you can perform the above check but also check the $Volume file for the $VOLUME_INFORMATION attribute. This will reflect the most recent (NT based) OS to mount the file system. Typically this will be v3.1 for Windows XP and later.

4. If the file system is NTFS you can also check the SIDs associated with files. This may provide a conclusive link back to a specific system (if you have one in mind).

5. Similarly, if the volume contains Windows shortcut files these may contain artefacts linking back to the original system (by name) and ObjectID attributes linking back to the volume the files were "born" on.

Harry Parsonage has written about this here http://computerforensics.parsonage.co.uk/downloads/themeaningoflife.pdf

Paul Sanderson has written about this here
http://sandersonforensics.com/forum/content.php?129-LinkAlyzer-has-this-file-been-moved

Please remember it is also possible the device was formatted by the manufacturer. This may skew the results above.

Hope this helps.

Jim
www.binarymarkup.com

 
Posted : 08/03/2017 3:30 pm
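As an added example (my own code, not Jim's or binarymarkup.com's), here is a small Python parser for steps 1 and 2 above: it reads a FAT volume boot record, pulls out the OEM name, volume serial number, label and file-system type string, and reports which boot-loader name (NTLDR, BOOTMGR or IO.SYS) the boot code text refers to. The sample sector it parses is constructed inline, not taken from a real image.

```python
import struct

# Boot-loader file names that Windows/DOS boot code refers to (per Jim's step 1).
LOADER_HINTS = {
    b"NTLDR": "Windows NT/2000/XP (NTLDR)",
    b"BOOTMGR": "Windows Vista or later (BOOTMGR)",
    b"IO.SYS": "Windows 9x / MS-DOS (IO.SYS)",
}


def parse_fat_vbr(vbr: bytes) -> dict:
    """Parse a FAT12/16/32 volume boot record (sector 0; pass more sectors to widen the loader search)."""
    if len(vbr) < 512 or vbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot-sector signature")
    sectors_per_fat16, = struct.unpack_from("<H", vbr, 22)
    # FAT32 stores 0 here and a 32-bit sectors-per-FAT at offset 36, which moves
    # the extended BPB (drive number, 0x29 signature, serial, label, type) to 64.
    ext = 64 if sectors_per_fat16 == 0 else 36
    if vbr[ext + 2] != 0x29:
        raise ValueError("extended boot signature 0x29 not present")
    serial, = struct.unpack_from("<I", vbr, ext + 3)
    return {
        "oem_name": vbr[3:11].decode("ascii", "replace").rstrip(),
        "serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",   # as shown by DIR / VOL
        "label": vbr[ext + 7:ext + 18].decode("ascii", "replace").rstrip(),
        "fs_type": vbr[ext + 18:ext + 26].decode("ascii", "replace").rstrip(),
        # Boot code follows the BPB; the loader file name appears in its text.
        "loaders": [desc for name, desc in LOADER_HINTS.items() if name in vbr[ext + 26:510]],
    }


def build_sample_fat32_vbr() -> bytes:
    """Constructed FAT32 boot sector (not a real image) for demonstration."""
    buf = bytearray(512)
    buf[0:3] = b"\xEB\x58\x90"
    buf[3:11] = b"MSDOS5.0"                 # OEM name written by Windows format
    struct.pack_into("<HBHB", buf, 11, 512, 8, 32, 2)  # bytes/sector, sectors/cluster, reserved, FATs
    buf[21] = 0xF8                            # media descriptor
    struct.pack_into("<I", buf, 36, 1000)     # FAT32 sectors per FAT (offset 22 stays 0)
    buf[66] = 0x29
    struct.pack_into("<I", buf, 67, 0x3A7B1C2D)  # constructed volume serial number
    buf[71:82] = b"USBSTICK   "
    buf[82:90] = b"FAT32   "
    buf[90:130] = b"Disk error\r\nPress any key\r\n\x00BOOTMGR".ljust(40, b"\x00")
    buf[510:512] = b"\x55\xAA"
    return bytes(buf)


if __name__ == "__main__":
    print(parse_fat_vbr(build_sample_fat32_vbr()))
```

Run it against the first sector of your own image (for example the output of `dd if=usb.dd bs=512 count=1`) to see the OEM string, serial and loader hint for the real device.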
(@bntrotter)
Posts: 63
Trusted Member
 

Do you have any suspected machines?

You can search for SIDs, geo metadata, images, Office Documents, file with credential metadata.

 
Posted : 09/03/2017 7:43 pm
Thomas
(@thomas)
Posts: 59
Trusted Member
 

Windows writes the instance id of used usb sticks to the registry.
To find the serial number of your own stick you can use USBDeview http://www.nirsoft.net/utils/usb_devices_view.html. Copy the "Instance ID" from your stick. (example USB\VID_0951&PID_16A3\1C6F654CED39BE91A95F0123)

USBDeview is portable and also shows the complete history of used USB devices, so you can take it to other PCs to check if your stick was used there.

If the stick is lost or stolen in a large corporation, and you want to know if somebody has used it, you can do a network scan with SoftPerfect Network Scanner https://www.softperfect.com/products/networkscanner/
This scanner is shareware, but note that this scanner was free until version 6.2.1, so if you can get this version you should be fine.
In Options -> Remote registry you can put the instance id and scan the whole network (you need admin rights to do this).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0951&PID_16A3\1C6F654CED39BE91A95F0123

Remember that registry keys can be deleted, but that is exceptional…
I have had success with this method! Good luck!

 
Posted : 10/03/2017 2:15 am