VID PID Index? Also Windows Event Log Index?


jamesvogel
Newbie
 

VID PID Index? Also Windows Event Log Index?

Posted: Mar 20, 19 08:41

Hello, I am just getting started in digital forensics. I'm operating Magnet Axiom to examine hard drives for a corporation. I routinely find USB devices that have VID and PID numbers listed, but am having trouble identifying the devices. Does anyone know of a centralized index for these codes? If not, can you give me some advice or tips on identifying the devices?

On another note, I come across Windows event logs frequently and have the same problem. I need to identify what the logs are indicating. Any help is appreciated.
 
  

AmNe5iA
Senior Member
 

Re: VID PID Index? Also Windows Event Log Index?

Posted: Mar 20, 19 08:54

 
  

mcman
Senior Member
 

Re: VID PID Index? Also Windows Event Log Index?

Posted: Mar 20, 19 08:56

Depending on your investigation, you probably don't need to worry about every VID/PID that gets listed under USB connections. Most investigations center around USB mass storage devices so I would start focusing there (sorting by Device Class or Friendly Name in AXIOM will prioritize those ones). If you still want to look at other devices, they're there but there will be a lot of things that just use/access the USB drivers that have no investigative value (still worth reviewing as you'll often get MTP devices such as phones being plugged in, etc.).

For event logs, lots of sites will have cheat sheets of forensically significant event IDs (logon/logoff, log cleared, etc.). I usually have a cheat sheet lying around the lab, but a quick search should be able to find you something similar.

Hope that helps,
Jamie McQuaid
Magnet Forensics  
 
  

jamesvogel
Newbie
 

Re: VID PID Index? Also Windows Event Log Index?

Posted: Mar 20, 19 14:17

Thank you!  
 
  

jaclaz
Senior Member
 

Re: VID PID Index? Also Windows Event Log Index?

Posted: Mar 21, 19 03:52

Please also consider two additional points (particularly in the case of USB sticks):
1) VID/PIDs may not be accurate [1]
2) VID/PIDs in most cases can be altered/changed

Here:
www.usb.org/developers

You can find a "valid" list:

Valid USB Vendor ID Numbers
Valid USB Vendor ID Number is a list of companies to which USB-IF has assigned each Vendor ID in decimal format. This list is provided as an informational resource. The USB Implementers Forum is the authority which assigns and maintains all USB Vendor ID Numbers. Each number is assigned to one company which has exclusive rights to its use. Unauthorized use of assigned or unassigned USB Vendor ID Numbers is strictly prohibited. This list is updated quarterly.

and the

Invalid VIDs
The VIDs included on this list have been obsoleted and are not valid.


Only for the record, once upon a time the good USB.org guys provided this list in an easy parsable text format (not entirely unlike the one linked to by AmNe5iA), but it was probably too simple for them and now the lists are .pdf.

jaclaz


[1] All in all there are only a bunch of actual USB stick controller makers and a number of actual USB stick makers.
The maker of the controller already has a VID "embedded".
The maker of the actual USB stick may leave it "as is" or change it to an "own" VID.
The PID is "free", so it can be *anything*.
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
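One way to triage the VID/PID strings a tool like AXIOM lists, as an added Python example that is not from this thread, from Magnet, or from usb.org: it parses Windows device instance IDs, converts the hex VID to the decimal form the usb.org list uses, classifies it against a small vendor table, and flags a USBSTOR vendor string that does not match the VID's owner (which, as the footnote above notes, is often just the controller maker's VID left in place). The vendor table, the obsolete-VID set and all device IDs below are constructed placeholders; the authoritative data is the "Valid USB Vendor ID Numbers" and "Invalid VIDs" lists at www.usb.org/developers.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed lookup table, keyed by decimal VID as usb.org publishes them.
# Replace with entries parsed from the real "Valid USB Vendor ID Numbers" list.
VALID_VIDS = {
    1921: "SanDisk Corp.",          # 0x0781
    2385: "Kingston Technology",    # 0x0951
    2316: "Silicon Motion, Inc.",   # 0x090C, a controller maker
}
# Constructed stand-in for the usb.org "Invalid VIDs" list.
OBSOLETE_VIDS = {4660}              # 0x1234, placeholder value

_VIDPID = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.IGNORECASE)
_VEN = re.compile(r"Ven_([^&\\]+)", re.IGNORECASE)


@dataclass
class UsbTriage:
    vid: int        # decimal, directly comparable with the usb.org list
    pid: int
    vendor: str     # resolved vendor name, or "unknown"
    status: str     # "valid", "obsolete" or "unassigned"


def triage(instance_id: str) -> Optional[UsbTriage]:
    """Classify the VID in a USB\\VID_xxxx&PID_xxxx\\<serial> instance ID."""
    m = _VIDPID.search(instance_id)
    if not m:
        return None     # USBSTOR\Disk&Ven_... entries carry no VID/PID at all
    vid, pid = int(m.group(1), 16), int(m.group(2), 16)
    if vid in OBSOLETE_VIDS:
        return UsbTriage(vid, pid, "unknown", "obsolete")
    if vid in VALID_VIDS:
        return UsbTriage(vid, pid, VALID_VIDS[vid], "valid")
    return UsbTriage(vid, pid, "unknown", "unassigned")   # PID is free-form anyway


def vendor_mismatch(usb_id: str, usbstor_id: str) -> bool:
    """True when the USBSTOR Ven_ string does not name the VID's registered owner.

    Expected for a stick whose maker kept the controller maker's embedded VID;
    worth a note in the report rather than trusting either string alone."""
    t, v = triage(usb_id), _VEN.search(usbstor_id)
    if t is None or v is None or t.vendor == "unknown":
        return False    # nothing reliable to compare
    ven = v.group(1).replace("_", " ").strip().lower()
    return ven not in t.vendor.lower()
```

The same VID-to-decimal step is what lets you match an AXIOM hex value against the usb.org PDF, which lists vendors in decimal.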
 
