USB sticks / Registry

8 Posts
5 Users
0 Likes
619 Views
(@djc162)
Posts: 2
New Member
Topic starter
 

Howdy,
I am new here. Hope I didn't miss a post on this topic already.

Keep in mind I am not allowed to use unauthorized software on the network.
I have been asked to find out if a specific user has used a specific USB stick on specific workstation in another location.

All the Google searches keep coming back with "use X tool" (which I can't use on the network).

On my own workstation, so far I have reviewed the USBSTOR and found a list of sticks. But I can't tag it to a specific user that I can tell. I tried running the "ContainerID" through the registry search, no luck.

I do have access to EnCase and Nuix offline. Nuix is more of a file search tool at this point.

The only thing I can think of would be to extract the registry, take it to an offline workstation and do an examination that way. I guess, can I remotely extract the registry from another workstation?

Is there a way using the tools within Win7 to do this without using a DL'd tool?

 
Posted : 29/06/2016 4:00 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

And are you really-really sure that the "X tool" can actually "tag use of a stick to a user"?

Can you post the name of the "X tool"? (Even if you cannot use it, it might be good to know its name and verify its capabilities.)

IMHO it is the question that makes little sense:

I have been asked to find out if a specific user has used a specific USB stick on specific workstation in another location.

Maybe the actual question is slightly different; as you posted it, it has no answer, no matter the tool(s) involved.

The OS doesn't log use of a USB stick by user at all.

You can - maybe - find when exactly a specific stick has been connected to the computer (for the first time) and/or find other date/time file access artifacts that may be coupled with a given user login session.

But all this has a lot more to do with a complete timeline of the system than with "tag use of a stick to a user".

jaclaz

 
Posted : 29/06/2016 5:35 pm
(@djc162)
Posts: 2
New Member
Topic starter
 

I am pretty sure that EnCase can pin down who used a USB stick. I said "X tool" before as I wasn't 100% sure what else; I was somewhat sure that FTK would. I have seen some other tools when I Googled the subject.

But it still comes down to I can't use unauthorized software on a networked machine. The investigators want to be able to tag a stick to a specific user.

 
Posted : 29/06/2016 6:05 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I am pretty sure that EnCase can pin down who used a USB stick.

Well, IF EnCase can do it, since you have it, use it (or is it unauthorized on that machine?).
If it is, you take the disk image or clone to the non-networked (but authorized) machine and verify that it can actually "pin down who used the USB stick" (I doubt it will, but if you are sure about it, it is 100 times better to use a tool that you are familiar with than any other tool).

I said "X tool" before I wasn't 100% what else, I was somewhat sure that FTK would. I have seen some other tools when I Googled the subject.

Sure, but one thing is Google results, another is what the software firm's marketing writes, and yet another thing is the actual specific capabilities of a piece of software.
AFAIK there is NO software on earth (except maybe in NSA and other three or more letter government agencies) that can "pin down who used a USB stick".

But it still comes down to I can't use unauthorized software on a Networked machine.

Yep, but again you should have a forensically sound image of the disk that you can then analyze on *any* machine; what is the problem?

The investigators want to be able to tag a stick to a specific user.

Sure, and possibly they also want to have a video recording of him/her accessing the machine, but what they want may not be what can be done.

That data is NOT LOGGED "directly" by the OS.
There are no shortcuts (when compared to a full timeline and registry and logs extraction).
With a full timeline there may (or may not) be evidence enough to tie a user to a specific USB device, and even then from "user" to "who used" there is a further leap.

jaclaz

 
Posted : 29/06/2016 6:49 pm
(@vootz)
Posts: 27
Eminent Member
 

You MAY find this information in the particular user's NTUSER.DAT MountPoints2 key - it shows if a user was logged in/active when a USB device was connected; but this doesn't happen all the time and the device may have been connected by multiple users.

NTUSER.DAT - Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 - lists device GUIDs which that user connected

 
Posted : 29/06/2016 7:01 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

You MAY find this information in the particular user's NTUSER.DAT MountPoints2 key - it shows if a user was logged in/active when a USB device was connected; but this doesn't happen all the time and the device may have been connected by multiple users.

NTUSER.DAT - Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 - lists device GUIDs which that user connected

Yep, a "full set" of instructions is here:
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Extracting-USB-Artifacts-from-Windows-7.html

jaclaz

 
Posted : 29/06/2016 8:21 pm
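The two keys vootz names can be joined offline without any third-party software, because `reg export` (built into Windows) writes plain text that any script can read. The script below is an added example, not code from the thread or from the linked article. It assumes the standard link between the two keys, `HKLM\SYSTEM\MountedDevices`, whose `\??\Volume{GUID}` values hold the USBSTOR instance path as UTF-16LE text, and it runs on constructed sample exports (serials, volume GUIDs, device names and user names are all made up). One limit it cannot remove: `reg export` does not carry key last-write timestamps, so it answers "which profile mounted this stick's volume", not "when".

```python
"""Join USBSTOR, MountedDevices and per-user MountPoints2 from `reg export` text.
Added example with constructed sample exports, not code from the thread."""
import re
from collections import defaultdict

GUID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def _unescape(s):  # .reg files write \\ for a backslash and \" for a quote
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {key_path: {value_name: str | bytes}} from 'reg export' output.
    A trailing backslash continues hex data on the next line."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue  # header, blank line or the (@) default value
        name, data = _unescape(m.group(1)), m.group(2)
        if data.startswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.startswith("hex"):
            keys[current][name] = bytes(int(h, 16) for h in data.split(":", 1)[1].split(",") if h)
    return keys


def usbstor_devices(keys):
    """serial -> FriendlyName for every Enum\\USBSTOR\\<device>\\<serial>&<n> key."""
    devices = {}
    for path, values in keys.items():
        parts = path.split("\\")
        if len(parts) >= 3 and parts[-3].upper() == "USBSTOR":
            devices[parts[-1].split("&")[0]] = values.get("FriendlyName", parts[-2])
    return devices


def volume_to_serial(keys):
    """volume GUID -> USB serial. For a USB volume the REG_BINARY data of
    \\??\\Volume{GUID} is UTF-16LE text: _??_USBSTOR#<device>#<serial>&0#{class-guid}."""
    mapping = {}
    for path, values in keys.items():
        if not path.upper().endswith("\\MOUNTEDDEVICES"):
            continue
        for name, data in values.items():
            g = GUID_RE.search(name)
            if g and isinstance(data, bytes):
                segs = data.decode("utf-16-le", errors="ignore").rstrip("\x00").split("#")
                if len(segs) >= 3 and "USBSTOR" in segs[0].upper():
                    mapping[g.group(0).lower()] = segs[2].split("&")[0]
    return mapping


def user_volumes(keys):
    """Volume GUIDs that are subkeys of the profile's Explorer\\MountPoints2."""
    vols = set()
    for path in keys:
        parts = path.split("\\")
        if len(parts) >= 2 and parts[-2].lower() == "mountpoints2" and GUID_RE.fullmatch(parts[-1]):
            vols.add(parts[-1].lower())
    return vols


def correlate(system_export, profile_exports):
    """profile_exports = {user: export of that user's loaded NTUSER.DAT}.
    Returns {serial: {"device": name, "users": [...]}}; an empty list is the case vootz
    warns about: the OS saw the stick but no supplied profile ever mounted its volume."""
    sys_keys = parse_reg_export(system_export)
    vol2serial = volume_to_serial(sys_keys)
    hits = defaultdict(set)
    for user, text in profile_exports.items():
        for vol in user_volumes(parse_reg_export(text)):
            if vol in vol2serial:
                hits[vol2serial[vol]].add(user)
    return {s: {"device": n, "users": sorted(hits[s])} for s, n in usbstor_devices(sys_keys).items()}


def _reg_hex(s, per_line=20):  # UTF-16LE bytes as 'hex:' data, wrapped like reg export does
    hx = [f"{b:02x}" for b in s.encode("utf-16-le")]
    return ",\\\n  ".join(",".join(hx[i:i + per_line]) for i in range(0, len(hx), per_line))


# Constructed sample exports: serials, GUIDs, device and user names are made up.
SERIAL_A, SERIAL_B = "4C530001234567890123", "001CC0EC34D5BB20"
VOL_A, VOL_B = "{9d6d8a1e-3b2c-11e6-8b0a-806e6f6e6963}", "{9d6d8a22-3b2c-11e6-8b0a-806e6f6e6963}"
CLASS = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"  # GUID_DEVINTERFACE_DISK, the suffix of these values
DEV_A, DEV_B = "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00", "Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP"
DATA_A = f"_??_USBSTOR#{DEV_A}#{SERIAL_A}&0#{CLASS}"
DATA_B = f"_??_USBSTOR#{DEV_B}#{SERIAL_B}&0#{CLASS}"
SYSTEM_EXPORT = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\{DEV_A}\\{SERIAL_A}&0]
"FriendlyName"="SanDisk Cruzer USB Device"

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\{DEV_B}\\{SERIAL_B}&0]
"FriendlyName"="Kingston DataTraveler USB Device"

[HKEY_LOCAL_MACHINE\\SYSTEM\\MountedDevices]
"\\\\??\\\\Volume{VOL_A}"=hex:{_reg_hex(DATA_A)}
"\\\\??\\\\Volume{VOL_B}"=hex:{_reg_hex(DATA_B)}
"""
PROFILE_EXPORTS = {  # each NTUSER.DAT loaded as HKU\<user> with 'reg load', then exported
    "alice": f"""[HKEY_USERS\\alice\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{VOL_A}]
"BaseClass"="Drive"
""",
    "bob": """[HKEY_USERS\\bob\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{0a1b2c3d-4e5f-11e6-8b0a-806e6f6e6963}]
"BaseClass"="Drive"
""",
}

if __name__ == "__main__":
    for serial, info in correlate(SYSTEM_EXPORT, PROFILE_EXPORTS).items():
        print(serial, info["device"], "->", info["users"] or "no supplied profile mounted it")
```

On real data the three inputs are the exports of `HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR` and `HKLM\SYSTEM\MountedDevices` taken from the SYSTEM hive, plus one export of `...\Explorer\MountPoints2` per NTUSER.DAT loaded with `reg load`. The result is still only "this profile's Explorer mounted that volume", which is jaclaz's point: it narrows the timeline to a profile, it does not say who was at the keyboard.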
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

If the specific user also ran something from this USB stick, an approach would be to try to nail that down in the registry entries, because then you would have user-related information as well.

In the past I used NirSoft RegScanner and RegFromApp to analyze registry modifications.

 
Posted : 02/07/2016 3:36 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Keep in mind I am not allowed to use unauthorized software on the network.

…and…

I have been asked to find out if a specific user has used a specific USB stick on specific workstation in another location.

Okay, so, a couple of questions…

First, what OS are you using? Then, what OS is the remote system? When I ask about the OS, I'm not looking for "Windows", but instead, "Windows XP" or "Windows 7"; essentially, the version of Windows.

Now, what constitutes "unauthorized software"? I ask because you likely have all of the tools you need already on your system, assuming that both are Windows 7.

For example, you can use something like wevtutil.exe to export various Windows Event Logs from the remote system in a searchable format, and get the information you're looking for. You can then use something like RegEdit or reg.exe to access the Registry on the remote system and obtain further information to verify the use of the USB device.

 
Posted : 03/07/2016 6:32 pm
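jaclaz's remark that a connection time has to be "coupled with a given user login session" and keydet89's suggestion of exporting event logs with wevtutil.exe combine into one check: rebuild the interactive logon sessions from Security events 4624 (logon) and 4634 (logoff) and ask whose session encloses the device timestamp. The script below is an added example, not code from the thread or from any tool; it parses the XML that `wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4634)]]" /f:xml` emits. The events, user names, logon IDs and times are constructed, and the device timestamp is assumed to come from elsewhere (for instance the USBSTOR subkey last-write time read with a hive parser).

```python
"""Rebuild interactive logon sessions from Security 4624/4634 events (as exported
by `wevtutil qe Security /f:xml`) and report who was logged on when a device
appeared.  Added example with constructed events, not code from the thread."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
INTERACTIVE = {"2", "10", "11"}  # console, RDP and cached-console logons: the ones with a desktop


def parse_time(stamp):
    """TimeCreated carries 7 fractional digits (2016-06-29T08:02:11.1234567Z); trim to 6."""
    stamp = re.sub(r"(\.\d{6})\d*Z$", r"\1", stamp).rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in stamp else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(stamp, fmt)


def iter_events(xml_text):
    """Yield (event_id, time, {Data Name: text}). wevtutil writes bare <Event>
    elements with no enclosing root, so wrap them before parsing."""
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    for ev in root.iter(NS + "Event"):
        system = ev.find(NS + "System")
        eid = int(system.find(NS + "EventID").text)
        when = parse_time(system.find(NS + "TimeCreated").get("SystemTime"))
        yield eid, when, {d.get("Name"): (d.text or "") for d in ev.iter(NS + "Data")}


def build_sessions(xml_text):
    """Return [(user, logon_id, start, end)] sorted by start; end is None if no 4634 was seen."""
    open_sessions, sessions = {}, []
    for eid, when, data in iter_events(xml_text):
        if data.get("LogonType") not in INTERACTIVE:
            continue  # network/service/batch logons have no Explorer shell to mount a volume in
        logon_id = data.get("TargetLogonId")
        if eid == 4624:
            open_sessions[logon_id] = (data["TargetDomainName"] + "\\" + data["TargetUserName"], when)
        elif eid == 4634 and logon_id in open_sessions:
            user, start = open_sessions.pop(logon_id)
            sessions.append((user, logon_id, start, when))
    sessions.extend((user, lid, start, None) for lid, (user, start) in open_sessions.items())
    return sorted(sessions, key=lambda s: s[2])


def users_logged_on_at(sessions, when):
    """Users whose interactive session encloses `when`. Several names means the timestamp
    alone cannot single out one person; none means nobody was interactively logged on."""
    return sorted({u for u, _, start, end in sessions if start <= when and (end is None or when <= end)})


def _event(eid, when, **data):  # minimal shape of one wevtutil XML event (constructed)
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
            f"<Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>{eid}</EventID>"
            f"<TimeCreated SystemTime='{when}'/></System><EventData>{fields}</EventData></Event>\n")


SAMPLE_LOG = (  # constructed Security log extract; names, logon IDs and times are made up
    _event(4624, "2016-06-29T08:02:11.1234567Z", TargetUserName="alice", TargetDomainName="CORP",
           LogonType="2", TargetLogonId="0x3e7a1")
    + _event(4624, "2016-06-29T08:05:00.0000000Z", TargetUserName="svc_backup", TargetDomainName="CORP",
             LogonType="5", TargetLogonId="0x3f000")
    + _event(4634, "2016-06-29T12:40:45.0000000Z", TargetUserName="alice", TargetDomainName="CORP",
             LogonType="2", TargetLogonId="0x3e7a1")
    + _event(4624, "2016-06-29T13:15:09.0000000Z", TargetUserName="bob", TargetDomainName="CORP",
             LogonType="10", TargetLogonId="0x5a2c4")
)
# Constructed stand-in for the device's first-connect time (e.g. the USBSTOR subkey
# last-write time read with a hive parser); it is not derived from the events above.
DEVICE_FIRST_SEEN = parse_time("2016-06-29T10:21:33.0000000Z")

if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_LOG)
    for user, logon_id, start, end in sessions:
        print(f"{user:<12} {logon_id:<8} {start} -> {end or 'still logged on at export'}")
    print("logged on when the device appeared:", users_logged_on_at(sessions, DEVICE_FIRST_SEEN))
```

The service logon (type 5) is dropped on purpose: only logon types that own a desktop can have had Explorer mount the volume, so keeping the others would only add noise. The answer is "whose session was open", which is as far as this evidence goes; the further leap to "who used" that jaclaz describes still needs the rest of the timeline.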