Last Written on MountPoints2

10 Posts
3 Users
0 Likes
2,016 Views
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

Is the Last Written time under mountpoints2 still a reliable way to absolutely know the usb devices connected to a computer for that particular user? Is there something even more reliable than that? I have regripper showing me differences between mountpoints2 and mounteddevices. One of those differences is the fact that two drives had the same drive letter, but for some reason regripper is saying that the EARLIER time had the F:\ designation, but not the later. When I try to correlate what's in mountpoints2, it shows me that a different drive probably had the F:\ designation. I also have volume IDs listed under MP2 that aren't listed in regripper.

 
Posted : 05/10/2017 4:29 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Try getting a "second opinion"
https://github.com/woanware/usbdeviceforensics

And possibly a third one
http://sysforensics.org/2015/03/python-registry-parser/
https://github.com/sysforensics/python-regparse/

jaclaz

 
Posted : 05/10/2017 7:52 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

Try getting a "second opinion"
https://github.com/woanware/usbdeviceforensics

And possibly a third one
http://sysforensics.org/2015/03/python-registry-parser/
https://github.com/sysforensics/python-regparse/

jaclaz

Thank you jaclaz!

 
Posted : 05/10/2017 8:29 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Is the Last Written time under mountpoints2 still a reliable way to absolutely know the usb devices connected to a computer for that particular user?

Which version of Windows are you examining? It's somewhat important.

Is there something even more reliable than that?

Depends on the version of Windows.

I have regripper showing me differences between mountpoints2 and mounteddevices. One of those differences is the fact that two drives had the same drive letter, but for some reason regripper is saying that the EARLIER time had the F:\ designation, but not the later. When I try to correlate what's in mountpoints2, it shows me that a different drive probably had the F:\ designation.

What do the Windows Portable Devices and EMDMgmt keys show?

I also have volume IDs listed under MP2 that aren't listed in regripper.

Okay, I'm not sure I follow this one…can you elaborate? Is this something that you feel needs to be addressed/fixed?

 
Posted : 07/10/2017 11:40 am
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

Which version of Windows are you examining? It's somewhat important.

It's Windows 7

I have regripper showing me differences between mountpoints2 and mounteddevices. One of those differences is the fact that two drives had the same drive letter, but for some reason regripper is saying that the EARLIER time had the F:\ designation, but not the later. When I try to correlate what's in mountpoints2, it shows me that a different drive probably had the F:\ designation.

What do the Windows Portable Devices and EMDMgmt keys show?

I also have volume IDs listed under MP2 that aren't listed in regripper.

Okay, I'm not sure I follow this one…can you elaborate? Is this something that you feel needs to be addressed/fixed?

I misspoke with this one. What I found is under MountedDevices with the mountdev2 plugin, and I'm not sure how to explain it. I can only assume the E:\ is listed because nothing has used it since 9/6. D and F have been used numerous times.


Volume                                            Disk Sig     Offset
------                                            --------     ------
\??\Volume{0fea365c-78a2-11e4-82b7-00a0c6000012}  30 73 55 7d  0
\??\Volume{17d0b573-827e-11e4-bb62-8019346de8ee}  a4 b5 73 00  0
\??\Volume{17d0b5ca-827e-11e4-bb62-8019346de8ee}  4e 15 7f fc  0
\??\Volume{338de6c2-9b9f-11e4-b227-8019346de8ee}  27 2e 0a c5  0
\??\Volume{5371ac20-7a2e-11e4-9e9f-8019346de8ee}  7f 29 e3 19  0
\??\Volume{5ab2d5ab-063e-11e6-bd43-8019346de8ee}  1e ff 3c a3  0
\??\Volume{c0db46b1-1112-11e7-9aa8-8019346de8ee}  fc a0 64 18  0
\??\Volume{ddd55bc2-6913-11e4-a4df-806e6f6e6963}  66 bf 92 34  0
\DosDevices\C:                                    66 bf 92 34  0
\DosDevices\D:                                    27 2e 0a c5  0
\DosDevices\E:                                    7f 29 e3 19  0
\DosDevices\F:                                    1e ff 3c a3  0

I'm assuming to read this, all that would need to be done is to correlate the disk signature with the disk signature associated to the volume. For example

Last known mounted D:\ volume disk signature is 27 3e 0a c5, so the volume according to this output should be 338de6c2-9b9f-11e4-b227-8019346de8ee.

EMDMgmt is empty, and Windows Portable Devices does have the drives listed, but only with the drive letter and not the volume. All of them in Windows Portable Devices are D and F with the exception of one E:\.


MountedDevices
LastWrite time = Sun Sep 17 17:02:22 2017Z

\DosDevices\F:
Drive Signature = 1e ff 3c a3
\??\Volume{5ab2d5ab-063e-11e6-bd43-8019346de8ee}
Drive Signature = 1e ff 3c a3
\??\Volume{c0db46b1-1112-11e7-9aa8-8019346de8ee}
Drive Signature = fc a0 64 18

One particular question I had about how to read RegRipper was the \DosDevices listed. Do the two volumes below \DosDevices\F: have any historical significance with relation to these being once associated to the F:\ drive letter designation? I'm assuming that it's not parsed in order like that, and it's better to correlate the drive signature. I have one volume that I haven't been able to associate to a drive letter, and there were no lnk files associated to that particular device.

I've been working off of the last written timestamp of the mountpoints2 key to determine the last devices connected and then used RegRipper to correlate those volumes to drive letters.

Thank you Harlan for the response!

 
Posted : 07/10/2017 4:35 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

@jblakely

I would make the list/pairing as follows

{ddd55bc2-6913-11e4-a4df-806e6f6e6963} 66 bf 92 34 \DosDevices\C: time 2014-11-10 19:57:57.500000.2 UTC
{0fea365c-78a2-11e4-82b7-00a0c6000012} 30 73 55 7d time 2014-11-30 15:03:37.500015.6 UTC
{5371ac20-7a2e-11e4-9e9f-8019346de8ee} 7f 29 e3 19 \DosDevices\E: time 2014-12-02 14:20:11.500035.2 UTC
{17d0b573-827e-11e4-bb62-8019346de8ee} a4 b5 73 00 time 2014-12-13 04:11:20.500158.7 UTC
{17d0b5ca-827e-11e4-bb62-8019346de8ee} 4e 15 7f fc time 2014-12-13 04:11:20.500167.4 UTC
{338de6c2-9b9f-11e4-b227-8019346de8ee} 27 2e 0a c5 \DosDevices\D: time 2015-01-14 03:41:19.500051.4 UTC
{5ab2d5ab-063e-11e6-bd43-8019346de8ee} 1e ff 3c a3 \DosDevices\F: time 2016-04-19 14:52:36.078737.1 UTC
{c0db46b1-1112-11e7-9aa8-8019346de8ee} fc a0 64 18 time 2017-03-25 04:23:10.076894.5 UTC

Which you may compare with the date/times of the actual corresponding Registry keys.

Now tentatively (pure hypothesis from the data you posted)
The system has been installed on 2014-11-10 on disk 66 bf 92 34, drive C (this can be compared also with setupapi.log date/time)
On 2014-11-30 a device was connected 30 73 55 7d and got drive letter D (later overwritten)
On 2014-12-02 a device was connected 7f 29 e3 19 and got drive letter E, this could be a USB hard disk? (or however seemingly it wasn't removed)
On 2014-12-13 *something strange* happened, two different devices were connected within a "too narrow" timeframe, maybe a hiccup of the system or a defective USB device?
On 2015-01-14 a device was connected 27 2e 0a c5 and got drive letter D (overwriting the previous assignment)
On 2016-04-19 a device was connected 1e ff 3c a3 and got drive letter F (implying that at the time both D and E were assigned).
On 2017-03-25 a device was connected fc a0 64 18 and got either D, E or F drive letter (because one of the devices that historically had those drive letters was removed)
Any time after the removal of this latter device the device that was previously removed (more probably D or F) has been reconnected and got back the available drive letter.

This is assuming that this is a "plain install", with no "strange" things done to it (like re-initializing a same device or changing disk signatures, etc.), the times are a bit "queer" (many are in the early hours of the morning) for an "office" PC, if it's vice versa a "home" machine, they are more plausible.

BTW are those "offsets" really-really 0? 😯

jaclaz

 
Posted : 07/10/2017 7:22 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

BTW are those "offsets" really-really 0? 😯

jaclaz

Yeah, they show up as 0 for all volumes. May be a stupid question, but what should I be seeing for the offset? Is that the offset for where the volume should start on the device? I noticed under USBSTOR that the volume reported (from my experience) is 2 bytes incremented from the partmgr volume guid.

So, aa21ce under partmgr would show up as volume aa21d0-<something>. I haven't been able to find documentation on this anywhere, but I noticed it during this investigation. It was consistent across all drives.

Thanks jaclaz :D

 
Posted : 07/10/2017 9:17 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

BTW are those "offsets" really-really 0? 😯

jaclaz

Yeah, they show up as 0 for all volumes. May be a stupid question, but what should I be seeing for the offset? Is that the offset for where the volume should start on the device? I noticed under USBSTOR that the volume reported (from my experience) is 2 bytes incremented from the partmgr volume guid.

So, aa21ce under partmgr would show up as volume aa21d0-<something>. I haven't been able to find documentation on this anywhere, but I noticed it during this investigation. It was consistent across all drives.

Thanks jaclaz :D

Forget for one moment RegRipper or *any other* tool.

Open the Registry with *any* registry editor/viewer.
The value of (example)
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\DosDevices\C:
will be in the form
<DISK SIGNATURE (4 bytes)> <OFFSET TO PBR (8 bytes) in bytes>
Typical (default) value for XP and earlier (to first partition):
00 7E 00 00 00 00 00 00 -> 0x0000000000007E00 -> 32256 -> 63*512
Typical (default) value on Vista and later (to first partition):
00 00 10 00 00 00 00 00 -> 0x0000000000100000 -> 1048576 -> 2048*512

The above applies to volumes on partitioned media (additionally "fixed" devices such as hard disks).
Non partitioned devices, such as (normally) USB sticks (that are anyway usually of the "removable" type) will be identified by a looong string beginning with 5C 00 3F 00 3F 00, something *like* (example of one of my sticks on XP getting drive letter F )

\??\Volume{7310046d-9614-11e7-b0b5-001fc6bb76ce} ->
\??\STORAGE#RemovableMedia#7&38fa3d01&1&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

\DosDevices\F: ->
\??\STORAGE#RemovableMedia#7&38fa3d01&1&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Example of a fixed (USB) disk (taking drive letter F as well, only first partition)
\??\Volume{24430943-2a07-11e5-b0a1-001fc6bb76ce} ->
78 56 34 12 00 7E 00 00 00 00 00 00

\DosDevices\F: ->
78 56 34 12 00 7E 00 00 00 00 00 00

In other words, if there is a Disk Signature, then the device is "fixed" and there must be also a non-0 offset to the volume(s) (there might be a few exceptions on specially crafted devices with first absolute sector being at the same time a MBR and a bootsector, but they are extremely rare, as well there are filter drivers like diskmod.sys that may change the behaviour/device type but they are even more scarce).

The aa21ce vs aa21d0 is, I believe, what we already saw here?
https://www.forensicfocus.com/Forums/viewtopic/p=6590719/#6590719

jaclaz

 
Posted : 08/10/2017 10:07 am
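As an added example (not part of this thread, and not RegRipper's or any other tool's code), the Python below decodes MountedDevices data the way the post above describes (4-byte disk signature plus 8-byte offset for partitioned media, a \??\STORAGE# string for non-partitioned removable media), pairs each \DosDevices\X: value with the \??\Volume{GUID} values carrying byte-identical data as the earlier posts do by hand, and extracts the version-1 GUID timestamps that jaclaz's dated list relies on. The sample hive values are constructed from data quoted in the thread; the offsets are set to the Vista+ default rather than the 0 shown in the RegRipper output.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # UUID v1 time origin

def decode_value(data: bytes) -> dict:
    """12 bytes = 4-byte MBR disk signature + 8-byte little-endian byte offset to the
    volume's boot record. Longer UTF-16LE \\??\\STORAGE# strings are removable media."""
    if len(data) == 12:
        offset = struct.unpack("<Q", data[4:])[0]
        return {"kind": "fixed", "signature": data[:4].hex(" "),
                "offset": offset, "offset_sectors": offset // 512}
    return {"kind": "removable", "device": data.decode("utf-16-le", errors="replace")}

def guid_v1_time(value_name: str) -> Optional[datetime]:
    """\\??\\Volume{...} names are version-1 GUIDs: the 60-bit time field counts
    100 ns ticks since 1582-10-15 (roughly when Windows first saw the volume)."""
    u = uuid.UUID(value_name[value_name.index("{") + 1:value_name.index("}")])
    if u.version != 1:
        return None
    return GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)

def pair_letters(values: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each \\DosDevices\\X: entry to Volume{GUID} entries with identical data;
    the order of values in the hive carries no history, only the data does."""
    pairs = {}
    for name, data in values.items():
        if name.startswith("\\DosDevices\\"):
            pairs[name] = [v for v, d in values.items()
                           if v.startswith("\\??\\Volume{") and d == data]
    return pairs

# Constructed sample modelled on values quoted in the thread; offsets use the
# Vista+ default of 0x100000 bytes (2048 sectors), not the 0 in the RegRipper output.
FIXED_C = bytes.fromhex("66bf9234") + struct.pack("<Q", 0x100000)
FIXED_F = bytes.fromhex("1eff3ca3") + struct.pack("<Q", 0x100000)
STICK = ("\\??\\STORAGE#RemovableMedia#7&38fa3d01&1&RM#"
         "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
SAMPLE = {
    "\\??\\Volume{ddd55bc2-6913-11e4-a4df-806e6f6e6963}": FIXED_C,
    "\\??\\Volume{5ab2d5ab-063e-11e6-bd43-8019346de8ee}": FIXED_F,
    "\\??\\Volume{7310046d-9614-11e7-b0b5-001fc6bb76ce}": STICK,
    "\\DosDevices\\C:": FIXED_C,
    "\\DosDevices\\F:": FIXED_F,
    "\\DosDevices\\G:": STICK,
}
```

Calling `pair_letters(SAMPLE)` and `guid_v1_time()` on each Volume{GUID} name reproduces the C:/F: pairings and the 2014-11-10 19:57:57 and 2016-04-19 14:52:36 UTC times in jaclaz's list; a real hive is read the same way after loading the MountedDevices values with any offline registry parser.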
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

It's Windows 7

Ah, that's good to know.

Asking the question is/was important, as it affects what you can/should be looking at. As recently as July of this year, I know analysts that have been dealing with XP and Win2003 systems.

One particular question I had about how to read RegRipper was the \DosDevices listed. Do the two volumes below \DosDevices\F: have any historical significance with relation to these being once associated to the F:\ drive letter designation?

No, the key is not an "MRU" key. RegRipper has nothing to do with it…if you look at the key contents in any viewer, you'll see something similar with respect to the "order".

…there were no lnk files associated to that particular device.

Okay. I guess that just means that the user didn't access anything from the volume.

With respect to LNK files, did you also check the JumpLists?

I've been working off of the last written timestamp of the mountpoints2 key to determine the last devices connected…

How about the Windows Event Logs? I'm sure those would help, as well. I find it useful to use the *.evtx file in question, along with maybe the Security Event Log, as well as the Registry hives and file system metadata, and create a mini-timeline. It's pretty fascinating to see all of the artifacts together, rather than looking at them individually.

 
Posted : 09/10/2017 10:41 am
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

With respect to LNK files, did you also check the JumpLists?

Yes, I didn't see anything interesting with respect to jumplists either.

How about the Windows Event Logs? I'm sure those would help, as well. I find it useful to use the *.evtx file in question, along with maybe the Security Event Log, as well as the Registry hives and file system metadata, and create a mini-timeline. It's pretty fascinating to see all of the artifacts together, rather than looking at them individually.

I did. The interesting thing for the dates that I found in question was only one drive was logged from UserPNP as being installed, and that correlated with an entry in setupapi.dev.log. The other drives had no entries. A couple of things that I did notice were errors with regard to \Device\Harddisk4, but since this was an offline image, I was unable to correlate that with a device map since the hardware key is dynamic. I couldn't find anywhere else in the registry to tie that mapping to a device id.

Thanks!

 
Posted : 09/10/2017 1:56 pm