VID PID Index? Also Windows Event Log Index?

(@kossuth)
Posts: 22
Eminent Member
Topic starter
 

Hello, I am just getting started in digital forensics. I'm operating Magnet Axiom to examine hard drives for a corporation. I routinely find USB devices that have VID and PID numbers listed, but am having trouble identifying the devices. Does anyone know of a centralized index for these codes? If not, can you give me some advice or tips on identifying the devices?

On another note, I come across Windows event logs frequently and have the same problem. I need to identify what the logs are indicating. Any help is appreciated.

 
Posted : 20/03/2019 1:41 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

http://www.linux-usb.org/usb.ids

 
Posted : 20/03/2019 1:54 pm
(@mcman)
Posts: 189
Estimable Member
 

Depending on your investigation, you probably don't need to worry about every VID/PID that gets listed under USB connections. Most investigations center around USB mass storage devices so I would start focusing there (sorting by Device Class or Friendly Name in AXIOM will prioritize those ones). If you still want to look at other devices, they're there but there will be a lot of things that just use/access the USB drivers that have no investigative value (still worth reviewing as you'll often get MTP devices such as phones being plugged in, etc.).

For event logs, lots of sites will have cheat sheets of forensically significant event IDs (logon/logoff, log cleared, etc…). I usually have a cheat sheet lying around the lab but a quick search should be able to find you something similar.

Hope that helps,
Jamie McQuaid
Magnet Forensics

 
Posted : 20/03/2019 1:56 pm
(@kossuth)
Posts: 22
Eminent Member
Topic starter
 

Thank you!

 
Posted : 20/03/2019 7:17 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Please also consider two additional points (particularly in case of USB sticks):
1) VID/PIDs may not be accurate[1]
2) VID/PIDs in most cases can be altered/changed

Here
https://www.usb.org/developers

You can find a "valid" list

Valid USB Vendor ID Numbers
Valid USB Vendor ID Number is a list of companies to which USB-IF has assigned each Vendor ID in decimal format. This list is provided as an informational resource. The USB Implementers Forum is the authority which assigns and maintains all USB Vendor ID Numbers. Each number is assigned to one company which has exclusive rights to its use. Unauthorized use of assigned or unassigned USB Vendor ID Numbers is strictly prohibited. This list is updated quarterly.

and the

Invalid VIDs
The VIDs included on this list have been obsoleted and are not valid.

Only for the record, once upon a time the good USB.org guys provided this list in an easy parsable text format (not entirely unlike the one linked to by AmNe5iA) but it was probably too d@mn simple for them and now the lists are .pdf.

jaclaz

[1] all in all there are only a bunch of actual USB stick controller makers and a number of actual USB stick makers.
The maker of the controller already has a VID "embedded".
The maker of the actual USB stick may leave it "as is" or change it to an "own" VID.
The PID is "free" so it can be *anything*.

 
Posted : 21/03/2019 8:52 am
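Added example (not part of any post in this thread): a small offline lookup that parses text in the usb.ids layout linked above and resolves a VID/PID pair to vendor and device names. It assumes the identifiers appear in the Windows `VID_xxxx&PID_xxxx` form; the embedded excerpt and its names are constructed, and the function names are hypothetical.

```python
import re

# Constructed excerpt in the usb.ids layout (names are made up for illustration).
SAMPLE_USB_IDS = """\
# comment lines start with '#'
1234  Example Storage Corp.
\t0001  Example Flash Drive
\t\t00  interface line (ignored)
\t0002  Example Card Reader
abcd  Example Controller Maker
\t5678  Generic Mass Storage
C 08  Mass Storage
\t06  SCSI
"""

VENDOR_RE = re.compile(r"^([0-9a-f]{4})\s+(.+)$")    # "vvvv  vendor name"
DEVICE_RE = re.compile(r"^\t([0-9a-f]{4})\s+(.+)$")  # "<tab>dddd  device name"
VIDPID_RE = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)

def parse_usb_ids(text):
    """Return {vid: (vendor_name, {pid: device_name})} from usb.ids-style text."""
    vendors, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("\t\t"):
            continue  # interface-level lines are not needed for VID/PID lookup
        if line.startswith("\t"):
            m = DEVICE_RE.match(line)
            if m and current is not None:
                vendors[current][1][m.group(1)] = m.group(2).strip()
            continue
        m = VENDOR_RE.match(line)
        # Non-vendor sections (e.g. "C 08") reset state so their sub-lines are skipped.
        current = m.group(1) if m else None
        if m:
            vendors[current] = (m.group(2).strip(), {})
    return vendors

def identify(device_id, vendors):
    """Map a 'VID_xxxx&PID_xxxx' string to (vendor, device); None marks an unlisted part."""
    m = VIDPID_RE.search(device_id)
    if not m:
        return None
    vid, pid = m.group(1).lower(), m.group(2).lower()
    vendor, devices = vendors.get(vid, (None, {}))
    return vendor, devices.get(pid)
```

A hit only reports what the device descriptor claims; as noted in the post above, the VID may belong to the controller maker and the PID can be anything, so a known vendor with an unlisted PID is a normal result.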