Track USB activity

(@digitalcoroner)
Posts: 46
Eminent Member
Topic starter
 

I'm working on a case where I have to determine if the user uploaded or downloaded anything to a USB device. I've located all the entries out of the registry and logs that show that the USB device was connected (I've got the timestamp, PID, VID, and serial number); however, how do I determine if the user saved or uploaded anything to/from the device?

Thanks.

 
Posted : 02/07/2012 5:34 pm
flamerescue150
(@flamerescue150)
Posts: 23
Eminent Member
 

One thing you could check would be lnk files to see if any files were opened from the drive letter assigned to the usb device around the time it was connected. That doesn't give you every piece of the puzzle but it might be a place to start.

 
Posted : 02/07/2012 6:15 pm
(@digitalcoroner)
Posts: 46
Eminent Member
Topic starter
 

That's a good idea. Which lnk files would you recommend looking at?

 
Posted : 02/07/2012 7:45 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

As it sounds like you are on a bit of a fishing expedition, you could try using LinkAlyzer and looking at all of the link files.

www.sandersonforensics.com/linkalyzer.html

You can load all of the link files from an image (and carve for deleted ones) and then filter, if you wish, to show just those link files that pertain to removable storage.

There is a limited functionality demo at the above link.

Paul

 
Posted : 02/07/2012 7:53 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

That's a good idea. Which lnk files would you recommend looking at?

One of the key things that no one is really offering up for you is that you need to be familiar with how Windows shortcuts/LNK files are created. Knowing this can help you determine which LNK file, or files, to look at, as well as what to look for.

What folks generally mean when they say, "look at LNK files" is that *if* the user copied a file to a thumb drive and then opened the file from the thumb drive by double-clicking it, by default, a LNK file would be generated in the user's Recent folder (within the user profile; full path depends upon the version of Windows). This LNK file would point to the file on the removable storage device, and as part of the metadata within the LNK file, describe the volume as "removable media".

Also, a lot can depend on *how* the user saved the file to the thumb drive…copying the file is one thing, and opening the file via the native application and choosing "Save As…" is another thing. For example, depending upon the application used, you may find (for Windows 7 only) a Jump List that provides indications of a file opened from a removable storage device.

If you do find these indications in Jump Lists, you can use file system metadata analysis from the information in the LNK streams within the Jump Lists (you can also use this technique on LNK files themselves) in order to determine if the file was copied to the volume on the removable storage devices; however, again, this is predicated by the user opening the file once they've copied it to the removable media.

Some other things you might look at include files listed in the OpenSaveMRU subkey under the ComDlg32 key in the user's NTUSER.DAT hive, and the shell bags…these may provide indications of the user accessing the removable storage device via the Windows Explorer shell *and* repositioning/resizing the window.

Hope that helps.

 
Posted : 02/07/2012 10:06 pm
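The post above describes what a Recent-folder LNK file records about a target on removable media: the target's MAC times and size in the header, and a LinkInfo/VolumeID structure whose DriveType marks the volume as removable. The parser below, added here as an example and not code from the post, from lslnk or from any tool named in the thread, pulls exactly those fields out of a .lnk blob per the MS-SHLLINK layout. The sample LNK it parses is constructed in the block (header plus LinkInfo only; real Recent-folder links also carry an IDList, which the parser skips); the path, label and serial are invented.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constants from the Shell Link binary format (MS-SHLLINK).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_LINK_TARGET_ID_LIST = 0x01        # LinkFlags bit: an IDList precedes LinkInfo
HAS_LINK_INFO = 0x02                  # LinkFlags bit: LinkInfo structure present
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01  # LinkInfoFlags bit: VolumeID + LocalBasePath present
DRIVE_TYPES = {0: "DRIVE_UNKNOWN", 1: "DRIVE_NO_ROOT_DIR", 2: "DRIVE_REMOVABLE",
               3: "DRIVE_FIXED", 4: "DRIVE_REMOTE", 5: "DRIVE_CDROM", 6: "DRIVE_RAMDISK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; None if zero."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def _cstr(buf, off):
    """NUL-terminated ANSI string at off."""
    return buf[off:buf.index(b"\0", off)].decode("cp1252", errors="replace")


def _wstr(buf, off):
    """NUL-terminated UTF-16LE string at off."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace")


def parse_lnk(data):
    """Return the target's MAC times/size and the LinkInfo volume details of one .lnk blob."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link")
    flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {"target_created": filetime_to_dt(ctime), "target_accessed": filetime_to_dt(atime),
            "target_modified": filetime_to_dt(wtime), "target_size": size,
            "drive_type": None, "volume_serial": None, "volume_label": None, "local_path": None}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip the IDList; LinkInfo follows it
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, li_hdr, li_flags, vol_off, base_off, _net_off, _sfx_off = struct.unpack_from("<7I", data, pos)
        li = data[pos:pos + li_size]             # all LinkInfo offsets are relative to its start
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vid_size, drive_type, serial, label_off = struct.unpack_from("<4I", li, vol_off)
            if label_off == 0x14:                # label is Unicode, at VolumeLabelOffsetUnicode
                label = _wstr(li, vol_off + struct.unpack_from("<I", li, vol_off + 16)[0])
            else:
                label = _cstr(li, vol_off + label_off)
            info["drive_type"] = DRIVE_TYPES.get(drive_type, f"UNKNOWN({drive_type})")
            info["volume_serial"] = f"{serial:08X}"
            info["volume_label"] = label
            if li_hdr >= 0x24:                   # Unicode LocalBasePath offset present
                info["local_path"] = _wstr(li, struct.unpack_from("<I", li, 28)[0])
            else:
                info["local_path"] = _cstr(li, base_off)
    return info


def build_lnk(target_path, drive_type, serial, label, created, modified, size):
    """Construct a minimal LNK (header + LinkInfo) to exercise the parser; constructed input, not a real artifact."""
    label_b = label.encode("cp1252") + b"\0"
    volume_id = struct.pack("<4I", 16 + len(label_b), drive_type, serial, 16) + label_b
    base = target_path.encode("cp1252") + b"\0"
    base_off = 28 + len(volume_id)
    suffix_off = base_off + len(base)            # empty CommonPathSuffix = single NUL
    link_info = struct.pack("<7I", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            28, base_off, 0, suffix_off) + volume_id + base + b"\0"
    ft_c, ft_m = dt_to_filetime(created), dt_to_filetime(modified)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", HAS_LINK_INFO, 0x20, ft_c, ft_c, ft_m, size, 0, 1, 0, 0, 0, 0)
    return header + link_info


# Constructed sample: a spreadsheet opened from E:, a removable volume labelled KINGSTON.
SAMPLE_LNK = build_lnk(r"E:\payroll_export.xlsx", 2, 0x1234ABCD, "KINGSTON",
                       datetime(2012, 7, 2, 14, 31, 5, tzinfo=timezone.utc),
                       datetime(2012, 6, 28, 9, 2, 0, tzinfo=timezone.utc), 48_213)

if __name__ == "__main__":
    for k, v in parse_lnk(SAMPLE_LNK).items():
        print(f"{k:16} {v}")
```

The same routine applies to the LNK streams inside Jump Lists once they have been extracted (CustomDestinations files are concatenated LNKs; AutomaticDestinations store them in an OLE compound file). A target creation time on the removable volume that is later than the file's modification time is the file-system-metadata hint the post refers to: the file was created on the thumb drive after it was last written, which is what a copy looks like. It is only a hint, and only exists if the user opened the file from the drive.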
flamerescue150
(@flamerescue150)
Posts: 23
Eminent Member
 

What folks generally mean when they say, "look at LNK files" is that *if* the user copied a file to a thumb drive and then opened the file from the thumb drive by double-clicking it, by default, a LNK file would be generated in the user's Recent folder (within the user profile; full path depends upon the version of Windows). This LNK file would point to the file on the removable storage device, and as part of the metadata within the LNK file, describe the volume as "removable media".

Also, a lot can depend on *how* the user saved the file to the thumb drive…copying the file is one thing, and opening the file via the native application and choosing "Save As…" is another thing. For example, depending upon the application used, you may find (for Windows 7 only) a Jump List that provides indications of a file opened from a removable storage device.

If you do find these indications in Jump Lists, you can use file system metadata analysis from the information in the LNK streams within the Jump Lists (you can also use this technique on LNK files themselves) in order to determine if the file was copied to the volume on the removable storage devices; however, again, this is predicated by the user opening the file once they've copied it to the removable media.

Some other things you might look at include files listed in the OpenSaveMRU subkey under the ComDlg32 key in the user's NTUSER.DAT hive, and the shell bags…these may provide indications of the user accessing the removable storage device via the Windows Explorer shell *and* repositioning/resizing the window.

Hope that helps.

Well said. Thanks for spelling out in more detail where I was headed with the Lnk file idea. Good call on the shell bags as well. They're a small, yet important item that could easily be overlooked.

 
Posted : 03/07/2012 7:20 am
(@digitalcoroner)
Posts: 46
Eminent Member
Topic starter
 

This is very helpful, thank you. I have the USB device VID/PID/serial number; are these the values that I'd find in the NTUSER.DAT subkey you are referring to? I'm just trying to figure out a quick way to search for this as there are multiple profiles to sift through.

 
Posted : 03/07/2012 4:09 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

This is very helpful, thank you. I have the USB device VID/PID/serial number; are these the values that I'd find in the NTUSER.DAT subkey you are referring to? I'm just trying to figure out a quick way to search for this as there are multiple profiles to sift through.

USB Device analysis is a process that you need to follow…you don't get all of the information in question from one key or one source. You need to map the information you have to the MountedDevices key to get the volume GUID and then you can use that to map to the user's MountPoints2 key.

This process has been documented several times. I provide it in my WFAT 3/e book, and Rob Lee has provided color-coded guides for what you need to use to get the information you want via the SANS Forensics blog. The information is available.

Since it isn't clear which version of Windows you're working with, or if you're working with a live system or an acquired image, I won't fill up the list with all of the various possibilities by writing out an encyclopedia. You can use tools such as RegRipper to get the necessary information, if you're analyzing an acquired image.

HTH

 
Posted : 03/07/2012 6:07 pm
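The mapping described above (USBSTOR serial to the SYSTEM\MountedDevices key to a volume GUID, then to each user's MountPoints2 key) is mechanical once the values are extracted, which is what makes it quick to run across many profiles. The following is an added example, not code from the post, from RegRipper or from WFAT; it works on already-extracted registry data held in plain Python dicts (in practice you would feed it RegRipper or python-registry output) so it runs offline. The MountedDevices values and MountPoints2 key names/LastWrite times below are constructed; the serials, GUIDs and user names are invented.

```python
import re
from datetime import datetime, timezone

GUID_RE = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
USBSTOR_RE = re.compile(r"USBSTOR#(?P<type>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)"
                        r"&Rev_(?P<rev>[^#]*)#(?P<instance>[^#]+)#", re.I)


def decode_mounted_device(data):
    """MountedDevices data for USB mass storage is a UTF-16LE device instance path
    ('_??_USBSTOR#...'); fixed disks carry 12 bytes (MBR signature + partition offset)
    and yield None here."""
    if len(data) % 2 or not data.startswith((b"_\0", b"\\\0")):
        return None
    return data.decode("utf-16-le").rstrip("\0")


def parse_usbstor(devpath):
    """Split a USBSTOR instance path into vendor/product/revision/serial."""
    m = USBSTOR_RE.search(devpath)
    if not m:
        return None
    serial, _, _idx = m["instance"].rpartition("&")   # strip the trailing '&0' instance index
    return {"vendor": m["ven"], "product": m["prod"], "rev": m["rev"], "serial": serial,
            # '&' as the second character means Windows generated the ID (device had no serial)
            "serial_is_generated": serial[1:2] == "&"}


def volumes_for_serial(mounted_devices, serial):
    """Drive letters and \\??\\Volume{GUID}s in MountedDevices that point at this serial."""
    hit = {"device": None, "volume_guids": set(), "drive_letters": set()}
    for name, data in mounted_devices.items():
        dev = decode_mounted_device(data)
        usb = parse_usbstor(dev) if dev else None
        if not usb or usb["serial"].lower() != serial.lower():
            continue
        hit["device"] = usb
        if name.startswith("\\DosDevices\\"):
            hit["drive_letters"].add(name.rsplit("\\", 1)[1])
        g = GUID_RE.search(name)
        if g and name.startswith("\\??\\Volume"):
            hit["volume_guids"].add(g.group(0).lower())
    return hit


def users_who_mounted(user_mountpoints2, volume_guids):
    """MountPoints2 lives in each user's NTUSER.DAT; a subkey named after the volume GUID
    means that profile saw the volume, and the key's LastWrite is when it was last written."""
    rows = [(user, guid.lower(), last_write)
            for user, keys in user_mountpoints2.items()
            for guid, last_write in keys.items() if guid.lower() in volume_guids]
    return sorted(rows, key=lambda r: r[2])


def profile_usb_device(serial, mounted_devices, user_mountpoints2):
    vols = volumes_for_serial(mounted_devices, serial)
    vols["users"] = users_who_mounted(user_mountpoints2, vols["volume_guids"])
    return vols


# ---- constructed sample data (not from any real system) ----
def _dt(*a):
    return datetime(*a, tzinfo=timezone.utc)

KINGSTON = ("_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#001CC0EC34D5FBB0F7A10E27&0"
            "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
NOSERIAL = ("_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#7&2a1b3c4d&0"
            "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
MOUNTED_DEVICES = {   # SYSTEM\MountedDevices: value name -> REG_BINARY data
    "\\DosDevices\\C:": bytes.fromhex("d4c3b2a1") + (0x100000).to_bytes(8, "little"),
    "\\DosDevices\\E:": KINGSTON,
    "\\??\\Volume{6f2c9a10-c3f1-11e1-8a7d-806e6f6e6963}": KINGSTON,
    "\\DosDevices\\F:": NOSERIAL,
    "\\??\\Volume{0b5e77a2-c4d8-11e1-8a7d-806e6f6e6963}": NOSERIAL,
}
USER_MOUNTPOINTS2 = {   # user -> {MountPoints2 subkey name: key LastWrite time}
    "jdoe": {"{6f2c9a10-c3f1-11e1-8a7d-806e6f6e6963}": _dt(2012, 7, 2, 14, 30, 48),
             "{0b5e77a2-c4d8-11e1-8a7d-806e6f6e6963}": _dt(2012, 6, 30, 11, 0, 3)},
    "admin": {"{0b5e77a2-c4d8-11e1-8a7d-806e6f6e6963}": _dt(2012, 6, 29, 8, 15, 20)},
}

if __name__ == "__main__":
    print(profile_usb_device("001CC0EC34D5FBB0F7A10E27", MOUNTED_DEVICES, USER_MOUNTPOINTS2))
```

The drive letter recovered here is what you then go looking for in LNK files and Jump Lists; note that a letter in MountedDevices is only the last device mapped to it, so confirm it against the LNK volume serial as well. A MountPoints2 hit ties the volume to a profile, not to a copy operation.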
(@cults14)
Posts: 367
Reputable Member
 

Regular readers will know I'm not really techie, however we need to be accurate in what we mean by copying files. Almost every internal case I'm involved with, someone asks me 'did <insert-name-of-suspect-here> copy any files off their system?'

My understanding is that no version of Windows tracks - out of the box without any additional software anyway - standard Windows Copy&Paste or Move operations, whether by mouse or keyboard shortcuts. The same applies to DOS copy and xcopy commands. So the answer to the above question is "I probably won't be able to tell you".

I usually end up looking for evidence of files having been accessed on external media via LNK files or jump lists, using any combination of FTK, LinkAlyzer, lslnk (Harlan's script), Windows File Analyzer, and JumpLister. I start by looking for anything where the original was on what is likely to be external media, and if I find anything then look at timestamps to see if it's relevant and if so then get into USB device analysis. Or sometimes I'll do it the other way around to see if there's any evidence of external media being connected in the time frame at issue, probably using Woanware's USBDeviceForensics. Which doesn't always work out if the suspect used an external drive which I don't have in my possession.

It's nice if a chump suspect opens a file on their internal hard drive, closes it, then a few seconds later opens it again from an external device; fairly strong circumstantial evidence. It just doesn't happen very much.

The SANS info is at http://computer-forensics.sans.org/blog/2009/09/09/computer-forensic-guide-to-profiling-usb-thumbdrives-on-win7-vista-and-xp/ BTW

HTH

 
Posted : 05/07/2012 6:50 pm
(@digitalcoroner)
Posts: 46
Eminent Member
Topic starter
 

Yes, you make a good point; it's really difficult to associate a user with a specific action when it comes to removable devices. If I don't see a MountPoints2 entry under the user's profile, then searching for other clues, such as LNK files, etc. seems to be useless as the user wouldn't be able to read/write from the device.

 
Posted : 05/07/2012 7:58 pm