Looking for USB Device Information

4n6art
Senior Member
 

Looking for USB Device Information

Posted: Nov 27, 12 12:22

Hello All:

I'm getting about 5-6 USB (thumb) drives and need to check them to see if they were ever connected to a target computer.

I do not have the target computer, but do have an E01 image of the HD from said target computer. From that I was able to, using USBDeview, get information on the USB drives that were connected to that target machine.

Question: What is the best method to do this?
- If I were to connect the USB drive to a Tableau USB write blocker, would the LCD display on the Tableau give me the same information as USBDeview did? Would Tableau Disk Monitor do it? (It's late right now and I will be checking this tomorrow) Alternatively, will the USBSTOR registry key store the information about the actual drive being connected to the writeblocker or only store the writeblocker information?

- I could write block the USB ports on the forensic machine using registry edits and then plug the drive in directly to the machine to get the registry keys to populate. Is that the best method?

- Should I delete the entries that are already in the registry for previously inserted USB devices and then insert the drives and check to see what entries the new USB drives make? If so, does anyone know what keys I should delete (keys will be backed up, of course :) ). I guess I could compare the "control" USBDeview report (as in before any of the suspect drives were inserted) to the new one (after each drive is inserted individually) but that is going to be a headache....

Appreciate any help from the well of knowledge as to how I should proceed in this.
Thanks
-=Art=-  
 
  

jaclaz
Senior Member
 

Re: Looking for USB Device Information

Posted: Nov 27, 12 15:24

You can clear *completely* the USBstor related keys before connecting the device, besides USBdeview:
www.nirsoft.net/utils/..._view.html
(which you can use to clean the current entries) Nirsoft also makes clean after me:
www.nirsoft.net/utils/...er_me.html
that may clear other logs.

Also, you can experiment with USBlogview:
www.nirsoft.net/utils/..._view.html
Quote (from the USBLogView page):
    USBLogView is a small utility that runs in the background and records the details of any USB device that is plugged or unplugged into your system. For every log line created by USBLogView, the following information is displayed: Event Type (Plug/Unplug), Event Time, Device Name, Description, Device Type, Drive Letter (For storage devices), Serial Number (Only for some types of devices), Vendor ID, Product ID, Vendor Name, Product Name, and more...

A list of keys is given here:
www.msfn.org/board/top..._p__888222
cannot say if *complete*.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
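The clear-the-keys-then-connect approach above still leaves the original poster's "compare the control report to the new one" step, and that comparison can be scripted against two exports of the USBSTOR enumeration key instead of two USBDeview reports. The following is an added example, not code from this thread or from NirSoft: a Python script that parses two `reg export HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR` dumps (it also accepts `reg query ... /s` output, since only the key-path lines are read) and lists the devices present only in the second one. It also flags instance IDs whose second character is `&`, which is how Windows marks an ID it generated itself because the device had no usable serial number. The two snapshots embedded in the script are constructed sample data; the vendor, product and serial strings in them are made up.

```python
"""Compare two snapshots of the USBSTOR enumeration key and list the devices
that appear only in the second one.  Added example; the two snapshots below
are constructed sample data, not output from a real system."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches the two sub-key levels below Enum\USBSTOR in either `reg export`
# output ("[HKEY_LOCAL_MACHINE\...]") or `reg query /s` output (no brackets).
USBSTOR_KEY_RE = re.compile(
    r"HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\\]\r\n]+\\Enum\\USBSTOR\\([^\\\]\r\n]+)\\([^\\\]\r\n]+)",
    re.IGNORECASE,
)


@dataclass(frozen=True, order=True)
class UsbStorDevice:
    vendor: str
    product: str
    revision: str
    serial: str
    windows_generated_serial: bool


def parse_device_id(device_id: str) -> tuple[str, str, str]:
    """'Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26' -> ('SanDisk', 'Cruzer', '1.26')."""
    fields = {}
    for part in device_id.split("&"):
        if "_" in part:
            key, _, value = part.partition("_")
            fields[key] = value
    return fields.get("Ven", ""), fields.get("Prod", ""), fields.get("Rev", "")


def parse_snapshot(text: str) -> set[UsbStorDevice]:
    """Collect every device instance recorded under Enum\\USBSTOR in the dump."""
    devices: set[UsbStorDevice] = set()
    for m in USBSTOR_KEY_RE.finditer(text):
        device_id, instance_id = m.group(1), m.group(2)
        vendor, product, revision = parse_device_id(device_id)
        # A '&' as the second character of the instance ID means Windows
        # generated the ID because the device reported no usable serial number.
        generated = len(instance_id) > 1 and instance_id[1] == "&"
        # Otherwise the instance ID is "<serial>&<port>"; keep just the serial.
        serial = instance_id if generated else instance_id.rsplit("&", 1)[0]
        devices.add(UsbStorDevice(vendor, product, revision, serial, generated))
    return devices


def new_devices(before: str, after: str) -> list[UsbStorDevice]:
    """Devices present in the 'after' snapshot but absent from 'before'."""
    return sorted(parse_snapshot(after) - parse_snapshot(before))


# Constructed sample: the examination machine before any suspect drive is attached.
BEFORE_SNAPSHOT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\001CC0EC3442BB00000000&0]
"FriendlyName"="Kingston DataTraveler USB Device"
"""

# Constructed sample: the same key after two more drives were connected, one of
# which had no serial number of its own.
AFTER_SNAPSHOT = BEFORE_SNAPSHOT + r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&1a2b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

if __name__ == "__main__":
    for dev in new_devices(BEFORE_SNAPSHOT, AFTER_SNAPSHOT):
        flag = " (serial generated by Windows)" if dev.windows_generated_serial else ""
        print(f"{dev.vendor} {dev.product} rev {dev.revision}: {dev.serial}{flag}")
```

Export the key once before the first suspect drive is attached and once after each drive, then feed the two files to `new_devices()` (`reg export` writes UTF-16 .reg files, so open them with `encoding="utf-16"`). The comparison only sees what Windows enumerated: if the device sits behind a hardware write blocker that presents its own identifiers to the host, the blocker is what shows up, which is exactly what the later test results in this thread report for the Tableau and WiebeTech units.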
 
  

keydet89
Senior Member
 

Re: Looking for USB Device Information

Posted: Nov 27, 12 17:24

4n6art wrote:
    Question: What is the best method to do this?

I'd go ahead and follow 'best practices' guidelines; I wouldn't want to write to the devices, so I'd hook them up to a write-blocker and connect them to a test system, documenting the process to the point where it is repeatable. Once you've connected the devices, you can easily view either the setupapi.log or setupapi.dev.log file (depending upon the version of Windows to which you've connected the device) in order to get the necessary information, and correlate that to the Registry key information.

4n6art wrote:
    - If I were to connect the USB drive to a Tableau USB write blocker, would the LCD display on the Tableau give me the same information as USBDeview did? Would Tableau Disk Monitor do it? (It's late right now and I will be checking this tomorrow)

This might depend on the model number of the write-blocker. You'll have to let us know.

4n6art wrote:
    Alternatively, will the USBSTOR registry key store the information about the actual drive being connected to the writeblocker or only store the writeblocker information?

Well, in my experience, the write-blocker only prevents the device from being written to, so the necessary information is queried and populated just fine. But again, you'll have to let us know.

However, it should take you all of 15 min (at the most) to test that with a known good device.

Now, you may run into devices that do not have a "unique" serial number, and Windows will need to assign one to the device when it's connected. If this is the case, you may still have some very valuable data available to you, depending upon the version of Windows within the .E0x file.
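The setupapi.dev.log correlation described above can be scripted rather than read by hand. The following is an added example, not the poster's code or any forensic tool's: a Python parser for the `>>>  [Device Install ...]` sections of a Windows Vista/7 setupapi.dev.log that returns, for each USBSTOR device, its instance path, install start and end timestamps, the exit status, and the same second-character-`&` check on the instance ID that tells you Windows assigned the serial itself. The log excerpt inside the script is constructed for illustration, and the section-marker layout it relies on (`>>>  Section start`, `<<<  Section end`, `<<<  [Exit status: ...]`) is assumed to match that Windows version.

```python
"""Extract USB storage device-install records from a Windows setupapi.dev.log.
Added example; the log excerpt below is constructed and its layout is assumed
to match the Windows Vista/7 setupapi.dev.log format."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SECTION_START_RE = re.compile(r"^>>>\s+\[Device Install \(([^)]*)\) - (.+)\]\s*$")
SECTION_TIME_RE = re.compile(
    r"^(?:>>>|<<<)\s+Section (start|end) (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s*$"
)
EXIT_STATUS_RE = re.compile(r"^<<<\s+\[Exit status: ([A-Z_]+)\]\s*$")


@dataclass
class DeviceInstall:
    instance_path: str          # e.g. USBSTOR\Disk&Ven_...&Rev_...\<serial>&0
    initiated_by: str           # text in parentheses, e.g. "Hardware initiated"
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    exit_status: Optional[str] = None

    @property
    def instance_id(self) -> str:
        return self.instance_path.rsplit("\\", 1)[-1]

    @property
    def windows_generated_serial(self) -> bool:
        # A '&' as the second character means Windows generated the instance ID
        # because the device did not report a usable serial number.
        return len(self.instance_id) > 1 and self.instance_id[1] == "&"

    @property
    def serial(self) -> str:
        if self.windows_generated_serial:
            return self.instance_id
        return self.instance_id.rsplit("&", 1)[0]   # strip the "&<port>" suffix


def parse_setupapi_log(text: str, bus_prefix: str = "USBSTOR\\") -> list[DeviceInstall]:
    """Return completed Device Install sections whose instance path starts with bus_prefix."""
    records: list[DeviceInstall] = []
    current: Optional[DeviceInstall] = None
    for line in text.splitlines():
        if line.startswith(">>>") and "[" in line:
            # A new top-level section begins; only Device Install sections are tracked,
            # and any unfinished section is discarded rather than merged into the next.
            m = SECTION_START_RE.match(line)
            current = DeviceInstall(instance_path=m.group(2), initiated_by=m.group(1)) if m else None
            continue
        if current is None:
            continue
        m = SECTION_TIME_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%Y/%m/%d %H:%M:%S.%f")
            if m.group(1) == "start":
                current.start = ts
            else:
                current.end = ts
            continue
        m = EXIT_STATUS_RE.match(line)
        if m:
            current.exit_status = m.group(1)
            if current.instance_path.upper().startswith(bus_prefix.upper()):
                records.append(current)
            current = None
    return records


# Constructed excerpt: the USB-level device is installed first, then the
# storage-level USBSTOR device for the same thumb drive.
SAMPLE_LOG = r""">>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5530\4C530001234567890123]
>>>  Section start 2012/11/27 21:15:01.102
     ump: Creating Install Process: DrvInst.exe 21:15:01.118
     dvi: {Build Driver List} 21:15:01.133
<<<  Section end 2012/11/27 21:15:02.870
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001234567890123&0]
>>>  Section start 2012/11/27 21:15:03.421
     ump: Creating Install Process: DrvInst.exe 21:15:03.437
     dvi: {Build Driver List} 21:15:03.452
     dvi: {Build Driver List - exit(0x00000000)} 21:15:03.483
<<<  Section end 2012/11/27 21:15:05.980
<<<  [Exit status: SUCCESS]
"""

if __name__ == "__main__":
    for rec in parse_setupapi_log(SAMPLE_LOG):
        flag = " (serial generated by Windows)" if rec.windows_generated_serial else ""
        print(f"{rec.start} -> {rec.end}  {rec.exit_status}  {rec.instance_path}{flag}")
```

Two caveats when reading the output: the timestamps are in the local time of the system that wrote the log, and a Device Install section is written when the driver is installed, so a drive the test system has already seen may not produce a fresh section on a later connection. Correlate the instance path with the matching USBSTOR subkey in the registry, as the post above suggests, rather than relying on the log alone.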
 
  

4n6art
Senior Member
 

Re: Looking for USB Device Information

Posted: Nov 27, 12 21:51

Thanks for your replies Jaclaz and Harlan. Here's what I have from testing so far:
Apologies for the long explanation


Examination machine is Win7 Pro.

Writeblocker: Tableau USB Writeblocker T8
- Attached multiple USB thumb drives while having USBLogView running.
- Each time the plug/unplug was detected by USBLogView BUT the USB information was for the Tableau.
- Interestingly, USBLogView shows the make/model of the USB drive (e.g. SanDisk Cruzer) in the Description column but the S/N, VID and PID information is all for the Tableau (i.e. it never changes for other USB thumbdrives attached)

- Confirmed using USBDeview that the S/N of the thumbdrive was NOT being captured, only the info for the Tableau.
Weird... I would have thought that the thumbdrive information would have been captured.

- When I connected a test USB hard drive (like a WD Passport) to the Tableau, it was not even recognized - possibly because the Tableau didn't have enough power at the USB port to power the USB HD? (I don't know). When the USB HD was plugged in directly to the USB port on the computer, it worked fine.
- This (the USB HD connection) was tested with the Tableau connected to the front USB ports and the ones in the back off the motherboard, just to be sure there were no power issues. The USB HD was not recognized - in fact one of them started to click (thankfully it worked later LOL)

On the Tableau T8, if you press the MENU button till you see USB Device Info and then press ENTER (about 4 times), the display shows the Serial Number of the USB thumbdrive, which matches the S/N when the thumbdrive is plugged in directly to the computer.

Repeated Tests with a WiebeTech USB Writeblocker
- Same results for Thumbdrive: Only the WiebeTech information was visible in USBLogView and USBDeview.
- Same results for USB HD: Unable to recognize - possible power issue off USB Port.
- Same result for USB HD on both front and back USB ports.

Software writeblocking works - shows S/N of the thumbdrive in USBLogView and USBDeview.

Looks like I will either be using the Tableau and photographing each thumbdrive with the S/N display screen or using the software writeblocker and running the USBLogView and USBDeview reports. Haven't decided which (or both).

Hope this helps someone....
-=Art=-  
 
  

4n6art
Senior Member
 

Re: Looking for USB Device Information

Posted: Nov 27, 12 22:42

I forgot to add:

If you use Tableau Disk Monitor with the T8, it will show you the same S/N of the actual USB thumbdrive once it is attached to the T8. You can export the device information to a TXT file from the TDM.

-=Art=-  
 
  

jaclaz
Senior Member
 

Re: Looking for USB Device Information

Posted: Nov 27, 12 22:47

Only marginally OT, and as a "general rule" NEVER trust the amount of power a USB port of any device can deliver, and NEVER underestimate the power draw the connected device may need.

ALWAYS use a Y cable connected to a reliable 5 V power supply, with overload/short protection, capable of providing 1 A.

This is my experience in data recovery, but basically you have NO idea in which condition a device is until you power it: a hard disk, if underpowered, may "decide" to stop rotating (and a head crash is likely); another one may need far more than the target current to start up (because of bearing stiction or whatever); the device could well have been powered originally by a Y cable (because "by design" it already needed more than 500 mA).
It is even well possible that a disk is "shorted" (for whatever reason), and though the USB ports of a PC do have "electronic fuses" in most if not all cases, it is not "smart" to trigger them (and BTW more often than not the disk is not working and you cannot understand why).

For USB sticks this is normally not needed as they are all in the 100 or 200 mA range, but external 2.5" hard disks are always very near the 500 mA (and older models much above that, up to 1 A).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
