Find the owner of USB driver  

Tony75
(@tony75)
Junior Member

Hi guys

I have a disk image (.E01) of a USB driver and it contains a text file. The text file says to execute an exe file on company computers! And the person executed the exe file on a company computer.

Now my question is:

Is it possible to find the owner of the USB?

It’s only allowed to use FTK Imager.

Posted : 11/07/2020 12:24 am
athulin
(@athulin)
Community Legend
Posted by: @tony75

Is it possible to find the owner of the USB?

It’s only allowed to use FTK Imager.

This sounds like a class assignment or proficiency test. Why are you not allowed to use any other tool than FTK Imager?

As for your question: no, it is not, in general, possible to find out who owns a USB memory, in any legal sense of the word. 

In general. It may be possible in certain settings. 

Posted : 11/07/2020 6:17 am
jaclaz
(@jaclaz)
Community Legend
Posted by: @tony75

Hi guys

I have a disk image (.E01) of a USB driver and it contains a text file. The text file says to execute an exe file on company computers! And the person executed the exe file on a company computer.

Now my question is:

Is it possible to find the owner of the USB?

It’s only allowed to use FTK Imager.

That is a drive (usually called thumbdrive or USB stick) NOT a driver.

How exactly would you expect to find the owner?

Do you expect that there is his/her signature (notarized) physically on the device or a fingerprint (but you only have a .E01 image of it) or that there is one in the contents inside the .txt or in the .exe - in this case digitally signed?

Or do you believe that from the serial number of the device (which again you don't have as you only have a .E01) you can look up the world records of authorized USB sticks owners?

@athulin
It does sound like a test/school assignment/exercise, but I wonder at what scope?

As a side note, and just for a quick laugh, it sounds a lot like the historical Irish Virus:

https://www.pandasecurity.com/mediacenter/security/manual-virus/

jaclaz

Posted : 11/07/2020 10:21 am
Tony75
(@tony75)
Junior Member

@athulin

@jaclaz

It’s not a test and I’m not a student, I work in digital forensics; in fact I got this question from a friend.

But my answer was to check the Volume Label name; maybe he registered the USB stick in his name!

However, it’s not a good solution!

Posted : 11/07/2020 11:26 am
Tony75
(@tony75)
Junior Member

@jaclaz

You pointed out good details. I think we also get more info when we decompile the .exe file and get the source code.

Posted : 11/07/2020 11:35 am
jaclaz
(@jaclaz)
Community Legend
Posted by: @tony75

@athulin

@jaclaz

It’s not a test and I’m not a student, I work in digital forensics; in fact I got this question from a friend.

But my answer was to check the Volume Label name; maybe he registered the USB stick in his name!

However, it’s not a good solution!

Friends don't ask this kind of question, or - if they do - they don't "allow" the use of anything, and surely not the use of FTK Imager only.

BTW I would be curious to see the disassembly (calling it "source code" is quite a leap) of the .exe performed via FTK Imager (and compare it with the output of *any* de-compiler).

What (the heck) do you believe you can find in a de-compiled .exe?

Just for the record, USB stick volume labels tend to be usually "Data", "USB_stick", "Thumbforce1", "NO_LABEL" and similar, though I have seen once one called "John".

jaclaz

Posted : 11/07/2020 12:47 pm
Tony75
(@tony75)
Junior Member

@jaclaz

@athulin

Every IT forensic scientist knows that it is impossible to disassemble .exe code via FTK.

But the question was: is it possible to find the owner of a USB stick by using just FTK Imager or not!

Does the USB stick belong to the virus creator or to the person who executed the .exe file?

Now the answer that I got is: NO

Hope he finds other techniques and tools to discover the owner of the USB stick.

Posted : 11/07/2020 1:38 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @tony75

@jaclaz

@athulin

Every IT forensic scientist knows that it is impossible to disassemble .exe code via FTK.

But the question was: is it possible to find the owner of a USB stick by using just FTK Imager or not!

Does the USB stick belong to the virus creator or to the person who executed the .exe file?

Now the answer that I got is: NO

Hope he finds other techniques and tools to discover the owner of the USB stick.

The whole point is that the answer is a much bigger NO.

The question, besides being extremely futile by limiting it to the use of FTK Imager, makes no sense whatsoever even if you lift off that limitation.

I.e. if you rephrase the question as:
Is it possible, by using any method known to men, including - say - a photonic-cyber-tera-phragmanitron and/or a mega-hyper-trimblefuser, to discover the owner of a USB stick[1] with only a .txt and .exe on it?

The answer remains NO.

Now, if you further rephrase in more forensic terms, i.e. more along the lines of:
Are there "standard" (OS, filesystem, mounting) artifacts created on a USB stick capable of leading to its owner?

The answer remains NO.

Of course IF the USB Stick was used by someone that saved on it his/her personal data and later - say - quick formatted the volume, you may be able to recover some of these files containing personal data.

At which point you have to ask yourself:

How can I prove that the personal data I found corresponds to the owner of the USB stick?

And the answer is you cannot, the data could have been planted on purpose or be related to a previous owner that lost the USB stick, etc., etc.

jaclaz

 

[1] of course assuming that by chance the data on it does not contain ID/personal data or that the owner did not intentionally provide this information, like those that come with a readme.txt in root *like*:
Hallo,

if you are reading this, likely I am a lost (and now found) USB stick.

My owner is xxxx xxxxxxxx, e-mail [email protected], it would be nice if you could drop a line there. 

A reward will be granted for returning this stick to the owner.

Posted : 11/07/2020 2:25 pm
Tony75
(@tony75)
Junior Member

@jaclaz

Thank you for the explanation.

Posted : 11/07/2020 3:10 pm
Jmundy
(@jmundy)
New Member

Although this might not assist, I have often wondered: if a USB serial number was known, could it be used to trace where it was purchased from?

Posted : 13/07/2020 7:04 am
passcodeunlock
(@passcodeunlock)
Senior Member

@jmundy: sure, unless it's some no-name pendrive, each vendor has very precise lot numbering, production dates, unique identifiers, etc., and the life of the pendrive can be traced from the factory to the first end-user. The real question is if a vendor answers you at all and whether they would trace it for you?! Depends who is asking, but generally it's a ...NO! Good luck there 🙂

Posted : 13/07/2020 8:15 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @jmundy

Although this might not assist, I have often wondered: if a USB serial number was known, could it be used to trace where it was purchased from?

No.

The "world records of authorized USB sticks owners" I jokingly referred to does not exist and with the possible exception of SANDISK (which is different from most other manufacturers) what passcodeunlock stated is more wishful thinking than anything else.

The actual production of "common" USB sticks is roughly as follows (monoliths are slightly different as they have no case):

1) the actual stick (PCB and components soldered to it) is produced in large, large numbers
2) the case, plastic or plastic+metal is produced
3) the stick is put into the case and (usually) sealed in it (ultrasonic plastic welding)
4) the stick is manually connected to a PC and set up (groups of 8/10/12 sticks are connected to PCs with the same number of USB ports) with the "manufacturer's tools", which usually do some 4 things:
5a. memory chip type, size etc. settings are written to the device
5b. memory is actually tested (maybe)
5c. type of device (removable, fixed, partitioned, etc.) is written to the device and one or more filesystems
5d. the serial number is written to the device
6) a device found working/passing the tests is packaged in a single blister or similar
7) a shipping box is filled with these blisters/single packages
8) shipping boxes are stacked
9) some of these boxes (at random) are taken from the stack and sent to a wholesaler/distributor
10) the wholesaler/distributor opens these boxes, randomly takes out of them a given number of packages and sends them to the shop
11) the shop takes a single item from these smaller boxes and sells it to you

3) and 4) may be done in reverse order, and as well sub-points in #5 may be done in a different order.

Any of the macro-steps above from 1) to 9) may take place in the same factory or in several different factories.

Up to step 5 the actual stick has no serial anyway.
Steps 5 are performed "in parallel", i.e. there are tens of PCs (and people) processing the sticks at the same time, and besides my personal doubt that the serial numbers are coordinated and synced among these several workstations (so it is IMHO entirely possible that a serial is duplicated) it has to be seen if the serial is added before or after the "quality" test (if it is done before, some serials simply won't exist, so the serials won't be really sequential).

Anyway even IF serials were sequential, there is nothing on the physical stick or in the single (blister) packaging about it, and even IF from the factory a box of - say - 1000 pieces actually ships containing sticks with serials 00000001 to 00001000 (which as said is not a given) there are steps 10) and 11) that will mix things up.

jaclaz

Posted : 14/07/2020 10:42 am
Jmundy
(@jmundy)
New Member
Posted by: @jaclaz
Posted by: @jmundy

Although this might not assist, I have often wondered: if a USB serial number was known, could it be used to trace where it was purchased from?

No.

The "world records of authorized USB sticks owners" I jokingly referred to does not exist and with the possible exception of SANDISK (which is different from most other manufacturers) what passcodeunlock stated is more wishful thinking than anything else.

The actual production of "common" USB sticks is roughly as follows (monoliths are slightly different as they have no case):

1) the actual stick (PCB and components soldered to it) is produced in large, large numbers
2) the case, plastic or plastic+metal is produced
3) the stick is put into the case and (usually) sealed in it (ultrasonic plastic welding)
4) the stick is manually connected to a PC and set up (groups of 8/10/12 sticks are connected to PCs with the same number of USB ports) with the "manufacturer's tools", which usually do some 4 things:
5a. memory chip type, size etc. settings are written to the device
5b. memory is actually tested (maybe)
5c. type of device (removable, fixed, partitioned, etc.) is written to the device and one or more filesystems
5d. the serial number is written to the device
6) a device found working/passing the tests is packaged in a single blister or similar
7) a shipping box is filled with these blisters/single packages
8) shipping boxes are stacked
9) some of these boxes (at random) are taken from the stack and sent to a wholesaler/distributor
10) the wholesaler/distributor opens these boxes, randomly takes out of them a given number of packages and sends them to the shop
11) the shop takes a single item from these smaller boxes and sells it to you

3) and 4) may be done in reverse order, and as well sub-points in #5 may be done in a different order.

Any of the macro-steps above from 1) to 9) may take place in the same factory or in several different factories.

Up to step 5 the actual stick has no serial anyway.
Steps 5 are performed "in parallel", i.e. there are tens of PCs (and people) processing the sticks at the same time, and besides my personal doubt that the serial numbers are coordinated and synced among these several workstations (so it is IMHO entirely possible that a serial is duplicated) it has to be seen if the serial is added before or after the "quality" test (if it is done before, some serials simply won't exist, so the serials won't be really sequential).

Anyway even IF serials were sequential, there is nothing on the physical stick or in the single (blister) packaging about it, and even IF from the factory a box of - say - 1000 pieces actually ships containing sticks with serials 00000001 to 00001000 (which as said is not a given) there are steps 10) and 11) that will mix things up.

jaclaz

What's the point of a serial number then?

Posted : 14/07/2020 7:28 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @jmundy

What's the point of a serial number then?

The serial number is an identifier that is hopefully "unique" (as said it is not necessarily "unique" in an absolute sense, but when combined with the device ID - Vid & Pid - it is quite frankly very, very unlikely that a collision happens), useful (and used) by the Windows MountManager and other parts of Windows.

But - as another example - they can be a form of authentication/validation: there are programs that are installed (and validated) with a connection to the specific USB stick (i.e. the program won't run on a "normal" clone of the stick).

Unless you use the suitable "manufacturer tool" the serial cannot be changed with any "normal" tool, so if you physically find a USB stick, check its Vid&Pid and serial, and it is (say) Vid_0951&Pid_1665 and AC220B280A431051E97C05E1, and you examine a Windows PC and usbdeview (or similar, anyway artifacts in the Registry, like USB\Vid_0951&Pid_1665\AC220B280A431051E97C05E1) tells you that the last Plug/Unplug date for that serial is (still say) 02/08/2018 11.53.59, it is reasonable to state that that particular stick was last connected on that particular date/time.

jaclaz

Posted : 14/07/2020 7:49 pm
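As an added example (not code from the thread or from any poster), here is the Vid&Pid plus serial lookup that jaclaz describes: it parses a Windows device instance path of the form USB\VID_xxxx&PID_yyyy\serial, flags instance ids that Windows generated for devices that reported no serial, and returns the latest recorded plug/unplug time for a given stick. The records list is constructed in the shape of a USBDeview export; the Vid_0951/Pid_1665 values and the 02/08/2018 timestamp are the ones from the post, the 0781/5567 entry and the serial-less entry are made up.

```python
import re
from dataclasses import dataclass
from datetime import datetime
# Instance path as stored under HKLM\SYSTEM\CurrentControlSet\Enum\USB
_USB_PATH = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})\\(?P<inst>[^\\]+)$",
    re.IGNORECASE)

@dataclass(frozen=True)
class UsbIdentity:
    vid: str
    pid: str
    serial: str
    windows_generated: bool  # True: device had no serial, Windows invented the id

def parse_instance_path(path):
    """Split a USB device instance path into VID, PID and serial."""
    m = _USB_PATH.match(path.strip())
    if not m:
        raise ValueError(f"not a USB device instance path: {path!r}")
    inst = m.group("inst")
    # A second character of '&' marks an id generated by Windows because the
    # device reported no serial number; such an id cannot identify one stick.
    generated = len(inst) > 1 and inst[1] == "&"
    # USBSTOR keys store the same serial with '&0' appended; strip a trailing
    # '&n' so serials read from either key compare equal.
    serial = re.sub(r"&\d+$", "", inst).upper()
    return UsbIdentity(m.group("vid").upper(), m.group("pid").upper(), serial, generated)

def last_connection(records, vid, pid, serial):
    """Latest plug/unplug time recorded for the stick with this VID, PID and serial."""
    target = (vid.upper(), pid.upper(), serial.upper())
    hits = []
    for path, when in records:
        try:
            ident = parse_instance_path(path)
        except ValueError:
            continue  # not a USB\VID_... path, skip it
        if not ident.windows_generated and (ident.vid, ident.pid, ident.serial) == target:
            hits.append(when)
    return max(hits) if hits else None

# Constructed sample, not real evidence: (instance path, last plug/unplug time),
# the shape of a USBDeview export or a registry key timestamp.
SAMPLE_RECORDS = [
    ("USB\\VID_0951&PID_1665\\AC220B280A431051E97C05E1", datetime(2018, 8, 2, 11, 53, 59)),
    ("USB\\VID_0951&PID_1665\\AC220B280A431051E97C05E1", datetime(2017, 1, 5, 9, 0, 0)),
    ("USB\\VID_0951&PID_1665\\7&2a1b3c4d&0", datetime(2019, 3, 3, 8, 0, 0)),  # no serial
    ("USB\\VID_0781&PID_5567\\4C530001234567890123", datetime(2020, 6, 1, 10, 0, 0)),
]
```

The same VID/PID/serial triple appears under both the USB and USBSTOR registry keys, so a match in either is worth recording, but a Windows-generated id (second character `&`) only proves that some serial-less device of that model was connected, not which one.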