Dear all,
During a recent Incident Response, we have come across a very peculiar problem and I need advice on how to tackle it. My organisation does not permit the use of USB mass storage devices as a policy, except on certain designated computers. During a routine security check, we found evidence of recent USB mass storage devices on a non-designated computer. Further investigation revealed that these USB devices had been used on multiple computers and all these computers are on a Windows Domain.
We, in accordance with org policy, picked up the concerned computers and the two USB devices and started examining them. During the investigation we found the following-
(a) All the computers (05 of them) had USBSTOR entries showing usage of these two USB devices in 2015 and this was corroborated by the apisetup data, but there were no subsequent entries in apisetup, even though there SHOULD have been some changes in the device driver(s) these last four years. The owner claims that the USBSTOR entries have been created even though the USB drives were under lock-and-key and have not been used. After taking possession of the USB devices, we asked the owner if there were any subsequent USBSTOR entries in the 15-odd days when the USB drives were in OUR physical possession. And he has promptly produced two instances where the USBSTOR shows the devices to have been used!!
I have a distinct feeling that there is something funny going on because I am not aware of any mechanism where the USB logs can replicate themselves with different date-time stamps even in a Domain environment. I need advice on how to nail this thing down and get to the bottom of it and determine if there is tampering of logs or something like that. Will appreciate any pointers or advice.
Not possible to remotely help. Look out for India Forensic Ltd.
…we found evidence of recent USB mass storage devices on a non-designated computer.
What was the evidence? How were you able to determine that it was 'recent'?
(a) All the computers (05 of them) had USBSTOR entries showing usage of these two USB devices in 2015 and this was corroborated by the apisetup data but there were no subsequent entries in apisetup, even though there SHOULD have been some changes in the device driver(s) these last four years.
"2015" doesn't sound 'recent'.
Can you elaborate as to why there should have been changes?
What you presented is comprehensive, albeit confusing. As it has been presented, the issue goes back and forth between 'recent', and 2015 (i.e., "not recent"), without providing the source of the "evidence".
Also, it would be very helpful to know the versions of Windows of these 5 systems.
Is it possible that all 5 of the systems are from the same gold image, and that image was the one to which the USB devices were connected?
I would add that if the five (2015) instances have exactly the same date/time, then it could be the case of a "gold image", if they are different date/times, not so much.
I am perplexed by the procedure you used, however
we asked the owner if there were any subsequent USBSTOR entries in the 15 odd days where the USB drives were in OUR physical possession. And he has promptly produced two instances where the USBSTOR shows the devices to have been used!!
Which implies that you told the owner about your partial findings in detail and implicitly gave him/her the possibility to create fake artifacts (not necessarily what happened, still …)?
Depending on a number of factors it is possible (with the specific Mass Production tool) to create a "perfect clone" of a USB stick (same serial); maybe the devices have been "perfectly cloned"? (A very unlikely possibility, BTW.)
jaclaz
How do you know the USBs you collected are the ones that created the USBSTOR entries? For me, serial numbers are not enough.
I've seen duplicate entries before - because the computer was built from a standard image in which the USB device had been connected to facilitate the building of said baseline image. These artifacts were thus present on every build from that point on.
Consider that scenario.
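The two checks suggested in this thread (jaclaz's point that five identical 2015 date/times across hosts point to a gold image, while differing times do not, and the later post's duplicate-artifact-from-baseline-image scenario) can be applied mechanically once USBSTOR entries from all hosts are tabulated. The script below is an added triage example, not code from any poster or from any forensic tool: it takes constructed records of (host, USBSTOR device instance path, timestamp), groups them by device serial, reports serials whose timestamp is byte-identical on two or more hosts (gold-image candidates), and lists entries dated inside a custody window, which here is an assumed 15-day period of the examiner's possession. The sample hosts, serials and timestamps are invented; the instance-path layout follows the usual `USBSTOR\Disk&Ven_x&Prod_y&Rev_z\<instance id>` form, and the assumption that the serial is the instance id with its trailing `&N` suffix removed is the script's own.

```python
"""Cross-host USBSTOR triage: gold-image duplicates and custody-window hits.

Added example (not from the thread). Each record is a tuple of
(host name, USBSTOR device instance path, ISO-8601 timestamp). In practice
the timestamp would be whatever the examiner extracted for the device
(registry key LastWrite, or the setupapi install time); here it is constructed.
"""
from collections import defaultdict
from datetime import datetime
import re

# Matches USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
INSTANCE_RE = re.compile(
    r"^USBSTOR\\Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_([^\\]*)\\([^\\]+)$", re.I
)

# Constructed sample data: five hosts carry the same 2015 timestamp for one
# serial (the gold-image pattern), two 2019 entries for the same serial fall
# inside the assumed custody window, and a second serial appears on two hosts
# at different times (not a duplicate-image pattern).
SAMPLE_RECORDS = [
    ("WS01", r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0123456789ABCDEF&0", "2015-03-12T09:14:07"),
    ("WS02", r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0123456789ABCDEF&0", "2015-03-12T09:14:07"),
    ("WS03", r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0123456789ABCDEF&0", "2015-03-12T09:14:07"),
    ("WS04", r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0123456789ABCDEF&0", "2015-03-12T09:14:07"),
    ("WS05", r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0123456789ABCDEF&0", "2015-03-12T09:14:07"),
    ("WS02", r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0123456789ABCDEF&0", "2019-04-03T11:02:45"),
    ("WS04", r"USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\0123456789ABCDEF&0", "2019-04-09T16:40:12"),
    ("WS01", r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\4C530001230321117502&0", "2017-08-21T08:00:00"),
    ("WS03", r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\4C530001230321117502&0", "2018-01-15T13:25:30"),
]


def parse_instance(path):
    """Split a USBSTOR device instance path into its named parts.

    Assumption: the serial is the instance id without its trailing '&N'
    port suffix. Instance ids that Windows generates for devices lacking a
    serial contain further '&' segments and are flagged rather than trusted.
    """
    m = INSTANCE_RE.match(path)
    if not m:
        raise ValueError("not a USBSTOR disk instance path: %r" % path)
    vendor, product, rev, instance_id = m.groups()
    serial = re.sub(r"&\d+$", "", instance_id)
    return {
        "vendor": vendor,
        "product": product,
        "rev": rev,
        "instance_id": instance_id,
        "serial": serial,
        "serial_is_generated": "&" in serial,  # no real serial on the device
    }


def group_by_serial(records):
    """Map serial -> list of (host, datetime) for every record."""
    by_serial = defaultdict(list)
    for host, path, ts in records:
        info = parse_instance(path)
        by_serial[info["serial"]].append((host, datetime.fromisoformat(ts)))
    return by_serial


def gold_image_candidates(records):
    """Serials whose timestamp is identical on two or more hosts.

    Returns {serial: {timestamp: [hosts]}} for the shared timestamps only.
    Identical values across machines are what a baseline image leaves
    behind; distinct values per host argue for separate physical insertions.
    """
    result = {}
    for serial, entries in group_by_serial(records).items():
        hosts_by_ts = defaultdict(set)
        for host, ts in entries:
            hosts_by_ts[ts].add(host)
        shared = {ts: sorted(h) for ts, h in hosts_by_ts.items() if len(h) > 1}
        if shared:
            result[serial] = shared
    return result


def entries_in_window(records, start_iso, end_iso):
    """Entries whose timestamp falls inside [start, end), e.g. a custody period.

    Any hit here contradicts the premise that the device was locked away,
    so each one needs an explanation (image duplication, clock changes,
    a cloned serial, or a manually created artifact).
    """
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    hits = []
    for serial, entries in group_by_serial(records).items():
        for host, ts in entries:
            if start <= ts < end:
                hits.append((host, serial, ts.isoformat()))
    return sorted(hits)


if __name__ == "__main__":
    for serial, shared in gold_image_candidates(SAMPLE_RECORDS).items():
        for ts, hosts in shared.items():
            print("gold-image candidate: serial %s at %s on %s" % (serial, ts.isoformat(), ", ".join(hosts)))
    # Assumed custody window for the constructed data.
    for host, serial, ts in entries_in_window(SAMPLE_RECORDS, "2019-04-01T00:00:00", "2019-04-16T00:00:00"):
        print("custody-window hit: %s %s %s" % (host, serial, ts))
```

With the constructed data the first check reports one serial shared by all five hosts at the identical 2015 time, and the second lists the two 2019 entries, which separates the "baseline image" explanation for the old entries from the unexplained new ones that still have to be accounted for by other evidence (setupapi logs, event logs, and the physical devices' own serials).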