Hi guys
I have an .E01 disk image of a USB driver and it contains a text file. The text file says to execute an exe file on company computers! And the person executed the exe file on a company computer.
Now my question is:
Is it possible to find the owner of the USB?
Only FTK Imager is allowed.
This sounds like a class assignment or proficiency test. Why are you not allowed to use any other tool than FTK Imager?
As for your question: no, it is not, in general, possible to find out who owns a USB memory, in any legal sense of the word.
In general. It may be possible in certain settings.
That is a drive (usually called thumbdrive or USB stick) NOT a driver.
How exactly would you expect to find the owner?
Do you expect that there is his/her signature (notarized) physically on the device or a fingerprint (but you only have a .E01 image of it) or that there is one in the contents inside the .txt or in the .exe - in this case digitally signed?
Or do you believe that from the serial number of the device (which again you don't have as you only have a .E01) you can look up the world records of authorized USB stick owners?
@athulin
It does sound like a test/school assignment/exercise, but I wonder at what scope?
As a side note, and just for a quick laugh, it sounds a lot like the historical Irish Virus:
https://www.pandasecurity.com/mediacenter/security/manual-virus/
jaclaz
@athulin
It’s not a test and I’m not a student; I’m in digital forensics. In fact, I got this question from a friend.
But my answer was to check the volume label; maybe he registered the USB stick in his name!
However, it’s not a good solution!
You pointed out good details. I think we also get more info when we decompile the .exe file and get the source code.
Friends don't ask this kind of question, or - if they do - they don't "allow" the use of anything, and surely not the use of FTK Imager only.
BTW I would be curious to see the disassembly (calling it "source code" is quite a leap) of the .exe performed via FTK Imager (and compare it with the output of *any* de-compiler).
What (the heck) do you believe you can find in a de-compiled .exe?
Just for the record, USB stick volume labels tend to usually be "Data", "USB_stick", "Thumbforce1", "NO_LABEL" and similar, though I have seen once one called "John".
jaclaz
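Added example, not written by any poster in this thread: a sketch of which identifying fields a FAT boot sector in such an image actually records. It assumes the first sector of the volume has already been exported as raw bytes; the function names and the sample sector are constructed for illustration.

```python
import struct

def parse_fat_boot_sector(sector: bytes) -> dict:
    """Return the identifying fields stored in a FAT12/16/32 boot sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot sector signature")
    # BPB_FATSz16 (offset 22) is zero on FAT32, where the extended
    # fields start at offset 64 instead of 36.
    fat_size_16 = struct.unpack_from("<H", sector, 22)[0]
    ext = 36 if fat_size_16 else 64
    boot_sig = sector[ext + 2]
    if boot_sig not in (0x28, 0x29):
        raise ValueError("no extended boot signature, so no volume ID or label")
    volume_id = struct.unpack_from("<I", sector, ext + 3)[0]
    info = {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "volume_id": f"{volume_id >> 16:04X}-{volume_id & 0xFFFF:04X}",
        "label": None,
        "fs_type": None,
    }
    if boot_sig == 0x29:  # 0x28 carries the volume ID only
        info["label"] = sector[ext + 7:ext + 18].decode("ascii", "replace").rstrip()
        info["fs_type"] = sector[ext + 18:ext + 26].decode("ascii", "replace").rstrip()
    return info

def build_sample_fat32_sector() -> bytes:
    """Constructed sample sector, not taken from any real device."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x58\x90"            # jump instruction
    s[3:11] = b"MSDOS5.0"               # OEM name written by the formatter
    struct.pack_into("<H", s, 11, 512)  # bytes per sector
    # offset 22 (BPB_FATSz16) stays zero, which marks the layout as FAT32
    s[66] = 0x29                        # extended boot signature
    struct.pack_into("<I", s, 67, 0x1A2B3C4D)  # volume ID set at format time
    s[71:82] = b"NO NAME    "           # 11-byte free-text label
    s[82:90] = b"FAT32   "
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    for field, value in parse_fat_boot_sector(build_sample_fat32_sector()).items():
        print(f"{field:10} {value}")
```

The volume ID is generated when the volume is formatted and the label is free text that anyone can set, so neither is the device's USB serial number and neither identifies a person.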
Every IT forensic scientist knows that it is impossible to disassemble .exe code via FTK.
But the question was: is it possible to find the owner of the USB stick by using just FTK Imager or not!
Does the USB stick belong to the virus creator or to the person who executed the .exe file?
Now the answer that I got is: NO
Hope he finds other techniques and tools to discover the owner of the USB stick.
The whole point is that the answer is a much bigger NO.
The question, besides being extremely futile by limiting it to the use of FTK Imager, makes no sense whatsoever even if you lift off that limitation.
I.e. if you rephrase the question as:
Is it possible, by using any method known to men, including - say - a photonic-cyber-tera-phragmanitron and/or a mega-hyper-trimblefuser, to discover the owner of a USB stick[1] with only a .txt and .exe on it?
The answer remains NO.
Now, if you further rephrase in more forensic terms, i.e. more along the lines of:
Are there "standard" (OS, filesystem, mounting) artifacts created on a USB stick capable of leading to its owner?
The answer remains NO.
Of course IF the USB stick was used by someone that saved on it his/her personal data and later - say - quick formatted the volume, you may be able to recover some of these files containing personal data.
At which point you have to ask yourself:
How can I prove that the personal data I found correspond to the owner of the USB stick?
And the answer is you cannot, the data could have been planted on purpose or be related to a previous owner that lost the USB stick, etc., etc.
jaclaz
[1] of course assuming that by chance the data on it does not contain ID/personal data or that the owner did not intentionally provide this information, like those that come with a readme.txt in root *like*:
Hallo,
if you are reading this, likely I am a lost (and now found) USB stick.
My owner is xxxx xxxxxxxx, e-mail xxxxxxx@somesite.com, it would be nice if you could drop a line there.
A reward will be granted for returning this stick to the owner.
Although this might not assist, I have often wondered: if a USB serial number was known, could it be used to trace where it was purchased from?