Find the owner of U...
 
Notifications
Clear all

Find the owner of USB driver

14 Posts
5 Users
8 Reactions
3,870 Views
(@tony75)
Posts: 33
Eminent Member
Topic starter
 

Hi guys

I have a disk image .E01 of an USB driver and it’s contain a text file, It says in text file to execute exe file in company computers! And the person executed the exe file in company computer.

Now my question is:

It’s possible to find the owner of the USB?

It’s just allowed to use FTK Imager.

 
Posted : 11/07/2020 12:24 am
(@athulin)
Posts: 1156
Noble Member
 
Posted by: @tony75

It’s possible to find the owner of the USB?

It’s just allowed to use FTK Imager.

This sounds like a class assignment or proficiency test. Why are you not allowed to any other tool than FTK Imager?

As for your question: no, it is not, in general, possible to find out who owns a USB memory, in any legal sense of the word. 

In general. It may be possible in certain settings. 

 
Posted : 11/07/2020 6:17 am
Tony75 reacted
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @tony75

Hi guys

I have a disk image .E01 of an USB driver and it’s contain a text file, It says in text file to execute exe file in company computers! And the person executed the exe file in company computer.

Now my question is:

It’s possible to find the owner of the USB?

It’s just allowed to use FTK Imager.

That is a drive (usually called thumbdrive or USB stick) NOT a driver.

How exactly would you expect to find the owner?

Do you expect that there is his/her signature (notarized) physically on the device or a fingerprint (but you only have a .E01 image of it) or that there is one in the contents inside the .txt or in the .exe - in this case digitally signed?

Or do you believe that from the serial number of the device (which again you don't have as you only have a .E01)  you can look up the world records of authorized USB sticks owners?

@athulin
It does sound like a test/school assignment/exercise, but I wonder at what scope?

 

As a side note, and just for a quick laugh, it sounds a lot like the historical Irish Virus:

https://www.pandasecurity.com/mediacenter/security/manual-virus/

jaclaz

 

 

 

 

 
Posted : 11/07/2020 10:21 am
shovelry and Tony75 reacted
(@tony75)
Posts: 33
Eminent Member
Topic starter
 

@athulin

@jaclaz

It’s not test and I’m not student, I’m digital forensics, in fact I got this question from a friend

But my answer was check the name of Volume Labels, maybe he registered USB Stick in his name!

However it’s not good solution!

 
Posted : 11/07/2020 11:26 am
(@tony75)
Posts: 33
Eminent Member
Topic starter
 

@jaclaz

You pointed out good details, I think we get also more info when we decompile the .exe file and get the source code.

 

 
Posted : 11/07/2020 11:35 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @tony75

@athulin

@jaclaz

It’s not test and I’m not student, I’m digital forensics, in fact I got this question from a friend

But my answer was check the name of Volume Labels, maybe he registered USB Stick in his name!

However it’s not good solution!

Friends don't ask this kind of questions, or - if they do - they don't "allow" to use anything, and surely not the use of FTK imager only.

BTW I would be curious to see the disassembly (calling it "source code" is quite a leap) of the .exe performed via FTK Imager (and compare it with the output of *any* de-compiler).

What (the heck) do you believe you can find in a de-compiled .exe?

Just for the record, the USB stick volumes labels tend to be usually "Data", "USB_stick", "Thumbforce1", NO_LABEL" and similar, though I have seen once one called "John".

jaclaz

 
Posted : 11/07/2020 12:47 pm
shovelry reacted
(@tony75)
Posts: 33
Eminent Member
Topic starter
 

@jaclaz

@athulin

Every IT forensic scientist knows that it is impossible to disassembly .exe code via FTK.

But the question was is it possible to find the owner of USB stick by using  just FTK Imager or not!

The USB stick belong the virus creator or belong the person who execute .exe file?

Now the answer that I got is: NO

Hope he find another techniques and tools to discover the owner of USB stick.

This post was modified 4 years ago by Tony75
 
Posted : 11/07/2020 1:38 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 
Posted by: @tony75

@jaclaz

@athulin

Every IT forensic scientist knows that it is impossible to disassembly .exe code via FTK.

But the question was is it possible to find the owner of USB stick by using  just FTK Imager or not!

The USB stick belong the virus creator or belong the person who execute .exe file?

Now the answer that I got is: NO

Hope he find another techniques and tools to discover the owner of USB stick.

The whole point is that the answer is a much bigger NO.

The question, besides being extremely futile by limiting it to the use of FTK Imager, makes no sense whatsoever even if you lift off that limitation.

I.e. if you rephrase the question as:
Is it possible, by using any method known to men, including - say - a photonic-cyber-tera-phragmanitron and/or a mega-hyper-trimblefuser, to discover the owner of a USB stick[1] with only a .txt and .exe on it?

The answer remains NO.

Now, if you further rephrase in more forensic terms, i.e. more along the lines of:
Are there "standard" (OS, filesystem, mounting) artifacts created on a USB stick capable of leading to its owner?

The answer remains NO.

Of course IF the USB Stick was used by someone that saved on it his/her personal data and later -say - quick formatted the volume, you may be able to recover some of these files containing personal data.

At which point you have to ask to yourself:

How can I prove that the personal data I found correspond to the owner of the USB stick?

And the answer is you cannot, the data could have been planted on purpose or be related to a previous owner that lost the USB stick, etc., etc.

jaclaz

 

[1] of course assuming that by chance the data on it does not contain ID/personal data or that the owner did not intentionally provide this information, like those that come with a readme.txt in root *like*:
Hallo,

if you are reading this, likely I am a lost (and now found) USB stick.

My owner is xxxx xxxxxxxx, e-mail xxxxxxx@somesite.com, it would be nice if you could drop a line there. 

A reward will be granted for returning this stick to the owner.

 

 
Posted : 11/07/2020 2:25 pm
shovelry and Tony75 reacted
(@tony75)
Posts: 33
Eminent Member
Topic starter
 

@jaclaz

Thank you for the explanation.

 
Posted : 11/07/2020 3:10 pm
(@jmundy)
Posts: 25
Eminent Member
 

Although this might not assist I have often wondered if a USB serial number was known could it be used to trace where it was purchased from?

 
Posted : 13/07/2020 7:04 am
Page 1 / 2
Share: