This is coming from one of the exercises in the DC3-2010 challenge.
You have an image of a thumb drive - newly formatted.
You have the system registry files, and an ntuser.dat file.
Question: How to show that the thumb drive was inserted into the machine.
Now before you go pulling all the standard USB stuff - remember, all you have is the image, and registry files.
1. The iSerialNumber of the USB device is not present on the image, it's queried from firmware. So that was a dead end.
2. I searched for the volume serial number in the registry but no joy.
When a thumb drive is inserted into a machine, and you query the live registry, there is an interesting entry under HKU\..\Explorer\MountPoints2\CPC\Volume\{985b96c0-022c-11df-831e-000c29c3124b}\Data
It contains what appears to be the volume boot record. But this data is not present when the registry files are copied from a deadbox.
So, long story short, ?
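The volume serial number mentioned above is one value that does live on the image itself: it sits in the FAT16 boot sector (extended BPB), not in device firmware. The following is an added example, not code from this thread or the challenge: it parses that field from a boot sector, renders it the way Windows displays it (XXXX-XXXX), and reports which encodings of it occur in a raw hive blob. The boot sector and hive bytes are constructed inline for the demonstration.

```python
import struct

# Constructed FAT16 boot sector for testing; not taken from the challenge image.
def build_sample_fat16_boot_sector(volume_serial: int, label: bytes = b"NO NAME    ") -> bytes:
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x3C\x90"                # jump instruction
    bs[3:11] = b"MSWIN4.1"                   # OEM name
    struct.pack_into("<H", bs, 11, 512)      # bytes per sector
    bs[13] = 8                               # sectors per cluster
    struct.pack_into("<H", bs, 14, 1)        # reserved sectors
    bs[16] = 2                               # number of FATs
    struct.pack_into("<H", bs, 17, 512)      # root directory entries
    bs[21] = 0xF8                            # media descriptor (fixed/removable disk)
    struct.pack_into("<H", bs, 22, 64)       # sectors per FAT
    struct.pack_into("<I", bs, 32, 65536)    # total sectors (32-bit field)
    bs[38] = 0x29                            # extended boot signature: serial + label present
    struct.pack_into("<I", bs, 39, volume_serial)
    bs[43:54] = label                        # 11-byte volume label
    bs[54:62] = b"FAT16   "                  # file system type string
    bs[510:512] = b"\x55\xAA"                # boot sector signature
    return bytes(bs)

def parse_fat16_boot_sector(sector: bytes) -> dict:
    """Extract OEM name, FS type, label and volume serial from a FAT12/16 boot sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid boot sector (missing 0x55AA signature)")
    if sector[38] not in (0x28, 0x29):
        raise ValueError("extended BPB absent; no volume serial recorded")
    serial = struct.unpack_from("<I", sector, 39)[0]
    return {
        "oem_name": sector[3:11].decode("ascii", "replace").rstrip(),
        "fs_type": sector[54:62].decode("ascii", "replace").strip(),
        "volume_label": sector[43:54].decode("ascii", "replace").rstrip(),
        "volume_serial": serial,
        # Windows shows the high word first, e.g. 1A2B-3C4D
        "volume_serial_display": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
    }

def find_volume_serial(hive_bytes: bytes, serial: int) -> list:
    """Report which encodings of the serial occur in a raw hive blob (a carve, not a key lookup)."""
    display = f"{serial >> 16:04X}-{serial & 0xFFFF:04X}"
    needles = {
        "raw little-endian dword": struct.pack("<I", serial),
        "ascii string": display.encode("ascii"),
        "utf-16le string": display.encode("utf-16-le"),  # registry strings are UTF-16LE
    }
    return [name for name, needle in needles.items() if needle in hive_bytes]
```

A hit in the hive is only a lead: the serial is a 32-bit value, so a raw dword match should be confirmed by locating the key that contains it before drawing any conclusion.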
Question: How to show that the thumb drive was inserted into the machine.
Very interesting question. I'll be interested to see what others post…hopefully, based on reasoning and experimentation, rather than speculation…
When a thumb drive is inserted into a machine, and you query the live registry, there is an interesting entry under HKU\..\Explorer\MountPoints2\CPC\Volume\{985b96c0-022c-11df-831e-000c29c3124b}\Data
It contains what appears to be the volume boot record. But this data is not present when the registry files are copied from a deadbox.
Perhaps…
Quick questions
How is the USB device formatted?
Are there any files on it?
Are there any artefacts on it?
The challenge comes with three USB images - two of which have files. That's straightforward enough to check for.
The third is formatted FAT16 with no files present. It's this third one that is interesting - how to tell if it was inserted just by examining the registry files.
Anyway, still running some tests.
Have you tried to review the USBSTOR(s) registry keys?
There is also the UVCView program for Windows.
Should give you a start.
There IS a great book on Windows Forensic Analysis and a reg tool written by someone on this forum (and even this thread) that would help you on your quest 😉
The third is formatted FAT16 with no files present. It's this third one that is interesting - how to tell if it was inserted just by examining the registry files.
Boy, it is hard when I can't see for myself. Two other questions, however:
Do you believe that the system from which you have the registries was the system used to format the USB device?
Is there any evidence that the formatting was done to overwrite a previously existing format?
There's no evidence. The challenge states that given three images of USB sticks, and just the registry files - provide a methodology to show if the USB sticks were ever inserted into the machine from which the registry files were taken.
So it might be that it was never inserted, let alone formatted on that box.
I'll give that a shot: take a thumb drive and format it on a Windows XP VM using Regshot, to see the before and after for any registry artifacts left behind.
Douglas
Thanks for the suggestions. UVCView is a great program; unfortunately I only have the images of the thumb drives, not the actual thumb drives in question. UVCView queries the firmware of the inserted device.
Testing method
INSERT THUMBDRIVE, REMOVE IT
INSERT THUMBDRIVE
REGSHOT #1
FORMAT THE DRIVE
REMOVE THE DRIVE
WAIT A BIT
REGSHOT #2
COMPARE
A bunch of volatile stuff is deleted (to do with the previously mentioned MountPoints2 CPC area, i.e. in memory only, unfortunately).
Many keys are modified, but without knowing the iSerialNumber of the device and the corresponding serial number/ParentIdPrefix in the registry, I don't believe I can prove anything.
Well b****r.
PS: The challenge may be to show that one cannot prove it, just not enough data. I'll probably conclude with that after I stew a bit longer. lol
Duh - that's right you are only working from the image sorry I missed that in the OP.
What are you using to view the image?
There's no evidence. The challenge states that given three images of USB sticks, and just the registry files - provide a methodology to show if the USB sticks were ever inserted into the machine from which the registry files were taken.
Ahh! Well that is somewhat different. Based upon this description, I would think that you were given at least one positive (it had been inserted), and at least one negative and a third which either was or wasn't. If I were designing the experiment, I would give two positives and one negative, which appears to be what you have.
Therefore, if your methodology for 1 & 2 was correct, then you cannot conclude that 3 was attached and, furthermore, assuming that there were not deliberate manipulations of the registry, you have good evidence that it was not.
Funny, actually, that you should bring this up. Being a physician, I was about to write an article about how the medical diagnostic approach to disease in the individual had a great deal of relevance to digital forensics, but digital forensic practitioners tend to think of things in terms of absolutes, rather than likelihoods or probabilities.
In medicine, we don't have the luxury of being able to exhaustively test every possibility and so we have to rely on what is most likely, given what we can hope to know.
If your method is accurate in predicting that 1 & 2 were connected, it must also be able to state that 3 wasn't. Based solely upon what you have said, it wasn't.