
same usb at the same time !!  

Page 1 / 2
qassam22222
(@qassam22222)
Active Member

Hello all….
I'm working on a case… when I attached the image to Autopsy I got this result for the attached USBs… kindly, I need an explanation for that!!!

Posted : 23/05/2018 10:22 am
chad131
(@chad131)
Member

> Hello all….
> I'm working on a case… when I attached the image to Autopsy I got this result for the attached USBs… kindly, I need an explanation for that!!!

This happens a lot. Check the System event logs for a system update around the same date/time. Some of these will just globally stomp USBSTOR registry dates.

This doesn't mean you are totally out of luck; check the other registry dates/times as well as searching the event logs for the USB serials.

Posted : 23/05/2018 1:50 pm
shakes6791
(@shakes6791)
New Member

I would recommend generating a timeline or just parsing out the MFT records. This might give you some insight into what might have ticked these dates/times.

Depending on the OS there are lots of places you might be able to find additional attachment dates. Also, check to see if there are any VSCs, and hopefully those dates/times aren't also stepped on.

Best of luck!

Posted : 23/05/2018 3:32 pm
keydet89
(@keydet89)
Community Legend

This is yet another case of "know your tools"…where is that data being pulled from? If it's from the USBStor Registry keys in the System hive, that time stamp does NOT show when the USB devices were last connected.

Depending upon the version of Windows you're looking at, if you're interested in when the devices were last connected to the system, you might want to look in other locations in the Registry, or in the Windows Event Log.

HTH

Posted : 23/05/2018 6:31 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

qassam22222,

I would run multiple tools against the evidence and then compare the results.

Passmark's OSForensics (free 30 day trial)

Magnet Forensics' IEF (not sure if there is a free trial but I believe they would provide you with one)

Free-to-use USB tools:

http://www.woanware.co.uk/forensics/usbdeviceforensics.html

http://www.4discovery.com/our-tools/

http://www.nirsoft.net/utils/usb_devices_view.html

Posted : 23/05/2018 6:51 pm
ntexaminer
(@ntexaminer)
Junior Member

This is a common occurrence, particularly when the last write time of a registry subkey is the only data source used to identify an event (such as when a device was last connected). The key is to use multiple sources of data to corroborate, such as several locations within the registry hives, event log records, etc. Using multiple locations to corroborate your findings will help to increase your overall confidence in the reliability of your results as well as to identify locations that should not be relied upon in your examination.

In addition to the tools mentioned, I suggest you take a look at USB Detective (https://usbdetective.com), which was developed to help address issues like the one you're seeing. It leverages multiple sources of data for the reported timestamps and visually distinguishes timestamps that are consistent across multiple data sources from those that have inconsistencies.

Posted : 23/05/2018 8:32 pm
qassam22222
(@qassam22222)
Active Member

> This is a common occurrence, particularly when the last write time of a registry subkey is the only data source used to identify an event (such as when a device was last connected). The key is to use multiple sources of data to corroborate, such as several locations within the registry hives, event log records, etc. Using multiple locations to corroborate your findings will help to increase your overall confidence in the reliability of your results as well as to identify locations that should not be relied upon in your examination.
>
> In addition to the tools mentioned, I suggest you take a look at USB Detective (https://usbdetective.com), which was developed to help address issues like the one you're seeing. It leverages multiple sources of data for the reported timestamps and visually distinguishes timestamps that are consistent across multiple data sources from those that have inconsistencies.

I converted the image to VirtualBox, then I installed USB Detective, but I think I still have the same issue. I can't understand what's happening here :( take a look.

Posted : 03/06/2018 11:13 am
jaclaz
(@jaclaz)
Community Legend

> … then I installed USB Detective, but I think I still have the same issue. I can't understand what's happening here :( take a look.

Yes, the issue remains: that timestamp has been (clearly) altered by *something*. The point of the above suggestions was to use SEVERAL different tools (not "just another one", or "the last one" suggested) and COMPARE the results of ALL the tools suggested (+ possibly a few more; even "minor" ones may shed a light).
Like:
https://sourceforge.net/projects/smallusbhistory/
http://www.softpedia.com/get/Windows-Widgets/System-Utilities/USB-History-GUI.shtml

Here you can find yet another tool, and a very clear explanation, listing some of the "less commonly checked" timestamp sources:
https://tzworks.net/prototype_page.php?proto_id=13

By comparing the results of various tools and, as already suggested, making a full timeline, you may (or may not, or only partially) answer these three questions:
1) When was the actual device actually connected for the last time?
2) What (event/tool/command) actually did the "common" timestamping?
3) When did the "common" timestamping occur?

As an example (and as an example only) the USB Historian
http://www.4discovery.com/our-tools/
also checks the MountPoints2 date (which may or may not help).

jaclaz

Posted : 03/06/2018 12:20 pm
ntexaminer
(@ntexaminer)
Junior Member

Thanks for posting your screenshot to illustrate. For the timestamps that are the same, what is the source? You can find this by hovering over the value or double-clicking the cell for the verbose output.

USB Detective evaluates numerous locations for each data point displayed in the results grid. For example, it queries the Enum\USB hierarchy, MountPoints2, USBSTOR Properties, WPDBUSENUM Properties, multiple event logs (if provided), and more in an attempt to find the last connected time of a device. It will then color the timestamp's cell in the results grid based on the consistency or lack thereof across the queried data points and allow you to see the source from which each identified value was located. Your screenshot indicates that, for the last connected cells with no highlighting, only one data source was available. Since many/most of the timestamps are the same, it also tells you that it's probably an unreliable data source.

If the OS is Windows 7 or later, event logs may be very helpful to fill in the gaps here, as Harlan mentioned earlier.

Posted : 03/06/2018 8:13 pm
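To make the corroboration logic described in the reply above concrete, here is an added example (my own code, not USB Detective's and not from anyone in this thread). It takes, per device, the candidate last-connected timestamps reported by several artifact sources, treats a minute-value that recurs across three or more devices as a probable mass write (the pattern the screenshots show), and then grades each device by how many of its remaining, non-suspect sources agree. The device names, timestamps, source labels and the 60-second / 3-device thresholds are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed thresholds (not from the thread): two sources within 60 s describe the same
# connection event; one minute-value shared by 3+ devices looks like a mass write.
TOLERANCE = timedelta(seconds=60)
MASS_WRITE_MIN_DEVICES = 3

# Constructed sample data (not real case data): device -> {artifact source: timestamp}.
# Four devices carry the same USBSTOR last-write minute, mimicking the "stomped" pattern.
SAMPLE = {
    "Disk&Ven_CONSTRUCTED&Prod_A\\SERIAL-A": {
        "USBSTOR key last-write": "2018-03-20 08:25:20",
    },
    "Disk&Ven_CONSTRUCTED&Prod_B\\SERIAL-B": {
        "USBSTOR key last-write": "2018-03-20 08:25:20",
    },
    "Disk&Ven_CONSTRUCTED&Prod_C\\SERIAL-C": {
        "USBSTOR key last-write": "2018-03-20 08:25:20",
        "Enum\\USB key last-write": "2018-03-20 08:25:20",
    },
    "Disk&Ven_CONSTRUCTED&Prod_D\\SERIAL-D": {
        "USBSTOR key last-write": "2018-03-20 08:25:20",
        "DriverFrameworks-UserMode EID 2003": "2018-02-07 14:10:12",
        "MountPoints2 key last-write": "2018-02-07 14:10:40",
    },
    "Disk&Ven_CONSTRUCTED&Prod_E\\SERIAL-E": {
        "USBSTOR key last-write": "2018-03-20 13:03:05",
        "MountPoints2 key last-write": "2018-03-20 13:50:50",
    },
    "Disk&Ven_CONSTRUCTED&Prod_F\\SERIAL-F": {
        "Enum\\USB key last-write": "2018-01-15 09:00:00",
    },
}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def shared_minutes(observations):
    """Minute-values that occur (from any source) on MASS_WRITE_MIN_DEVICES or more devices."""
    seen = Counter()
    for sources in observations.values():
        # count each minute once per device, so one device with two agreeing sources is not double-counted
        seen.update({parse_ts(ts).replace(second=0) for ts in sources.values()})
    return {minute for minute, n in seen.items() if n >= MASS_WRITE_MIN_DEVICES}


def assess(observations):
    """Per device: which sources look mass-written, and what the remaining sources support."""
    suspect_minutes = shared_minutes(observations)
    report = {}
    for device, sources in observations.items():
        parsed = {src: parse_ts(ts) for src, ts in sources.items()}
        trusted = {src: ts for src, ts in parsed.items()
                   if ts.replace(second=0) not in suspect_minutes}
        suspect = sorted(set(parsed) - set(trusted))
        if not trusted:
            status, best = "unreliable", None           # every value is part of the mass write
        elif len(trusted) == 1:
            status, best = "single-source", next(iter(trusted.values()))
        else:
            spread = max(trusted.values()) - min(trusted.values())
            status = "corroborated" if spread <= TOLERANCE else "conflicting"
            best = max(trusted.values())                # latest independent value wins
        report[device] = {
            "status": status,
            "best_last_connected": best.isoformat(sep=" ") if best else None,
            "suspect_sources": suspect,
        }
    return report


if __name__ == "__main__":
    for device, verdict in assess(SAMPLE).items():
        print(f"{device:40} {verdict['status']:14} {verdict['best_last_connected']}  "
              f"suspect={verdict['suspect_sources']}")
```

Devices A, B and C come out "unreliable" because their only values sit in the shared 08:25 minute; device D keeps a corroborated 2018-02-07 connection once its USBSTOR value is set aside; device E has two independent values 47 minutes apart and is flagged "conflicting" for manual review rather than silently picking one.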
qassam22222
(@qassam22222)
Active Member

Hey all…. maybe I'm getting close to solving this issue, maybe not. These are the final results for my case….

At first, what I care about is that date, 20/03/2018!! Why that date? Because the guy who uses this computer was in jail at that time!! And other examiners have begun to blame others.

So I started from the Autopsy report, which shows…

When I read about the RegBack dir I found this…

> Following on from timestamps and how I said they shouldn't be trusted, I am now going to talk about…. timestamps! The RegBack folder holds a backup copy of the Registry Hives and is located at %system32%\config\regback

Source: https://hatsoffsecurity.com/2014/05/29/regback-folder-update-times/

When I looked inside the image via FTK I discovered that the RegBack file was created on the same date.

Then I decided to look inside the event log, because the guy in the above link said that changes in the timestamps are related to Windows updates or maintenance!!

But the update failed!! Here I started to feel confused!!

Then I started to look for "connected USB events" in:

> Connection Event IDs
>
> When a USB removable storage device is connected to a Windows 7 system, a number of event records should be generated in the Microsoft-Windows-DriverFrameworks-UserMode/Operational event log. The records include those with Event ID 2003, 2004, 2005, 2010, 2100, 2105, and more

Source: https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/

The last date that shows that the user inserted a USB is 2/7/2018; nothing was found on 20/03/2018.

Then I started to use other tools to check for plugged-in USBs.

So smallusbhistory and USB-History-GUI said nothing was plugged in to the computer on that date, and also the event logs…. Should I trust them, and is this sufficient evidence to face the judge in court to prove that there was no USB attached to that computer at that time??

And are there any steps that are not right in what I mentioned above? If there are, please correct me.

Posted : 04/06/2018 11:17 am
jaclaz
(@jaclaz)
Community Legend

You are seemingly still putting in the same basket *any* trace related to the given date, without considering the time.

From the screenshots of the various tools you posted, it seems to me that a line must be drawn.

With reference to the USB Detective screenshot you posted here
https://www.forensicfocus.com/Forums/viewtopic/p=6594615/#6594615

You have a set of timestamps, ALL on 2018/03/20, that can be divided in two:
1) 8:25:20 AM
2) various times in the interval between 1:03:05 PM and 1:50:50 PM

Timestamps in #1 are not backed up/confirmed by *anything else* (so it is likely that they do not represent what happened); timestamps in #2 have some confirmations, so it is likely that they are an accurate representation.

Timestamps related to the Registry backup are much earlier (still on the same day), between 5:59:26 AM and 6:16:54 AM, and likewise the attempted Windows update is at 7:59:34 AM, so all this activity should be unrelated.

Again, you need to make a COMPLETE TIMELINE and from that possibly obtain a better-founded theory of what happened.

As a side note I find it, if not suspect, at least "queer" that (with the owner in jail) the system was on (at all), but particularly that it was on so early as (at the very least) before 6 o'clock in the morning.

jaclaz

Posted : 04/06/2018 11:56 am
qassam22222
(@qassam22222)
Active Member

How can I create a timeline? I tried log2timeline; it creates a big CSV file (2 GB) that I can't open with Excel!!
Is there any way to filter it, or open it via any free tool?
Or is there any other method or tool to create a timeline?

Posted : 08/06/2018 2:11 am
UnallocatedClusters
(@unallocatedclusters)
Senior Member

Qassam,

As my friend and mentor Jaclaz would say, “you are looking at this backwards 😯 “.

What series of human activities are you trying to prove or disprove happened?

Are you, for example, attempting to determine if there is evidence on the computer beyond a reasonable doubt that a specific individual (1) logged into a Windows user account (confirm the Windows SID first! Also determine what other Windows SIDs were logged in concurrently), then (2) launched a browser and logged into a VPN service (check browser caches and saved passwords), then (3) searched for contraband torrents (browser history caches), then (4) downloaded a specific torrent file (check Internet Explorer history), then (5) launched eMule (check MAC metadata for the eMule .lnk file and .exe files and registry values), then (6) downloaded contraband files, etc. etc. etc.

As independent experts we should only form opinions based upon evidence that any qualified peer could 100% replicate.

I am confused why your coworkers are now "looking at other people". Are you not the computer forensic examiner on the case? What specific activities (and supporting forensic evidence) are your colleagues basing their suspicions on? Is it something you could verify or prove false through your own forensic analysis? I would start there.

Posted : 08/06/2018 3:12 am
jaclaz
(@jaclaz)
Community Legend

> How can I create a timeline? I tried log2timeline; it creates a big CSV file (2 GB) that I can't open with Excel!!
> Is there any way to filter it, or open it via any free tool?
> Or is there any other method or tool to create a timeline?

http://record-editor.sourceforge.net/Record02.htm

http://recsveditor.sourceforge.net/

jaclaz

Posted : 08/06/2018 9:57 am
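As an added example for the timeline question (my own code, not from jaclaz, qassam22222 or the plaso project), the script below streams a log2timeline l2tcsv export row by row, keeping only rows inside a date window and, optionally, rows matching a pattern such as the USBSTOR key path or the DriverFrameworks-UserMode event records from the df-stream excerpt quoted above. The file is never loaded into memory, so a 2 GB export is filtered down to something a spreadsheet can open. The column layout is the l2tcsv header as I know it (compare it with the first line of your own export), and the embedded rows, host name and device serials are constructed.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime

# l2tcsv column layout as written by log2timeline/plaso (assumed; compare with your export's header).
L2T_COLUMNS = ["date", "time", "timezone", "MACB", "source", "sourcetype", "type", "user",
               "host", "short", "desc", "version", "filename", "inode", "notes", "format", "extra"]


def _row(date, time, source, sourcetype, desc, filename="-"):
    """Build one constructed l2tcsv row with all 17 columns populated."""
    return [date, time, "UTC", "M...", source, sourcetype, "Content Modification Time", "-",
            "HOST-01", desc[:40], desc, "2", filename, "-", "-", source.lower(), "-"]


def build_sample_csv():
    """Constructed timeline rows (not real case data), already in chronological order."""
    usbstor = "[HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum\\USBSTOR\\"
    wdf = "[2003 / 0x07d3] Source Name: Microsoft-Windows-DriverFrameworks-UserMode Strings: "
    regback = "C:\\Windows\\System32\\config\\RegBack\\SYSTEM"
    rows = [
        _row("02/07/2018", "14:10:12", "EVT", "WinEVTX", wdf + "['SERIAL-D']"),
        _row("03/20/2018", "05:59:26", "FILE", "NTFS $MFT", regback, regback),
        _row("03/20/2018", "07:59:34", "EVT", "WinEVTX",
             "[20 / 0x0014] Source Name: Microsoft-Windows-WindowsUpdateClient Strings: ['Installation Failure']"),
        _row("03/20/2018", "08:25:20", "REG", "Registry Key", usbstor + "Disk&Ven_CONSTRUCTED&Prod_A\\SERIAL-A]"),
        _row("03/20/2018", "08:25:20", "REG", "Registry Key", usbstor + "Disk&Ven_CONSTRUCTED&Prod_B\\SERIAL-B]"),
        _row("03/20/2018", "10:00:00", "WEBHIST", "Chrome History", "https://example.com/ (Example Domain)"),
        _row("03/20/2018", "13:03:05", "EVT", "WinEVTX", wdf + "['SERIAL-E']"),
        _row("03/21/2018", "09:00:00", "REG", "Registry Key", usbstor + "Disk&Ven_CONSTRUCTED&Prod_F\\SERIAL-F]"),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(L2T_COLUMNS)
    writer.writerows(rows)
    return buf.getvalue()


def iter_events(fileobj, start, end, pattern=None):
    """Yield rows dated within [start, end] (YYYY-MM-DD) whose desc/filename/extra match pattern, if given."""
    lo = datetime.strptime(start, "%Y-%m-%d").date()
    hi = datetime.strptime(end, "%Y-%m-%d").date()
    rx = re.compile(pattern, re.IGNORECASE) if pattern else None
    for row in csv.DictReader(fileobj):
        try:
            day = datetime.strptime(row["date"], "%m/%d/%Y").date()   # l2tcsv dates are MM/DD/YYYY
        except (ValueError, KeyError, TypeError):
            continue                                                  # skip a malformed row, don't abort the run
        if not (lo <= day <= hi):
            continue
        haystack = " ".join((row.get("desc") or "", row.get("filename") or "", row.get("extra") or ""))
        if rx and not rx.search(haystack):
            continue
        yield row


def filter_file(src_path, dst_path, start, end, pattern=None):
    """Write only the matching rows to dst_path, streaming so the source is never held in memory."""
    count = 0
    with open(src_path, newline="", encoding="utf-8", errors="replace") as src, \
         open(dst_path, "w", newline="", encoding="utf-8") as dst:
        writer = None
        for row in iter_events(src, start, end, pattern):
            if writer is None:
                writer = csv.DictWriter(dst, fieldnames=list(row.keys()))
                writer.writeheader()
            writer.writerow(row)
            count += 1
    return count


def run_on_sample(start, end, pattern=None):
    """Apply the same filter to the in-memory sample; returns (matching rows, count per source column)."""
    rows = list(iter_events(io.StringIO(build_sample_csv()), start, end, pattern))
    return rows, dict(Counter(r["source"] for r in rows))


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "timeline.csv")
        dst = os.path.join(tmp, "usb_2018-03-20.csv")
        with open(src, "w", encoding="utf-8", newline="") as fh:
            fh.write(build_sample_csv())
        n = filter_file(src, dst, "2018-03-20", "2018-03-20", r"USBSTOR|DriverFrameworks")
        print(f"{n} matching rows written to {dst}")
```

Run it against a real export as `filter_file("timeline.csv", "usb_day.csv", "2018-03-20", "2018-03-20", r"USBSTOR|DriverFrameworks")`; widen the window and drop the pattern to get the full day's activity, which is the "complete timeline" view rather than only the USB slice.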
qassam22222
(@qassam22222)
Active Member

Hello friends, sorry for the late reply…. but I was on vacation for 15 days :)
I converted the whole image to a timeline via the log2timeline tool and this is the result….

For the USBs at the same time:

I found these 2 events in the timeline before multiple USBs start to appear in the log…

1- [102 / 0x0066] Source Name: Microsoft-Windows-TaskScheduler Strings: ['\Microsoft\Windows\SystemRestore\SR' 'NT AUTHORITY\SYSTEM' '{C227776E-C9C8-4755-8D76-5301D50CA1DF}'] Computer Name: MOFFICE_2.*******.ps Record Number: 104352 Event Level: 4

2- [201 / 0x00c9] Source Name: Microsoft-Windows-TaskScheduler Strings: ['\Microsoft\Windows\SystemRestore\SR' '{C227776E-C9C8-4755-8D76-5301D50CA1DF}' 'C:\Windows\system32\rundll32.exe' '0'] Computer Name: MOFFICE_2.******.ps Record Number: 104351 Event Level: 4

According to Microsoft these events mean:

102 means the Task Completed

201 means the Action Completed

Windows started updating registry values from (2018-03-20T08:25:12.997855+02:00) to 2018-03-20T08:26:08.763045+02:00, then to this event ID:

[1016 / 0x03f8] Source Name: Microsoft-Windows-ReadyBoost Strings: ['2018-03-20T08:26:08.047003600Z' '0' '702' '1'] Computer Name: MOFFICE_2.*****.ps Record Number: 1611 Event Level: 4

1016: I don't know what this event means :(
8224: Event ID 8224 is simply information, indicating that VSS is done doing what it was doing, and has now gone idle.

Do these events and processes explain why multiple USBs appear in Autopsy, and can you explain to me what is happening here?

Then after I went deeper into the logs I found that the computer was being used at that time :)

As you can see there are some portable disks and USBs plugged into the PC at different times…
Another confirmation from the log:

And another:

And the logs show that someone ran the ipconfig command on the system and saved the output to the C:/ drive.

I think this is enough evidence that there are other people involved in this case?

Posted : 25/06/2018 9:54 am