Notifications

Clear all

Simultaneous USB Last Write Times?

Cults14 · 2010-08-25T15:47:01Z

Hi, hope someone can help and also hope that I've not missed something obvious. I'm examining an image of a laptop drive which was used by a recently-departed employee who is suspected of moving confidential information out of the company. Quite apart from the fact that on the day before he left he appears to have connected a new U3 device and shortly afterwards run East-Tec Eraser, I don't understand the following.Using RegRipper , in System hive (USBStor ControlSet001EnumUSBStor) 61 USB devices are listed. Of these, 57 have exactly the same Last Write Time of Mon Apr 19 143234 2010. The other 4 all post-date these entries, as followsCdRom&Ven_Walletex&Prod_WalletFlash&Rev_PMAP [Mon Aug 9 150745 2010]Disk&Ven_Walletex&Prod_WalletFlash&Rev_PMAP [Mon Aug 9 150745 2010]Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02 [Thu May 6 221559 2010]Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00 [Tue May 4 211443 2010]The user had his laptop for about 4 years, there are three setupapi.log files (including .0.old and .1.old) and for example one of the devices with Apr 19th Last Write Time was installed on 18th June. On Apr 19th there are a large number of Windows Updates reported by RegRipper in SoftwareMicrosoftWindowsCurrentVersionUninstall, including XP3 update, various security updates for Windows XP, and various updates Windows XP. These commence at 153417 and finish at 155857.FYI the user appears to have logged off for the last time on August 10th.So my question is, what could have caused these simultaneous date/time stamps? I've tried Googling and also searched in FF but can't see anything related to this. Any pointers?OS is XP3 SP3Thanks

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by Cults14 15 years ago

13 Posts

5 Users

0 Reactions

1,352 Views

RSS

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

27/08/2010 1:21 am

@dietro…do you have something to reference that supports this? Like I mentioned, while I'm curious, it's never really come up as part of an examination. Can you point to something…testing, a white paper….that supports this?

@Cults14 - Regslack is an awesome tool for locating deleted keys/values in the unallocated space within a hive file.

ReplyQuote

dietro

(@dietro)

Trusted Member

Joined: 20 years ago

Posts: 51

27/08/2010 4:01 am

@dietro…do you have something to reference that supports this? Like I mentioned, while I'm curious, it's never really come up as part of an examination. Can you point to something…testing, a white paper….that supports this?

Harlan, I've done "before and after" testing myself, and this very issue was a recent topic of conversation on the CCE mailing list. Several people relayed that in their testing as well, this behavior is a result of SP3 being installed on an existing XP installation.

However, Cults14 has already done the research on the image he's working on to give a VERY strong indication that this is precisely the cause.

From the original post

Using RegRipper , in System hive (USBStor ControlSet001\Enum\USBStor) 61 USB devices are listed. Of these, 57 have exactly the same Last Write Time of Mon Apr 19 143234 2010.

snippage

On Apr 19th there are a large number of Windows Updates reported by RegRipper in \Software\Microsoft\Windows\CurrentVersion\Uninstall, including XP3 update, various security updates for Windows XP, and various updates Windows XP. These commence at 153417 and finish at 155857.

I would suspect that the date/time that Cults14 found for the installation of SP3 is when the installation completed. Thus, the Last Write time for the 57 devices in the USBSTOR occurs at some point during the installation process.

Cults14, given that you have said your question was for informational purposes and would look elsewhere for definitive answers as to when the devices may have been connected, I would suggest Harlan's book(s), or you can download Rob Lee's cheat sheets for thumbdrives here

http//blogs.sans.org/computer-forensics/2009/09/09/computer-forensic-guide-to-profiling-usb-thumbdrives-on-win7-vista-and-xp/

And for USB drive enclosures here

http//blogs.sans.org/computer-forensics/2009/09/09/usb-key-analysis-vs-usb-drive-enclosure-analysis/

ReplyQuote

Cults14

(@cults14)

Reputable Member

Joined: 17 years ago

Posts: 367

Topic starter 27/08/2010 7:03 pm

dietro - thanks. Yes I've already got those cheat sheets tucked safely away on my HD for reference.

As a matter of interest, what CCE mailing list are you talking about? I've requested training & certification but not been granted yet, might fork out for it myself if my employer doesn't but it's a fair old bite out of the personal cash-flow. Can non-CCEs join?

Regards

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
209 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed