USB devices identification in Win XP and Win 7 problem

11 Posts
4 Users
0 Likes
649 Views
(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

Dear all,

I've got two comps/hdds of the same person - the one is older (let's call it 'old' system - running Win XP Sp3) and the other is its replacement (let's call it 'new' system - running Win 7 Enterprise SP1). Fortunately the old one hasn't been wiped so all necessary data is there.

I'm almost sure that some questionable files were located at USB thumb drives attached to both computers.

What I did so far
1. I analyzed lnk files on both computers and located those redirecting to external storages - it looked that 'old' comp assigned mostly Z drive and 'new' - mostly G drive to USB drives
2. I analyzed MountedDevices registry key and extracted the records under Z drive on 'old' system and G drive on 'new' system
3. based on ParentIdPrefix on 'old' system - found USB drives' serial numbers / for 'new system' I believe serial numbers are accessible directly without necessity to use ParentIdPrefix
4. compared the thumbs serial numbers and… found no matching numbers (

Well, what I did later is identified all serial numbers of the USB drives ever attached to both systems and looked for matches - I found 5 of them. However, none of the found ones was assigned Z drive letter on 'old' system and G drive letter on 'new' system. 😯

My question is can I rely on the drive letters the lnk files point to? Or should I rather look for any USB drives connected to both 'old' and 'new' system, regardless of drive letters they had assigned?

I don't have those USB drives, of course - what I want to do is to suggest that the custodian drives should be examined looking for the questionable files the lnk files point to. However, I believe I need their serial numbers to prove they were connected to both systems. Does an assigned drive letter actually matter here? Or is it irrelevant as e.g. it can be changed/overwritten with a different one when reconnecting the USB drive?

I hope what I wrote is clear… Feel free to ask as many questions as you need. I would really appreciate your remarks here!

 
Posted : 25/09/2012 8:30 pm
evee
(@evee)
Posts: 7
Active Member
 

Hey,

there are some essential key points when investigating USB-drives.

First you need to have a look at a few registry keys. I would suggest using RegRipper to parse NTUSER.DAT and the SYSTEM hive. This should give you a similar overview to the external devices plugged in at some time.

Another method if you want to produce some nice output or be more the "visual type" I can suggest
http://www.nirsoft.net/utils/usb_devices_view.html

This will give you an aggregation.

Drive letters and serial nr. must not be unique or inter device compatible!
If a "no-name" device is connected and has no own serial nr., Windows will choose a random one (often led by zeros)

If you are looking for traces of data on those devices shellbags could be a good starting point.

 
Posted : 25/09/2012 9:09 pm
(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

I did use Nirsoft USBDeview and Windows Registry Recovery by MiTeC for my examination. But still I don't want to fully rely on Nirsoft tool and verify manually everything I can. I went through all keys I found relevant which were
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
and of course MountPoints2 in NTUSER.DAT )

My problem is what should I base on - shall I stick to the drive letters as reported in lnk files? Or just completely disregard them?

As to serial numbers - indeed some of the attached USB drives were apparently some ad-gadgets manufactured by some strange companies. For those either there was some S/N or no S/N but some Win-generated number. Only a few were branded ones and for those I can rely on S/Ns I believe.

 
Posted : 25/09/2012 9:25 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

My question is can I rely on the drive letters the lnk files point to? Or should I rather look for any USB drives connected to both 'old' and 'new' system, regardless of drive letters they had assigned?

You're going to have to look further in order to identify all devices connected to the systems in question. There are additional keys that are of importance in what you're attempting to determine.

Here's a good visual reference from SANS
http://computer-forensics.sans.org/blog/2009/09/09/computer-forensic-guide-to-profiling-usb-thumbdrives-on-win7-vista-and-xp/

I covered the process for identifying USB devices connected to a system in "Windows Forensic Analysis 2/e" (XP), as well as in "Windows Forensic Analysis Toolkit 3/e" (Win7).

HTH

 
Posted : 25/09/2012 9:26 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Also
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=6443
http://nabiy.sdf1.org/index.php?work=usbHistory
http://sourceforge.net/projects/usbhistory/

jaclaz

 
Posted : 25/09/2012 10:25 pm
(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

Thanks a lot to everybody for all of the above suggestions!

They assured me everything I did was correct in terms of data extraction. It looks like my problem is more in the interpretation part of the exercise - at least I wish it was like that… That's the rookie's problem - it's relatively easy to re-create certain activities but when it comes to interpreting the results….

Anyway - I can tell what devices were connected to each laptop and which of them were connected to both of them (though I'm concerned with those generic ones). But I'm not able to definitely tell that the files I'm looking for are/were at the USB thumb drive with specified serial - aren't I?

From what I read I understood that registry stores the letter that was assigned to a drive last time only, it doesn't store all letters it ever was mounted as. Thus - e.g. if a drive was mounted as Z and the files were accessed but then the drive was removed and mounted for the second time as let's say X but the same files were not accessed - the lnk file will keep 'old' drive (i.e. Z) but the registry will tell me that the drive was last time given X letter and will not remember that before it used to be assigned to Z. Ufff… Am I correct? )

 
Posted : 25/09/2012 10:57 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

.. Am I correct? )

Yes, but you can use available Restore Points (XP) or Volume Shadow Copies (Win7) to get historical information such as previous drive letter assignments.

 
Posted : 25/09/2012 11:02 pm
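To make the correlation the thread describes concrete, here is an added Python example. It is not code from any poster, nor from RegRipper or USBDeview; it assumes the relevant hive contents have already been exported into plain Python structures, and all serial numbers, ParentIdPrefix values, device IDs and the class GUID in it are constructed sample values. It shows the two steps from the opening post (resolving a MountedDevices drive letter to a USBSTOR serial on XP via ParentIdPrefix and on Win7 directly, then intersecting the serials seen on both systems) and the point Harlan makes above: a live hive keeps only the last letter a device received, so earlier assignments are recovered by feeding MountedDevices copies from Restore Points or Volume Shadow Copies through the same resolver in chronological order. The is_generated_serial check uses the documented convention that a Windows-generated instance ID (device reported no serial) has '&' as its second character.

```python
import re

# MountedDevices value data is a UTF-16LE device path.  Two shapes matter for USB sticks:
#   Win7:  \??\USBSTOR#Disk&Ven_X&Prod_Y&Rev_Z#SERIAL&0#{guid}  -> serial is in the path
#   WinXP: \??\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#{guid}   -> only the ParentIdPrefix
USBSTOR_RE = re.compile(r"^\\\?\?\\USBSTOR#(?P<device_id>[^#]+)#(?P<instance_id>[^#]+)#\{(?P<guid>[0-9a-fA-F-]+)\}$")
STORAGE_RE = re.compile(r"^\\\?\?\\STORAGE#RemovableMedia#(?P<pip>[^#]+?)&RM#\{(?P<guid>[0-9a-fA-F-]+)\}$")
DOSDEVICE_RE = re.compile(r"^\\DosDevices\\(?P<letter>[A-Z]):$")


def is_generated_serial(instance_id):
    """A device that reports no serial gets a Windows-generated instance ID whose second
    character is '&'; such IDs are per-system and cannot prove a physical match."""
    return len(instance_id) > 1 and instance_id[1] == "&"


def parse_mounted_value(raw):
    """Classify one MountedDevices value: USB-by-serial (Win7), USB-by-ParentIdPrefix (XP) or other."""
    text = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    m = USBSTOR_RE.match(text)
    if m:
        return {"scheme": "usbstor", "device_id": m["device_id"], "instance_id": m["instance_id"]}
    m = STORAGE_RE.match(text)
    if m:
        return {"scheme": "storage", "parent_id_prefix": m["pip"]}
    return {"scheme": "other", "text": text}


def resolve_drive_letters(mounted_devices, usbstor):
    """Map each \\DosDevices\\X: value to a USBSTOR instance ID (serial plus interface suffix).
    mounted_devices: {value_name: raw_bytes}
    usbstor: [{"device_id": ..., "instance_id": ..., "ParentIdPrefix": ...}, ...] (prefix is XP-only)
    A live hive keeps only the LAST letter a device was given."""
    by_pip = {d["ParentIdPrefix"]: d["instance_id"] for d in usbstor if d.get("ParentIdPrefix")}
    letters = {}
    for name, raw in mounted_devices.items():
        m = DOSDEVICE_RE.match(name)
        if not m:
            continue
        info = parse_mounted_value(raw)
        if info["scheme"] == "usbstor":
            letters[m["letter"]] = info["instance_id"]
        elif info["scheme"] == "storage":
            letters[m["letter"]] = by_pip.get(info["parent_id_prefix"])  # None if no USBSTOR match
    return letters


def devices_on_both(usbstor_a, usbstor_b):
    """Instance IDs present in both USBSTOR trees, split into real serials and generated ones."""
    common = {d["instance_id"] for d in usbstor_a} & {d["instance_id"] for d in usbstor_b}
    return {"unique": sorted(i for i in common if not is_generated_serial(i)),
            "generated": sorted(i for i in common if is_generated_serial(i))}


def letter_history(snapshots):
    """snapshots: chronological [(label, mounted_devices, usbstor)], e.g. one per Restore Point
    or Volume Shadow Copy plus the live hive.  Returns {instance_id: [(label, letter), ...]},
    recovering earlier letter assignments that the live hive has overwritten."""
    history = {}
    for label, mounted, usbstor in snapshots:
        for letter, iid in resolve_drive_letters(mounted, usbstor).items():
            if iid:
                history.setdefault(iid, []).append((label, letter))
    return history


# --- constructed sample data (not taken from any real system) ---------------------------
def u16(s):
    return s.encode("utf-16-le")

GUID = "53f56307-b6bf-11d0-94f2-00a0c91efb8b"
SANDISK = {"device_id": "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00", "instance_id": "0123456789AB&0"}
NONAME = {"device_id": "Disk&Ven_Generic&Prod_Flash&Rev_8.07", "instance_id": "6&2f4e9c1d&0&0000"}

OLD_USBSTOR = [dict(SANDISK, ParentIdPrefix="7&1a2b3c4d&0"), dict(NONAME, ParentIdPrefix="7&55667788&0")]
OLD_RESTORE_POINT = {"\\DosDevices\\Z:": u16(f"\\??\\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#{{{GUID}}}")}
OLD_LIVE = {"\\DosDevices\\X:": u16(f"\\??\\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#{{{GUID}}}"),
            "\\DosDevices\\C:": b"\x12\x34\x56\x78" + b"\x00" * 8}  # fixed-disk signature entry
NEW_USBSTOR = [SANDISK, NONAME]  # Win7: serial is in the instance ID, no ParentIdPrefix needed
NEW_LIVE = {"\\DosDevices\\G:": u16(f"\\??\\USBSTOR#{SANDISK['device_id']}#{SANDISK['instance_id']}#{{{GUID}}}")}

if __name__ == "__main__":
    print("old system, last letters:", resolve_drive_letters(OLD_LIVE, OLD_USBSTOR))
    print("new system, last letters:", resolve_drive_letters(NEW_LIVE, NEW_USBSTOR))
    print("seen on both systems:", devices_on_both(OLD_USBSTOR, NEW_USBSTOR))
    print("old system, letter history:",
          letter_history([("RP1", OLD_RESTORE_POINT, OLD_USBSTOR), ("live", OLD_LIVE, OLD_USBSTOR)]))
```

In the sample, the SanDisk stick resolves to Z: in the Restore Point copy but X: in the live hive, which is exactly why a lnk file pointing at Z: and a live MountedDevices showing X: are not a contradiction. The generic stick shows up in both USBSTOR trees with a generated ID and is reported separately, since that match does not establish it was the same physical device.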
(@fraudit)
Posts: 72
Trusted Member
Topic starter
 

Thanks Harlan!

I need to refresh certain parts of your publications. Even though I'm familiar with the restore points approach, the VSC is still a bit hard to me. That's another experience weakness - most of the systems I worked on (and there weren't that many of them) were XPs…

 
Posted : 25/09/2012 11:07 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Even though I'm familiar with restore points approaching, the VSC is still a bit hard to me.

Accessing VSCs is covered pretty well in Chapter 3 of "Windows Forensic Analysis Toolkit 3/e".

 
Posted : 25/09/2012 11:23 pm
evee
(@evee)
Posts: 7
Active Member
 

Accessing VSCs is covered pretty well in Chapter 3 of "Windows Forensic Analysis Toolkit 3/e".

I am sleeping with this book under my pillow… was one of my first DFIR books. Didn't know much about VSCs back then and it helped me a lot )

 
Posted : 25/09/2012 11:42 pm