Folks, I have a case in which an employee copied intellectual property of her employer to a USB hard drive (Iogear ION) just before leaving that company to join a competitor. I can see the device listed by name in link files and jump lists. But it's not listed by name ("ION 1") in the Registry nor in the SetupAPI.dev.logs. Furthermore, no other external USB storage devices are listed by hard drive manufacturer for the period this person used the computer exclusively. Her mobile phones are listed as is an iPod. But nothing more. Other devices that had been attached to the machine before she took it are listed also.
I am suspecting that some sort of anti-forensic program was used. Am I going in wrong direction? Is the Register and SetupAPI file not reliable?
Any help or suggestions would be appreciated.
Have you looked at all the applications on the machine?
Recently opened files, network shortcuts, recent runs, IE/FF/Chrome history for other methods of file transfers? Temp folders, event logs, flash, java, etc apps?
Maybe it is not seen as a USB drive but as a USB <-> IDE bridge.
Assuming this is a Windows platform then check out HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices and see what devices are mapped to \DosDevices\ and that should give you a clue.
Alan
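Alan's MountedDevices suggestion can be worked offline against an exported hive. The following is an added Python example (my code, not posted by anyone in this thread) that decodes the three value layouts Windows writes under HKLM\SYSTEM\MountedDevices from constructed sample data, so a disk that arrived over eSATA/AHCI (enumerated under SCSI) or IDE is listed alongside the USBSTOR ones instead of being missed by a USB-only search. All key names, vendor strings and serials are hypothetical. One caveat is built in: \DosDevices\F: only holds the last device that owned F:, so earlier devices that used the same letter survive only in the \??\Volume{GUID} values.

```python
import struct
import uuid

# Device interface class GUID for disks (GUID_DEVINTERFACE_DISK); it ends the
# MountedDevices string for every PnP-enumerated disk volume.
DISK_CLASS_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

# Enumerator -> bus the disk physically hangs off. An eSATA disk on an AHCI
# controller is enumerated under SCSI (or IDE in compatibility mode), never USBSTOR.
BUS = {
    "USBSTOR": "USB mass storage",
    "SCSI": "SATA/AHCI (including eSATA) or SCSI",
    "IDE": "IDE/ATA (or SATA in IDE-compatibility mode)",
}


def interface_value(enumerator, device_id, instance):
    """Build the UTF-16LE string Windows stores for a PnP-enumerated disk volume."""
    path = "\\??\\%s#%s#%s#%s" % (enumerator, device_id, instance, DISK_CLASS_GUID)
    return path.encode("utf-16-le")


# Constructed sample of HKLM\SYSTEM\MountedDevices (hypothetical values, not taken
# from any real hive). Three layouts occur:
#   12 bytes             MBR volume: disk signature (LE DWORD) + partition byte offset (LE QWORD)
#   24 bytes "DMIO:ID:"  GPT volume: prefix + 16-byte partition GUID
#   UTF-16LE text        PnP disk: \??\<ENUMERATOR>#<device id>#<instance>#{class GUID}
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": struct.pack("<IQ", 0xA1B2C3D4, 1048576),
    # last device that owned F: (an earlier F: device is gone from this value)
    r"\DosDevices\F:": interface_value(
        "USBSTOR", "Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0101", "2GE1234&0"),
    # an AHCI/eSATA-attached disk: note the SCSI enumerator and generated instance id
    r"\DosDevices\G:": interface_value(
        "SCSI", "Disk&Ven_ST350041&Prod_8AS", "4&1a2b3c4d&0&010000"),
    # per-volume GUID entries persist after a letter is reused
    r"\??\Volume{0e1f2a3b-4c5d-6e7f-8091-a2b3c4d5e6f7}": interface_value(
        "USBSTOR", "Disk&Ven_Generic&Prod_External&Rev_0100", "SER00001&0"),
    r"\??\Volume{11112222-3333-4444-5555-666677778888}":
        b"DMIO:ID:" + uuid.UUID("9f8e7d6c-5b4a-3928-1706-f5e4d3c2b1a0").bytes_le,
}


def decode_mounted_device(value):
    """Decode one MountedDevices value into a dict describing the volume or device."""
    if len(value) == 12:
        signature, offset = struct.unpack("<IQ", value)
        return {"type": "mbr", "disk_signature": "%08x" % signature,
                "partition_offset": offset}
    if len(value) == 24 and value.startswith(b"DMIO:ID:"):
        return {"type": "gpt", "partition_guid": str(uuid.UUID(bytes_le=value[8:]))}
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError:
        return {"type": "unknown", "raw": value.hex()}
    if not text.startswith("\\??\\") or "#" not in text:
        return {"type": "unknown", "raw": value.hex()}
    parts = text[4:].split("#")
    if len(parts) < 3:
        return {"type": "unknown", "raw": value.hex()}
    enumerator, device_id, instance = parts[0], parts[1], parts[2]
    return {
        "type": "device",
        "enumerator": enumerator,
        "bus": BUS.get(enumerator, enumerator),
        "device_id": device_id,
        "instance": instance,
        # first field of the instance id is the hardware serial when the device
        # reports one; a '&' as the second character means Windows generated the id
        "serial": instance.split("&")[0],
        "has_serial": instance[1:2] != "&",
    }


def enumerate_disks(mounted):
    """Return (key, decoded) for every PnP-enumerated disk, whatever the bus."""
    out = []
    for key, value in mounted.items():
        info = decode_mounted_device(value)
        if info["type"] == "device" and info["device_id"].startswith("Disk"):
            out.append((key, info))
    return out


if __name__ == "__main__":
    for key, info in enumerate_disks(SAMPLE_MOUNTED_DEVICES):
        print(key, "|", info["bus"], "|", info["device_id"], "| serial:",
              info["serial"] if info["has_serial"] else "(none, generated id)")
```

To use it on a real case, export the MountedDevices key from the SYSTEM hive (or read it with a hive parser) into the same dict shape and call enumerate_disks; anything with a SCSI or IDE enumerator is the candidate the USBSTOR checklist would have walked past.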
Folks, I have a case in which an employee copied intellectual property of her employer to a USB hard drive (Iogear ION) just before leaving that company to join a competitor. I can see the device listed by name in link files and jump lists. But it's not listed by name ("ION 1") in the Registry nor in the SetupAPI.dev.logs.
This may be the case if the name that you're referring to ("ION 1") is the volume name.
Furthermore, no other external USB storage devices are listed by hard drive manufacturer for the period this person used the computer exclusively. Her mobile phones are listed as is an iPod. But nothing more. Other devices that had been attached to the machine before she took it are listed also.
I am suspecting that some sort of anti-forensic program was used. Am I going in wrong direction? Is the Register and SetupAPI file not reliable?
Have you looked for indications of the use of anti-forensic programs? If so, where. The Registry (not "Register") is generally very reliable with respect to the information that's there. Also, it doesn't sound as if you're looking at all of the available information that's in the Registry regarding attached devices. Based on what you've presented here, the device could very well be listed…you may simply be looking for the wrong thing.
I'm willing to assist, as much as you'd be willing to provide information.
HTH
Here is what I've analyzed thus far
SetupAPI.dev.log
HKEY/LocalMachine/System/CurrentControlSet/Enum/USBSTOR and USB
HKEY/LocalMachine/SYSTEM/CurrentControlSet/MountedDevices
Various Registry MRU Lists and the UserAssist Key
System Volume Information
Windows 7 Jump Lists (on both allocated and unallocated clusters)
Windows 7 Shortcut Files (on both allocated and unallocated clusters) - numerous link files pointing to employer data on Drive F:\ - identified by volume as ION 1 (ION 1 F:\Clients…, etc.).
Web browser records, specifically IE 8 History and Cache - accesses of employer files on Drive F
Webmail cache (on both allocated and unallocated clusters) - subject uses Yahoo Mail and she did in fact transfer employer data to herself this way
Outlook 2010 cache and .ost files
Partially overwritten and fragmentary data recovered from unallocated clusters.
So, I have a pretty good idea of what she transferred and where she transferred it - an external USB hard drive identified as "ION 1" on Volume F.
BUT, THERE AIN'T NO EXTERNAL USB HARD DRIVE LISTED IN THE REGISTRY OR IN THE SETUPAPI LOG FOR THE TIME PERIOD SHE USED THE COMPUTER!
Other external devices are listed (Seagate FreeAgent Go!, Seagate and Western Digital Hard Drives, USB flash memory keys) but these were all attached prior to the subject taking control of the computer. They belong to someone else. Her mobile phones are listed (RIM Blackberry and Apple iPhone) and an MP3 Player. But nothing else.
So I'm weighing the possibility that she used an anti-forensic program to wipe traces of her use of this device.
Has anybody ever heard of such a program?
I will look into the USB > IDE Bridge
I have not recovered any wiping programs from the image but I have also not reviewed the SOFTWARE hive either.
I don't suppose the computer has a firewire port on it?
I see the ION devices come in many flavors, including firewire connectivity, so you could be looking for a 1394 device?
Just a thought
No, it does not. But it does have an eSATA port right next to a USB port and I had overlooked that - I thought it was a broken USB port. Shame on me.
Any knowledge on how Windows 7 handles eSATA drives?
Just found an article at
http//
Lots of chatting about the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msahci setting and AHCI mode being enabled in the BIOS to allow eSATA devices to be correctly detected by Win7.
Careful of them rabbit holes though..
I'd be hammering the registry for things like UserAssist values (programs run, uninstallers run, etc), even looking for deleted reg keys, running a supertimeline, etc. You could easily spend hours looking for something related to the broken USB port. :)
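Following on the eSATA point, an added example (my own code, not from any poster in this thread) that parses the Windows 7 setupapi.dev.log section layout for hardware-initiated device installs and lists every disk-class install inside a date window regardless of enumerator, so a SCSI\Disk section written for an eSATA disk behind the AHCI driver is not skipped by a search that only greps for USBSTOR. The log excerpt is constructed; the device IDs, serials and timestamps are hypothetical. Caveat to keep in mind when reading the result: a section is written when the driver is installed for a device, so a disk first installed before the window shows no section inside it even if it was reconnected during the window.

```python
import re
from datetime import datetime

# Constructed excerpt in the Windows 7 setupapi.dev.log layout (hypothetical
# device IDs, serials and timestamps; not taken from any real machine).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0101\2GE1234&0]
>>>  Section start 2010/11/03 09:12:40.101
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2010/11/03 09:12:44.250
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\VID_1234&PID_5678\PHONE0001]
>>>  Section start 2011/04/20 18:05:02.000
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2011/04/20 18:05:06.512
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - SCSI\Disk&Ven_ST350041&Prod_8AS\4&1a2b3c4d&0&010000]
>>>  Section start 2011/05/02 14:22:31.456
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2011/05/02 14:22:35.123
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<id>[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)")
EXIT = re.compile(r"^<<<\s+\[Exit status: (?P<status>\w+)\]")
TS_FORMAT = "%Y/%m/%d %H:%M:%S.%f"

# Enumerators a disk can be installed under. Only USBSTOR is USB; an eSATA disk
# on an AHCI controller lands under SCSI, or under IDE in compatibility mode.
DISK_ENUMERATORS = {"USBSTOR", "SCSI", "IDE"}


def parse_setupapi(text):
    """Return one dict per hardware-initiated install section, in file order."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # device instance path: <ENUMERATOR>\<device id>\<instance id>
            enumerator, _, rest = m.group("id").partition("\\")
            device_id, _, instance = rest.partition("\\")
            current = {"enumerator": enumerator, "device_id": device_id,
                       "instance": instance, "start": None, "status": None}
            entries.append(current)
            continue
        if current is None:
            continue
        m = START.match(line)
        if m:
            current["start"] = datetime.strptime(m.group("ts"), TS_FORMAT)
            continue
        m = EXIT.match(line)
        if m:
            current["status"] = m.group("status")
            current = None  # section closed
    return entries


def disk_installs_between(entries, start_iso, end_iso):
    """Disk-class installs (any bus) whose section started inside [start, end]."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [e for e in entries
            if e["enumerator"] in DISK_ENUMERATORS
            and e["device_id"].startswith("Disk")
            and e["start"] is not None
            and start <= e["start"] <= end]


if __name__ == "__main__":
    installs = parse_setupapi(SAMPLE_LOG)
    for e in disk_installs_between(installs, "2011-01-01", "2011-06-30"):
        print(e["start"].isoformat(), e["enumerator"], e["device_id"], e["instance"])
```

Feed it the real C:\Windows\inf\setupapi.dev.log (and any setupapi.dev.*.log rollovers) and a window matching the employee's tenure; a hit with a SCSI or IDE enumerator is the trail to chase under Enum\SCSI or Enum\IDE rather than Enum\USBSTOR.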
David,
A couple of things…
As I'm sure you're well aware, the entries beneath the USBStor key aren't used to determine the last time (or the first time during the most recent boot session) that the USB device was plugged into the system.
From an investigative standpoint, if your goal is to verify if/when this "ION" device was connected to the system, there are a couple of things to consider.
The first thing I'd consider is this…how do you *know* that the device is a USB external HDD?
Second, you said that there were indications that she'd connected phones and an iPod to the system…I've found on my systems that if I connect a thumb drive that gets mounted to F:\, disconnect it and then connect another device, it gets mounted to F:\, which overwrites/obviates the first device being mounted as F:\, via the MountedDevices key. So, I wouldn't expect to find much there.
Did you find any indication of the device in the DeviceClasses subkey? How about in the "Windows Portable Devices" key in the Software hive? The EMDMgmt key?
Also, I had suggested earlier that if you do feel that an anti-forensics tool was used, did you look in the UserAssist subkeys and the MUICache key for indications of such a tool? Did you check the unallocated space within the Registry hive files for deleted keys?
Since this is apparently a Windows 7 system, have you mounted the image as a volume and accessed VSCs from the time frame in question (if they're available)? It's possible that a VSC was created after the device was attached and before an anti-forensics tool was run…if that's actually what happened (which may not be the case).
Do you have a checklist for USB device analysis?
Yeah, I've got that 9-step checklist and I followed it. I could get to Step 4 before the trail was lost, simply because the device is not there. I could actually walk it back from Step 9 but ran into the same hole around Step 6.
So, it's either NOT a USB device or something has happened.
I've been assuming that the drive is USB, but motivated by a question posted earlier, I discovered that there is an eSATA port right next to the USB port on this laptop.
Your additional suggestions sound good and I'm going to try them.