USB Removable Storage Devices  

Page 1 / 2
l600dan
(@l600dan)
New Member

Hi, I'm looking at a case (in EnCase v5.05c) and have noticed that a USB removable storage device was used. Does anyone know how I can tell WHEN this was first plugged in, OR get any other date-related info as to when it was last used, etc.?

Quote
Posted : 23/02/2007 2:50 pm
l600dan
(@l600dan)
New Member

Oops! Just realised there are other posts containing helpful info on this board. Only fools rush in….

ReplyQuote
Posted : 23/02/2007 3:33 pm
keydet89
(@keydet89)
Community Legend

Email me at keydet89 at yahoo dot com if you're still having trouble with it…this is covered in detail in my upcoming book.

H

ReplyQuote
Posted : 23/02/2007 5:09 pm
CI2019
(@ci2019)
Member

Book? wink

ReplyQuote
Posted : 24/02/2007 12:56 am
keydet89
(@keydet89)
Community Legend

Yes. I've blogged about it.

ReplyQuote
Posted : 25/02/2007 4:40 pm
OldDawg
(@olddawg)
Active Member

I'm looking forward to this book when it comes out, but in the mean time, there's a really good white paper on this site written by Nathan Weilbacher that explains a good bit.

ReplyQuote
Posted : 26/02/2007 5:05 am
keydet89
(@keydet89)
Community Legend

Jerry,

I found Nathan's paper on LNK files…where's his white paper on USB devices?

Thanks,

Harlan

ReplyQuote
Posted : 26/02/2007 5:37 am
steve862
(@steve862)
Active Member

Hi,

If this is a Windows computer then you might look for the setupapi.log file, which contains a log of devices being attached to the computer and Windows' attempts to install a driver for those devices. This file is really a mass of text, but you can of course search it using a keyword. This is a good way of getting a first-detected-by-Windows date (and most likely the install date).

The second thing you can do is look in the registry to establish what drive letter it was assigned, and look through the drive for records from the local file history access (index.dat). Any manual saving or opening of files (via clicking on them in Explorer) will be present here.

Steve

ReplyQuote
Posted : 26/02/2007 3:14 pm
keydet89
(@keydet89)
Community Legend

Steve,

> …look in the registry to establish what drive letter it was assigned…

Where in the Registry would one look for this?

Thanks,

H

ReplyQuote
Posted : 26/02/2007 4:19 pm
steve862
(@steve862)
Active Member

H,

In some cases it is easy, in cases where there are a lot of attached devices it can take some time and may become a process of elimination.

Having established the current control set (which "initialise case" in EnCase does), you browse under two keys: HKLM/System/ControlSetnnn/MountedDevices to see what drive letters have been assigned. The other keys to check are all under HKLM/System/ControlSetnnn/Enum. The name of the USB device as Windows has put it will be found under the USBSTOR key (although a user could configure a USB drive to act like a fixed disk, in which case it might not appear here). In simple cases the data contained under the relevant entries of these two keys, which is in Unicode, will match in some way. In cases where it does not, it becomes a case of trying to match up the other drive letters to the installed devices, and you are then left with one drive letter and the one (USB) device.

Where there are multiple partitions on a single hard drive it is possible to identify what drive letters were assigned to each partition by looking at the starting cluster of each partition and looking for the hex strings under MountedDevices that match. The calculation is [starting cluster x 2] converted to HEX. You then look for that hex value (running backwards, as it is little endian) within each drive letter under the MountedDevices key. By this process of elimination you can work out what drive letters remain. CD/DVD type devices are almost always very obvious, and of course some devices won't create a drive letter, such as some phones and cameras (they create their own file transfer/browser). Eventually you will be left with fewer devices and drive letters to match up, until they are all matched.

There is one side issue…..previous control sets might show the same device having been assigned a different drive letter at some point. It's a bit like the issue of how do we know the BIOS date and time were always correct.

If you work out the drive letter assigned to your USB pen drive, and you then find file access entries on the Windows partition relating to that drive letter (and perhaps the files on the USB drive match the entries on the Windows partition), then this would be the sort of evidence you would want to have to show the USB drive in use.

It's a bit of a difficult thread to explain, sorry if it hasn't read too smoothly. I guess this is why we still go on training courses so that people can show us rather than type in some instructions. I was shown the method of marrying up drive letters to devices and it still wasn't all plain sailing.

Steve

ReplyQuote
Posted : 26/02/2007 5:10 pm
keydet89
(@keydet89)
Community Legend

Steve,

Very good! I was probing to see how much folks had learned and picked up… your synopsis of what needs to be done is excellent. I've written similar explanations before and simply gotten tired of rewriting it over and over (someone could do a search on FF…hint, hint…) and decided to include it in my next book.

Here's the process in a nutshell:

1. The Enum\USBStor key (note to all: I sincerely hope that everyone knows how to determine the current control set from just the System file and doesn't rely solely on the EnCase EnScript) contains subkeys that are the device class IDs. You can search for these IDs in the setupapi.log file to see when the devices were *first* connected to the system.

2. The device class IDs contain a subkey for each device in that class, and that is a unique instance ID. The unique instance ID may be the serial number located in the device's device descriptor (you can view this with UVCView from MS, and no, it is not part of the memory area of the device). If the device doesn't have a serial number, the PnP Manager creates one, with a "&" as the _second_ character.

3. The unique instance ID key has a value called "ParentIdPrefix". Thumb drives will have this value, as will iPods and digital cameras. Fixed, external HDDs don't.

4. You can use the ParentIdPrefix to map a thumb drive to the drive letter to which it was mapped under the MountedDevices key.

5. You can use the serial number to map to the appropriate DeviceClasses subkey to see when the disk device was last connected to the system. You can also use the ParentIdPrefix value to map to the volume device and get the same info.

> …..previous control sets might show the same device having been assigned a different drive letter at some point.

This is true, particularly if multiple devices have been plugged into the system. This is why we use the ParentIdPrefix to map to the drive letter. Also, this is true, as well, for XP System Restore Points.

> I guess this is why we still go on training courses so that people can
> show us rather than type in some instructions. I was shown the method
> of marrying up drive letters to devices and it still wasn't all plain sailing.

I guess it depends upon the training. I'm giving a Windows forensic pilot in a couple of weeks and we go into this in detail…but not using EnCase. I want everyone to understand *how* this is done, and not be dependent upon a particular tool. That way, you not only understand it, but you understand things when they're different.

HTH,

ReplyQuote
Posted : 26/02/2007 5:42 pm
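As an added example (not code from any poster in this thread), the following Python script walks the correlation described in Steve's and Harlan's posts above: the Select\Current value names the control set, a removable-media entry under MountedDevices carries the ParentIdPrefix found under the Enum\USBSTOR instance key, and a 12-byte fixed-disk entry carries the disk signature and partition start offset little-endian, which is what the hex matching against partition geometry relies on. All registry data is constructed inline so it runs offline; the device names, serials, signatures and offsets are placeholders, not values from any real case.

```python
"""Correlate USBSTOR instance keys and partition geometry with MountedDevices.
All registry data below is constructed for an offline run; names, serials,
signatures and offsets are placeholders, not real case data."""
import struct

VOLUME_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"  # GUID_DEVINTERFACE_VOLUME

def control_set_name(select_current: int) -> str:
    """HKLM\\SYSTEM\\Select\\Current (REG_DWORD) names the control set in use."""
    return f"ControlSet{select_current:03d}"

def parse_mounted_device(raw: bytes) -> dict:
    """Classify one MountedDevices value.
    Fixed MBR volume: 12 bytes, little-endian 4-byte disk signature + 8-byte
    partition start offset in bytes.  Removable USB volume: UTF-16LE string
    \\??\\STORAGE#RemovableMedia#<ParentIdPrefix>&RM#{GUID}."""
    if len(raw) == 12:
        signature, offset = struct.unpack("<IQ", raw)
        return {"kind": "fixed", "signature": signature, "start_sector": offset // 512}
    text = raw.decode("utf-16-le", errors="replace")
    if "#RemovableMedia#" in text:
        instance = text.split("#")[2]  # e.g. "7&1a2b3c4d&0&RM"
        return {"kind": "removable", "parent_id_prefix": instance.rsplit("&", 1)[0]}
    return {"kind": "other", "text": text}

def correlate(usbstor: dict, mounted: dict, partitions: dict) -> dict:
    """Map each \\DosDevices\\X: entry to a USBSTOR instance or a known partition."""
    by_prefix = {v["ParentIdPrefix"]: k for k, v in usbstor.items() if "ParentIdPrefix" in v}
    result = {}
    for name, raw in mounted.items():
        if not name.startswith("\\DosDevices\\"):
            continue  # skip \??\Volume{...} aliases
        letter, info = name.rsplit("\\", 1)[1], parse_mounted_device(raw)
        if info["kind"] == "removable":
            result[letter] = by_prefix.get(info["parent_id_prefix"], "unmatched USB volume")
        elif info["kind"] == "fixed":
            key = (info["signature"], info["start_sector"])
            result[letter] = partitions.get(key, "unmatched partition")
    return result

# Constructed placeholders: Enum\USBSTOR\<device class id>\<unique instance id> -> values
USBSTOR = {
    "Disk&Ven_Example&Prod_Thumb&Rev_1.00\\0123456789ABCDEF&0": {"ParentIdPrefix": "7&1a2b3c4d&0"},
    "Disk&Ven_Example&Prod_ExtHDD&Rev_1.00\\5&2a2b2c2d&0&0": {},  # PnP-made ID ('&' 2nd char), no prefix
}
MOUNTED = {  # values are REG_BINARY
    "\\DosDevices\\C:": struct.pack("<IQ", 0x1234ABCD, 63 * 512),
    "\\DosDevices\\E:": f"\\??\\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#{VOLUME_GUID}".encode("utf-16-le"),
}
PARTITIONS = {(0x1234ABCD, 63): "disk 0 (signature 1234ABCD), partition starting at sector 63"}
```

Running `correlate(USBSTOR, MOUNTED, PARTITIONS)` maps E: to the thumb drive's USBSTOR instance and C: to the partition whose signature and start sector match; the external HDD without a ParentIdPrefix is, as Harlan notes, not reachable this way.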
OldDawg
(@olddawg)
Active Member

> Jerry,
>
> I found Nathan's paper on LNK files…where's his white paper on USB devices?
>
> Thanks,
>
> Harlan

Hmmm, you are correct. I was thinking of Nathan's LNK files paper…

ReplyQuote
Posted : 27/02/2007 4:52 am
keydet89
(@keydet89)
Community Legend

ah, okay. I thought I'd missed something.

Thanks,

H

ReplyQuote
Posted : 27/02/2007 5:03 am
elmurado
(@elmurado)
Junior Member

Hi Harlan,
When you say this here

Do you mean by using the values specified in
HKEY_LOCAL_MACHINE\SYSTEM\Select ?
Is this the same across all Windows OSes?

ReplyQuote
Posted : 27/02/2007 11:28 am
keydet89
(@keydet89)
Community Legend

elmurado,

For Windows NT and up (i.e., 2000, XP, 2003, etc.), yes, those are the same values for all versions.

You'd be surprised at the number of folks who do forensic analysis of Windows systems but don't know this.

H

ReplyQuote
Posted : 27/02/2007 4:46 pm