USB Storage - Dates in Registry  

Cults14
(@cults14)
Active Member

OK, I'm pulling my hair out here. I need to know all the first and last dates possible for a USB storage device, from an E01 image.

I've tested on my own live system by plugging a USB device in (approx 10:35 (GMT) 5th May 2010) and safely removing, and noting the times. Then a couple of hours later (approx 12.21 GMT) plugging it back in again, copying a file to it, and safely removing. Then used FTK Imager to export the System file and analyse it using FTK Registry Viewer, and RegRipper.

Thing is, I've searched the whole hive in FTK Registry Viewer and all of the output from RegRipper using the Vendor (Freecom), Product (Databar), unique instance (AA04012700009213&0 - minus the &0), and Parent ID Prefix (7&51b13d1&0 - minus the &0).

And not one of the last written dates for any of the keys is anywhere near close - I mean at least a couple of hours out which is the first time I inserted the device today. I Shut Down and re-started and exported the System file again just in case - no difference though.

Last write times I'm getting are as follows
system\ControlSet002\Enum\USBSTOR\Disk&Ven_Freecom&Prod_DataBar_USB2.0&Rev_1100 - 02/10/2009 15:04:17 UTC

system\ControlSet002\Enum\USBSTOR\Disk&Ven_Freecom&Prod_DataBar_USB2.0&Rev_1100\AA04012700009213&0 - 05/05/2010 10:35:51 UTC

system\ControlSet002\Control\DeviceClasses\{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#RemovableMedia#7&51b13d1&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b} - 05/05/2010 10:35:51 UTC

system\ControlSet002\Control\DeviceClasses\{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#RemovableMedia#7&51b13d1&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}\# - 05/05/2010 10:35:51 UTC

system\ControlSet001\Control\DeviceClasses\{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#RemovableMedia#7&51b13d1&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b} - 05/05/2010 10:35:51 UTC

system\ControlSet001\Control\DeviceClasses\{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#RemovableMedia#7&51b13d1&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}\# - 05/05/2010 10:35:51 UTC

system\ControlSet001\Enum\STORAGE\RemovableMedia\7&51b13d1&0&RM - 05/05/2010 10:35:51 UTC

system\ControlSet001\Enum\STORAGE\RemovableMedia\7&51b13d1&0&RM\LogConf - 02/10/2009 15:04:17 UTC

I must be doing something basically wrong here? Can anyone point me in the right direction?

XP Pro SP3. I've checked that ControlSet002 was the last good known one, but have checked the whole of everything anyway. I read that the Last Write time of the keys in "HKLM\System\CurrentControlSet\Enum\USBSTOR\device class ID\unique instance ID" show when the device was last connected to the system - I am looking in the right place aren't I?

Thanks in advance to anyone who can help me out.

Posted : 05/05/2010 8:02 pm
Fab4
(@fab4)
Active Member

You need to review the data beneath subkeys {53f56307-b6bf-11d0-94f2-00a0c91efb8b} (disks) and {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (volumes) rather than {53f5630a-etc}.

When parsed with RegRipper you will note a timestamp which is a ‘last write’ time which indicates when the device was last inserted.

With the unique instance number noted therein, you can correlate that to the Enum\USBStor key to verify this last write time and establish a timestamp that the device was first inserted to the host.

Posted : 05/05/2010 9:53 pm
Fab4
(@fab4)
Active Member

In addition;

You can verify your findings perhaps (assuming that another device has not since been mounted as that volume letter) by checking the volume letter that the USB device was mounted at (via unique instance ID) by using RegRipper to rip the system hive, under subkey MountedDevices. Then review the internet history for traces of 'file:///', where the file name is the document that you accessed, listed at around the same time that your USB device was inserted. Also, take a look at LNK files perhaps - you may find reference to the volume letter therein.

Finally, how about the user profile's ntuser.dat hive…use RegRipper again to parse the RecentDocs subkey and other MRU lists.

Posted : 05/05/2010 10:09 pm
robtlee
(@robtlee)
New Member

From the guide I wrote

http://blogs.sans.org/computer-forensics/files/2009/09/USBKEY-Guide.pdf

For XP, the Last Time Device connected can only be found using the NTUSER/Software/Microsoft/Windows/CurrentVersion/Explorer/MountPoints2/{GUID} -> Perform search for Device GUID.

All those other locations do not show the last time the device was connected.

The First Time Device Connected after Last Reboot is the DeviceClasses Key or the USB/VID_XXXX&PID_YYYY

First time device connected can be found out of the setupapi.log file.

I would also recommend this tool to help.

http://www.woany.co.uk/usbdeviceforensics/

Let me know if you have any more questions.

Best,
Rob

Posted : 06/05/2010 2:53 am
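The correlation Fab4 and Rob describe above (MountedDevices value -> ParentIdPrefix -> drive letter and volume GUID -> MountPoints2 subkey in NTUSER.DAT) is easy to get wrong by hand, so here is an added Python example that does it mechanically. It is not code from the thread, from RegRipper or from Rob's guide. It assumes a hive parser has already handed back the MountedDevices values as (value name, raw bytes) pairs and the MountPoints2 subkey names with their last-write times; the sample values below are constructed for this example (only the ParentIdPrefix 7&51b13d1&0 and the device-class GUID are the ones quoted in the thread; the volume GUIDs, disk signature and times are made up).

```python
import re
import struct
from typing import Dict, List, Optional, Tuple

# --- Constructed sample data (not taken from the thread's hive) ------------
# MountedDevices values as a hive parser would return them: (value name, raw data).
# A USB removable-media volume is stored as a UTF-16LE device path that embeds the
# ParentIdPrefix (7&51b13d1&0 here, as in the thread); a fixed disk is stored as
# a 4-byte MBR disk signature followed by an 8-byte partition byte offset.
USB_DEVICE_PATH = r"\??\STORAGE#RemovableMedia#7&51b13d1&0&RM#{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}"
FIXED_DISK_VALUE = struct.pack("<I", 0x1A2B3C4D) + struct.pack("<Q", 0x7E00)  # invented signature/offset

SAMPLE_MOUNTED_DEVICES: List[Tuple[str, bytes]] = [
    (r"\DosDevices\C:", FIXED_DISK_VALUE),
    (r"\??\Volume{8d0f4a2e-5b1c-11df-a5e0-806d6172696f}", FIXED_DISK_VALUE),
    (r"\DosDevices\E:", USB_DEVICE_PATH.encode("utf-16-le")),
    (r"\??\Volume{c41a1c96-5850-11df-9f1b-0013ce3e2a5b}", USB_DEVICE_PATH.encode("utf-16-le")),
]

# Subkey names found under NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\
# Explorer\MountPoints2 with their key last-write times (constructed values).
SAMPLE_MOUNTPOINTS2: Dict[str, str] = {
    "{c41a1c96-5850-11df-9f1b-0013ce3e2a5b}": "2010-05-05 12:21:07 UTC",
    "E": "2010-05-05 12:21:07 UTC",
}
# ---------------------------------------------------------------------------

DOS_PREFIX = "\\DosDevices\\"
VOLUME_PREFIX = "\\??\\Volume"
STORAGE_RE = re.compile(r"STORAGE#RemovableMedia#(?P<prefix>[^#]+)&RM#\{(?P<class>[0-9A-Fa-f-]+)\}")


def decode_mounted_value(data: bytes) -> Optional[str]:
    """Return the device path held in a MountedDevices value, or None when the
    value is a fixed-disk signature/offset blob rather than a UTF-16LE string."""
    if len(data) < 4 or len(data) % 2:
        return None
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    text = text.rstrip("\x00")
    return text if text.startswith("\\??\\") else None


def parent_id_prefix(device_path: str) -> Optional[str]:
    """Pull the ParentIdPrefix (e.g. 7&51b13d1&0) out of a removable-media device path."""
    m = STORAGE_RE.search(device_path)
    return m.group("prefix") if m else None


def correlate(mounted: List[Tuple[str, bytes]], target_prefix: str) -> Dict[str, List[str]]:
    """Every drive letter and volume GUID in MountedDevices whose data names target_prefix.
    Registry names are case-insensitive, so the prefix is compared case-folded."""
    hits: Dict[str, List[str]] = {"drive_letters": [], "volume_guids": []}
    for name, data in mounted:
        path = decode_mounted_value(data)
        if path is None:
            continue  # fixed disk, not a removable-media device path
        prefix = parent_id_prefix(path)
        if prefix is None or prefix.lower() != target_prefix.lower():
            continue
        if name.startswith(DOS_PREFIX):
            hits["drive_letters"].append(name[len(DOS_PREFIX):])
        elif name.startswith(VOLUME_PREFIX):
            hits["volume_guids"].append(name[len(VOLUME_PREFIX):])
    return hits


def mountpoints2_times(hits: Dict[str, List[str]], mountpoints2: Dict[str, str]) -> Dict[str, str]:
    """Look each volume GUID up as a MountPoints2 subkey and return its last-write time.
    The GUID subkey names under MountPoints2 are the volume GUIDs from MountedDevices."""
    return {g: mountpoints2[g] for g in hits["volume_guids"] if g in mountpoints2}


if __name__ == "__main__":
    found = correlate(SAMPLE_MOUNTED_DEVICES, "7&51b13d1&0")
    print("MountedDevices hits:", found)
    print("MountPoints2 last-write:", mountpoints2_times(found, SAMPLE_MOUNTPOINTS2))
```

Two practical points the script bakes in: a MountedDevices value whose data is the 12-byte signature/offset form is a fixed disk and is skipped rather than mis-decoded, and the GUID you carry into MountPoints2 is the volume GUID from the `\??\Volume{...}` value name, which is what the OP found worked. What the last-write time of that MountPoints2 GUID subkey actually means is exactly what the later posts in this thread argue about; the script only performs the mapping and reports the time it finds.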
Cults14
(@cults14)
Active Member

Thanks for your input.

With the unique instance number noted therein, you can correlate that to the Enum\USBStor key to verify this last write time and establish a timestamp that the device was first inserted to the host

My understanding has been that setupapi.log is the only place to get the date of the first connection of a USB device to an XP host?

Rob - thanks. Have looked already at that document (have also got the one for drive enclosures), I was confused by the use of the terms "Volume GUID" (in MountedDevices) and "Device GUID"; these are the same thing right? Hope so, 'cos searching for the Volume GUID in MountPoints2 found the correct timestamp for the last connection time for the device.

I should perhaps explain that I'm a newbie with no peers at work to turn to for help, sometimes I feel a bit embarrassed about asking questions on this forum which I think more experienced people might see as being trivial. Thanks again, appreciate your assistance.

Posted : 06/05/2010 3:52 pm
Fab4
(@fab4)
Active Member

The First Time Device Connected after Last Reboot is the DeviceClasses Key or the USB/VID_XXXX&PID_YYYY

Thanks for your correction re last reboot on this point Rob, which may or may not be the last time that the USB device was inserted to the host.

First time device connected can be found out of the setupapi.log file.

Agreed. I was referring to use of RegRipper in replying to the OP on the point of when a device was first inserted to a host and I stand by my statement that this timestamp can be established and/or verified by reviewing the first timestamp noted beneath Enum\USBStor in most circumstances. I now recall an occasion where this timestamp was unreliable - it was obvious because all devices had timestamps within a second of each other. I've never got to the bottom of what circumstance(s) produced this situation, as it was not relevant to the case, but have casually wondered if it is related to an OS upgrade.

Therefore, yes, if the contents of setupapi.log remain it is preferable.

For XP, the Last Time Device connected can only be found using the NTUSER/Software/Microsoft/Windows/CurrentVersion/Explorer/MountPoints2/{GUID} -> Perform search for Device GUID.

Is this correct? I understand that, in relation to the GUID subkeys found beneath the MountPoints2 key, the last write time is in fact reflective of the time of its original creation and therefore cannot be used to determine the last time a device was connected, as suggested in your useful guide…

In a circumstance where the USB device of interest is historic and a subsequent device has been mounted with the same drive letter, I believe that the 2nd timestamp offered by RegRipper beneath the Enum\USBStor subkeys is a better indicator of when a device was last connected, notwithstanding that it is in fact accurately related to the first insertion since the last reboot.

The other sources of information that I mentioned in my previous posts may serve to corroborate this timestamp or otherwise.

Does anyone have a different approach to establishing a reliable time of last connection of a historic USB device?

Posted : 06/05/2010 10:05 pm
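Both Rob and Fab4 land on setupapi.log as the preferred source for the first-connection time on XP. As an added example (not code from the thread, from Rob's guide or from any of the tools mentioned), the following Python parses the `[date time pid Driver Install]` sections of an XP setupapi.log, pulls the device instance ID from the `#I124 Doing copy-only install of "..."` and `#I121 Device install of "..." finished successfully` lines, and keeps the earliest section time per instance. The sample log is constructed: the Freecom instance ID is the thread's, and its time is set so that the local-to-UTC conversion lands on the 02/10/2009 15:04:17 UTC last-write the OP saw on the USBSTOR key (the host is assumed to have been on UTC+1, BST, at the time); the other device and all other details are invented.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterator, List, Optional, Tuple

# --- Constructed sample setupapi.log (XP layout; not the OP's real file) ----
# Only USBSTOR\...\AA04012700009213&0 and the ParentIdPrefix 7&51B13D1&0 come from the
# thread. Times are local time, as XP writes them; here the host is assumed to be on BST.
SAMPLE_SETUPAPI_LOG = r"""[2009/10/02 16:04:17 1120.3 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskfreecom_databar_usb2.0_1100,usbstor\gendisk,gendisk
#-018 Searching for compatible ID(s): usbstor\disk,usbstor\raw
#I022 Found "GenDisk" in C:\WINDOWS\inf\disk.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".
#I124 Doing copy-only install of "USBSTOR\DISK&VEN_FREECOM&PROD_DATABAR_USB2.0&REV_1100\AA04012700009213&0".
#I121 Device install of "USBSTOR\DISK&VEN_FREECOM&PROD_DATABAR_USB2.0&REV_1100\AA04012700009213&0" finished successfully.
[2009/10/02 16:04:19 1120.3 Driver Install]
#-019 Searching for hardware ID(s): storage\removablemedia
#I124 Doing copy-only install of "STORAGE\REMOVABLEMEDIA\7&51B13D1&0&RM".
#I121 Device install of "STORAGE\REMOVABLEMEDIA\7&51B13D1&0&RM" finished successfully.
[2010/03/14 09:12:40 1568.7 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskexample_flash_1.00,usbstor\gendisk,gendisk
#I124 Doing copy-only install of "USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\0123456789AB&0".
#I121 Device install of "USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASH&REV_1.00\0123456789AB&0" finished successfully.
"""
# ---------------------------------------------------------------------------

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.+)\]$")
# #I121 / #I123 / #I124 lines quote the full device instance ID being installed.
INSTALL_RE = re.compile(r'^#I1(?:21|23|24) [^"]*"([^"]+)"')

Section = Tuple[datetime, str, List[str]]


def parse_sections(text: str) -> Iterator[Section]:
    """Yield (local timestamp, section title, body lines) for each [..] section."""
    current: Optional[Section] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if current is not None:
                yield current
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            current = (stamp, m.group(3), [])
        elif current is not None:
            current[2].append(line)
    if current is not None:
        yield current


def first_install_times(text: str, utc_offset_hours: float = 0.0) -> Dict[str, datetime]:
    """Earliest 'Driver Install' time per device instance ID, converted to UTC.
    setupapi.log is written in the host's local time, so the examiner supplies the
    offset that applied when the entry was written (DST changes matter)."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    first: Dict[str, datetime] = {}
    for stamp, title, lines in parse_sections(text):
        if title != "Driver Install":
            continue
        when = stamp.replace(tzinfo=local_tz).astimezone(timezone.utc)
        for line in lines:
            m = INSTALL_RE.match(line)
            if not m:
                continue
            instance = m.group(1).upper()  # the log upper-cases IDs; registry keys are mixed case
            if instance not in first or when < first[instance]:
                first[instance] = when
    return first


def lookup_usbstor(first: Dict[str, datetime], device_class_id: str, serial: str) -> Optional[datetime]:
    """Find a USBSTOR entry from the pieces seen in the registry:
    'Disk&Ven_..&Prod_..&Rev_..' and the unique instance ID without its '&0' suffix."""
    key = f"USBSTOR\\{device_class_id}\\{serial}&0".upper()
    return first.get(key)


if __name__ == "__main__":
    times = first_install_times(SAMPLE_SETUPAPI_LOG, utc_offset_hours=1)
    for inst, when in sorted(times.items(), key=lambda kv: kv[1]):
        print(when.isoformat(), inst)
    print(lookup_usbstor(times, "Disk&Ven_Freecom&Prod_DataBar_USB2.0&Rev_1100", "AA04012700009213"))
```

Run against a real image, the file is `%SystemRoot%\setupapi.log` on XP. Two things to keep in mind when you compare its output with registry last-write times: the log is local time while the hive times above are UTC, so the offset you pass must be the one in force on the date of the entry, not today's; and the earliest section is only a first-connection time for devices that present a serial number, since a device without one gets a fresh instance ID (and a fresh install section) per port.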