USB storage device - last connected

Cults14
(@cults14)
Active Member

Using Rob Lee's guide to profiling Windows 7 USB Keys/Thumbdrives, in order to determine the last connected time of a device step 9 states (as one option) to record the date/time of registry key SYSTEM\CurrentControlSet\Enum\USB\VID_XXXX&PID_YYYY

On a Win7 Enterprise SP1 system I'm examining, there are many keys under SYSTEM\CurrentControlSet\Enum\USB, starting with
SYSTEM\ControlSet001\Enum\USB\VID_0000&PID_0000\6&3189bb0f&0&2 and ending with SYSTEM\ControlSet001\Enum\USB\VID_8644&PID_8003\0351400000002218

There are some 35 devices listed under SYSTEM\CurrentControlSet\Enum\USBStor, all of which have corresponding entries in SYSTEM\CurrentControlSet\Enum\USB\

Thing is, all but four of the entries in SYSTEM\CurrentControlSet\Enum\USB\ are dated Mar 5th 2014 @ 194941 - the other four are all dated 7th Mar 2014 although not all with the same time

Can anyone point me in the right direction to understand how these keys all get the same last write time?

Have used TZWorks utility and double-checked using AccessData Registry Viewer

Cheers

P.S. I haven't looked at the other option Rob Lee suggests - yet

Posted : 25/04/2014 10:08 pm
jhup
(@jhup)
Community Legend

Check to see if there was an update/patch/fix to the target with the same date/time stamp as the majority of the keys in question have. I have seen fixes touch numerous keys' date/time.

Posted : 25/04/2014 10:50 pm
Cults14
(@cults14)
Active Member

Check to see if there was an update/patch/fix to the target with the same date/time stamp as the majority of the keys in question have. I have seen fixes touch numerous keys' date/time.

Thanks, will try on Monday, am away this weekend


Posted : 26/04/2014 3:04 am
Cults14
(@cults14)
Active Member

Have checked Windows Logs (Application, Security, Setup, System, Forwarded) and can't see anything close (within a minute or so) to the timestamps in question.

Have also checked all the other Microsoft-Windows logs (the ones nested in Event Viewer)

Only things remotely close (circa 1 minute away) are event 7036 in System, all of which relate to Computer Browser entering started/stopped states, which I don't believe is related.

And I have confirmed that I've reconciled differences between registry last write times in UTC and Event Logs in local time (Mountain Standard, no daylight savings).

Anyone got any more thoughts? Am running some tests on USB flash drive and USB Enclosure hoping to find more indicators of last connection time, looking at Microsoft-Windows-DriverFrameworks-UserMode for the moment

Cheers

Posted : 28/04/2014 10:02 pm
ntexaminer
(@ntexaminer)
Junior Member

You should find indicators of flash drive connections and disconnections in the Microsoft-Windows-DriverFrameworks-UserMode/Operational event log on a Windows 7 system (assuming this logging is not disabled). I wrote a little bit about this here and released a batch script for parsing the event log using Log Parser here. If the time frame you're interested in is fairly recent, you may be able to find the events you're after in the current log. You could also check previous versions in the VSCs if your time frame isn't included in the active log.

Hope that helps.

Posted : 28/04/2014 11:35 pm
Cults14
(@cults14)
Active Member

You should find indicators of flash drive connections and disconnections in the Microsoft-Windows-DriverFrameworks-UserMode/Operational event log on a Windows 7 system (assuming this logging is not disabled). ………….
Hope that helps.

Yes, just looked at that yesterday afternoon and this morning, and did some tests on one branded flash drive where I compared actions with logged events and am reasonably happy that Event IDs 2010 and 2102 provide indicators of successful connection and disconnection (Safely Remove, Unplug, and Shutdown) respectively. Will look at the links you provided, thanks.

Is there a similar log for USB HDs? I've done some searching and while this link suggests there is, I don't find what the proposer suggests

FYI I seldom get my hands on actual external devices, I am often asked to provide an opinion (based on a Windows system or image thereof) about whether and when external storage devices were connected and if possible what they were used for. I'm OK for LNK, MRU Lists (file and application) and JumpLists; and generally am OK with the kind of info that TZWorks, Woan software and others have provided parsers for; still struggling to come to terms with ShellBags though, as Harlan and others know.

Cheers

Posted : 29/04/2014 5:16 pm
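The two posts above (ntexaminer's pointer to Microsoft-Windows-DriverFrameworks-UserMode/Operational and Cults14's finding that Event IDs 2010 and 2102 mark successful connection and disconnection) describe a pairing procedure that is easy to get wrong at the edges: a connect with no matching disconnect (device still attached when the image was taken, or a log gap), a disconnect with no preceding connect (log rolled over), and the UTC-versus-local offset the examiner had to reconcile. The script below is an added example, not code from the thread or from any poster's tools. Its input is a constructed, simplified XML record layout (the `UserData/Instance` element is an assumption; a real export nests the device instance path in an event-specific element, so adapt the extractor), the 2010/2102 mapping is taken from the thread rather than asserted independently, and the local zone is Mountain Standard with no DST, as Cults14 states.

```python
"""Pair UMDF connect/disconnect events per USB device and derive the last connection.

Added example. The XML layout below is a constructed, simplified stand-in for an export
of Microsoft-Windows-DriverFrameworks-UserMode/Operational; the 'UserData/Instance'
lookup is an assumption to adapt to a real export.  Event IDs 2010/2102 are used as the
connection/disconnection indicators because the thread reports that from its own tests.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

EVENT_CONNECT = 2010     # connection indicator (per the thread's testing)
EVENT_DISCONNECT = 2102  # disconnection: Safely Remove, unplug, shutdown (per the thread)
MST = timezone(timedelta(hours=-7))  # Mountain Standard, no DST, as stated in the thread

# Constructed sample export, not a real log.  SystemTime is UTC, like registry LastWrite
# values; Event Viewer shows local time, which is where the examiner's offset came in.
SAMPLE_XML = """<Events>
 <Event><System><EventID>2010</EventID><TimeCreated SystemTime="2014-03-05T19:49:41Z"/></System>
  <UserData><Instance>USB\\VID_8644&amp;PID_8003\\0351400000002218</Instance></UserData></Event>
 <Event><System><EventID>2003</EventID><TimeCreated SystemTime="2014-03-05T19:49:42Z"/></System>
  <UserData><Instance>USB\\VID_8644&amp;PID_8003\\0351400000002218</Instance></UserData></Event>
 <Event><System><EventID>2102</EventID><TimeCreated SystemTime="2014-03-05T20:30:00Z"/></System>
  <UserData><Instance>USB\\VID_8644&amp;PID_8003\\0351400000002218</Instance></UserData></Event>
 <Event><System><EventID>2102</EventID><TimeCreated SystemTime="2014-03-06T09:00:00Z"/></System>
  <UserData><Instance>USB\\VID_1234&amp;PID_9999\\CONSTRUCTED0002</Instance></UserData></Event>
 <Event><System><EventID>2010</EventID><TimeCreated SystemTime="2014-03-07T15:12:03Z"/></System>
  <UserData><Instance>USB\\VID_8644&amp;PID_8003\\0351400000002218</Instance></UserData></Event>
 <Event><System><EventID>2102</EventID><TimeCreated SystemTime="2014-03-07T16:00:00Z"/></System>
  <UserData><Instance>USB\\VID_8644&amp;PID_8003\\0351400000002218</Instance></UserData></Event>
 <Event><System><EventID>2010</EventID><TimeCreated SystemTime="2014-03-07T18:05:00Z"/></System>
  <UserData><Instance>USB\\VID_1234&amp;PID_5678\\CONSTRUCTED0001</Instance></UserData></Event>
</Events>"""


def parse_events(xml_text):
    """Return (utc_datetime, event_id, instance_path) tuples, oldest first."""
    events = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        system = ev.find("System")
        event_id = int(system.findtext("EventID"))
        raw = system.find("TimeCreated").get("SystemTime")
        ts = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, event_id, ev.findtext("UserData/Instance")))
    events.sort()
    return events


def build_sessions(events):
    """Map instance path -> list of (connect, disconnect); either side may be None."""
    by_device = defaultdict(list)
    for ts, event_id, instance in events:
        if event_id in (EVENT_CONNECT, EVENT_DISCONNECT):  # ignore other UMDF noise
            by_device[instance].append((ts, event_id))
    sessions = {}
    for instance, evs in by_device.items():
        out, open_connect = [], None
        for ts, event_id in sorted(evs):
            if event_id == EVENT_CONNECT:
                if open_connect is not None:          # two connects in a row: no disconnect logged
                    out.append((open_connect, None))
                open_connect = ts
            else:                                     # disconnect; open_connect None = log gap
                out.append((open_connect, ts))
                open_connect = None
        if open_connect is not None:                  # still attached at end of log/image
            out.append((open_connect, None))
        sessions[instance] = out
    return sessions


def last_connected(sessions):
    """Latest connect time per device in UTC, or None if only disconnects were logged."""
    return {inst: max((c for c, _ in sess if c is not None), default=None)
            for inst, sess in sessions.items()}


def to_local(ts, tz=MST):
    """Convert a UTC timestamp to the examiner's local zone for comparison with Event Viewer."""
    return ts.astimezone(tz)


if __name__ == "__main__":
    sessions = build_sessions(parse_events(SAMPLE_XML))
    for inst, last in sorted(last_connected(sessions).items()):
        shown = to_local(last).isoformat() if last else "unknown (disconnect only; log gap)"
        print(f"{inst}: last connected {shown}; sessions={sessions[inst]}")
```

A device whose only record is a 2102 is reported as "unknown" rather than guessed at; the disconnect still proves it was attached before that time, which is worth stating separately in a report. Run against a real export, the events at either end of the log window are the ones to treat with most care, since the first or last session is the one most likely to be truncated.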
keydet89
(@keydet89)
Community Legend

Using Rob Lee's guide to profiling Windows 7 USB Keys/Thumbdrives, in order to determine the last connected time of a device step 9 states (as one option) to record the date/time of registry key SYSTEM\CurrentControlSet\Enum\USB\VID_XXXX&PID_YYYY

I found this
https://blogs.sans.org/computer-forensics/files/2009/08/usb_device_forensics_vista_win7_guide.pdf

Note that it has only 7 steps.

On a Win7 Enterprise SP1 system I'm examining, there are many keys under SYSTEM\CurrentControlSet\Enum\USB, starting with
SYSTEM\ControlSet001\Enum\USB\VID_0000&PID_0000\6&3189bb0f&0&2 and ending with SYSTEM\ControlSet001\Enum\USB\VID_8644&PID_8003\0351400000002218

There are some 35 devices listed under SYSTEM\CurrentControlSet\Enum\USBStor, all of which have corresponding entries in SYSTEM\CurrentControlSet\Enum\USB\

Thing is, all but four of the entries in SYSTEM\CurrentControlSet\Enum\USB\ are dated Mar 5th 2014 @ 194941 - the other four are all dated 7th Mar 2014 although not all with the same time

Can anyone point me in the right to direction to understand how these keys all get the same last write time?

This is actually a pretty common occurrence. I saw that someone suggested looking for an update, and I saw your responses. I would suggest that rather than looking just in the Windows Event Logs, craft a full timeline (include EVTX records AND file system metadata), and I think you'll likely see file creations/modifications.

For the last connected times, did you look at the subkeys under the DeviceClasses keys, and get the LastWrite times?

Also, something I've found to be very fruitful is to create that full timeline; in one particular instance, I had a piece of malware on a system, and was being told that everyone who'd seen that on systems before had found it to be the result of spear phishing…I found that on the system I was looking at, the user had connected a thumb drive and installed the malware from that device.

Posted : 29/04/2014 5:31 pm
Cults14
(@cults14)
Active Member

I found this
https://blogs.sans.org/computer-forensics/files/2009/08/usb_device_forensics_vista_win7_guide.pdf

Note that it has only 7 steps.

Bearing in mind internal metadata and also the URLs of those two documents (one refers to Aug 09, the other to Sep 09), which one would you suggest a relative rookie could/should use as a template?

This is actually a pretty common occurrence. I saw that someone suggested looking for an update, and I saw your responses. I would suggest that rather than looking just in the Windows Event Logs, craft a full timeline (include EVTX records AND file system metadata), and I think you'll likely see file creations/modifications.

For the last connected times, did you look at the subkeys under the DeviceClasses keys, and get the LastWrite times?

Yes am aware of the DeviceClasses keys and relevance, was just wondering what caused the simultaneous timestamps I referred to earlier.

Maybe I've misunderstood your response about file system metadata. I have the metadata I need for JumpLists et al; if you mean metadata from what in XP would have been Windows Update logs (filename starting KB, exact location I can't recall and don't have access to an XP system at the moment) - I haven't found equivalents of these in Win7 and would be happy to receive any assistance.

Some of this is a diversion from my original challenge (identify external media used and any files accessed on it), as the DeviceClasses keys provide an alternative option and EMDMgmt thankfully provides a link to the Volume Serial Numbers which various parsers pull from JumpLists and LNKs. Job is done, I just wanted to understand the concurrent timestamps in USB and also now would like to know the location of any Windows updates support files which relate to the WindowsUpdateClient details in System log.

Cheers

Posted : 29/04/2014 9:05 pm