Pitfalls of Interpreting Forensic Artifacts in the Registry  

Page 3 / 4
pavel_gladyshev
(@pavel_gladyshev)
New Member

jaclaz,

I think I misunderstood initially what you meant by "normally". I think you meant "deterministic", in which case the crux of your criticism - if I understand it correctly - is this: undetectable faults are rare, their impact on forensics is negligible, and therefore thinking about them is essentially a waste of time.

My point is that hardware faults do happen. I am sure that you witnessed or at least heard of HDDs failing during evidence collection. In my experience hardware faults are not always easy to detect. Back in 2001 I developed a flash file system for a voice mail module of a mini-PABX by Lake Communications Ltd. About 6 months after the product launch, customers started to complain about peculiar sounds in some of the recordings that looked like a bug in the GSM voice compression algorithm. We checked our software and after three days the problem was traced to the use of a bad batch of flash memory chips that could not stand +40C inside the enclosure and added single bit errors to the data. The stored data looked pretty random (a bunch of coefficients), and we were unable to spot the problem by just looking at the hex dump of the data.

I am not saying that we need to predict the unpredictable - I do not think it is possible. I am saying that we should at least consider the impact of faults on our conclusions and not simply dismiss them as a superstition. Maybe all we need is better consistency checks? Maybe not.

My two pence.

Pavel

Posted : 05/11/2012 3:22 pm
jaclaz
(@jaclaz)
Community Legend

I guess that there is still some misunderstanding going on.
If you open NOTEPAD, give focus to it and press the "5" key (I love pressing the "5" key) on your Num Keypad with NumLock on, in the NOTEPAD window a digit 5 will appear.
You can try all the times that you want, "normally" this will happen.
If NumLock is off, nothing will appear in the NOTEPAD window.
You can try all the times that you want, "normally" this will happen.

If your baby just spewed some liquid on the keyboard, it is "possible" that when you press "5" either "6" or "#" or "@" or "*whatever*" will appear instead of "5".

If your dog chewed a bit on the keyboard cable , it is "possible" that when you press "5" either "6" or "#" or "@" or "*whatever*" will appear instead of "5".

If you have a wireless radio keyboard it is possible that your neighbour opening his garage door with his remote makes "&" appear on the NOTEPAD, or that the Bandit (from Smokey and the Bandit) is passing in front of your house at 120 Mph with a completely untuned but very powerful CB radio.

If the (Chinese) manufacturer of the keyboard did not clean the keyboard pads well enough, it is "possible" that when you press the "5" key a "9" will appear on NOTEPAD.

If the designer of the keyboard chip designed it poorly, he/she might have implemented a buffer that added 1 every 20K keypresses, only if the 20001st key press was a number, and you might get "6" on the NOTEPAD (when the chip overheats).

If a software manufacturer installs a "deviated" keyboard driver, "globally" (i.e. system wide) or "application specific", *anything* may happen.
As an example Office Excel Italian re-maps the "." (dot) key on the Num Keypad to "," (comma), as comma is the standard decimal separator in Italian.

Now, if you find a .txt with just a "5" in it "normally" it means that the user pressed the "5" key.
If you prefer, it is more likely that if a "5" is found it is the consequence of a press of key "5", and not the result of a dice roll (which actually gives 4 instead).

Thus, in practice (and IMHO), it is better to understand fully the "repeatable" consequences of pressing "5" and the actions that can have "normally" produced the "5" than spending time theorizing all the possible (infinite) ways the "5" could have come out EXCLUDING the press of the "5" key, and in the specific

With the regard to the apparent inconsistencies that I observed, it goes without saying that the data was always there. I think they just became easier for me to identify by automating the correlation of the data sets and observing them over time.

The behaviours observed were there, have always been there, will always be there, they are "normally" there, only they were NOT noticed before.

jaclaz

Posted : 05/11/2012 4:05 pm
pavel_gladyshev
(@pavel_gladyshev)
New Member

jaclaz,

thus, in practice (and IMHO), it is better to understand fully the "repeatable" consequences of pressing "5" and the actions that can have "normally" produced the "5" than spending time theorizing all the possible (infinite) ways the "5" could have come out EXCLUDING the press of the "5" key

Your point is crystal clear, but it does not really refute what I said in my previous post. I think we will just have to agree to disagree on it. -)

Thank you for taking the time to read my posts. I really enjoyed this little debate.

Pavel

Posted : 05/11/2012 4:15 pm
jaclaz
(@jaclaz)
Community Legend

Your point is crystal clear, but it does not really refute what I said in my previous post. I think we will just have to agree to disagree on it. -)

Thank you for taking the time to read my posts. I really enjoyed this little debate.

You are very welcome. )
But it wasn't meant to refute what you said, only to point out how IMHO it didn't specifically apply to the good work by Jacky.
Be aware of the RISK of "doctors agreeing"
http://reboot.pro/13601/page__st__75#entry119524

jaclaz

Posted : 05/11/2012 5:29 pm
jwyeager
(@jwyeager)
New Member

Jacky,

Can you please contact me at [email protected] ? thanks

Posted : 12/11/2012 10:58 pm
KPryor
(@kpryor)
Member

I finally got time to watch the video and am quite impressed. Very interesting and educational. Thank you for sharing your research and knowledge.

Ken

Posted : 13/11/2012 11:26 am
keydet89
(@keydet89)
Community Legend

Out of interest in the hives you have is a serial number recorded anywhere or do you believe that a USB storage device was installed without a serial number being registered? If they are sample hives rather than a users actual hives I would love look at them.

The hives in question are from my own system…I've connected several devices to it…specifically, a digital camera and my iTouch…that do not show up under the USBStor key. They do have serial numbers, so it's not a matter of whether or not a serial number was registered.

I think that questions raised by your dissertation can be addressed by taking another look at the process for not only determining devices that were connected to the system, but also for determining which user had access to those devices.

Posted : 13/11/2012 5:44 pm
JackyFox
(@jackyfox)
New Member

Thanks for coming back on my question. I can't comment on the digital camera as I don't know enough about it and probably wouldn't have that model here anyway. However I do have several iPods, both iOS and non-iOS. It is my experience that the non-iOS iPods have an option to "enable disk use" so that you can mount them and store files on them. These devices, when disk enabled, do show up in USBStor. The iOS iPods & iPhones I have don't give this option and don't show up as a storage device or mount as an Explorer volume, hence no entry in USBStor. I know that there are utilities around that will let you mount iOS devices; to date I haven't tested them, but I think in order for Explorer to see them they would probably need to mount in the conventional way and would have an entry in USBStor.

I suppose where I'm going with this is, if I connect a USB keyboard or headset I'll get an entry in Enum\USB. However if I attempt to mount a device for storage via Windows Explorer, I would expect an entry in USBStor. Out of interest, did you attempt to download/upload a file to your iPod touch without using iTunes? That would be really interesting if you have done that without mounting the drive. I think I have seen something about using iTunes file sharing to sync data that was made to look as if it was from specific apps; tracking this would have been outside the scope of my research though.

Posted : 14/11/2012 3:11 am
jaclaz
(@jaclaz)
Community Legend

Cannot say if useful, but there are at least two "ways" a USB "camera" or "music player" device can be connected to a Windows NT family OS.

One is the known "Mass Storage Device" or MSC - mass storage class, in which the device behaves exactly as if it was a USB stick or hard disk - the other one is MTP - Media Transfer Protocol, or PTP - Picture Transfer Protocol
http://en.wikipedia.org/wiki/Media_Transfer_Protocol
http://en.wikipedia.org/wiki/Picture_Transfer_Protocol

Of course USBstor is only connected to MSC connected devices.

jaclaz

Posted : 14/11/2012 3:18 pm
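As an added example (not code from the thread or from any of the posters), here is a small Python correlation of the kind Jacky describes automating: it walks constructed Enum\USB instance entries (with assumed sample Service values) and Enum\USBSTOR instance IDs and reports which devices left a mass-storage (MSC) trace, which did not (MTP/PTP/HID devices), and which carry Windows-generated instance IDs that cannot be matched by serial at all.

```python
# Added example, not from the thread. A real run would read these keys from
# the SYSTEM hive (e.g. with RegRipper); here they are constructed in memory.
from dataclasses import dataclass


@dataclass
class UsbDevice:
    vid_pid: str    # e.g. "VID_0781&PID_5567" under Enum\USB
    instance: str   # USB serial number, or a Windows-generated ID
    service: str    # "Service" value of the instance key (assumed sample)


# Constructed Enum\USB entries. Service names are assumed sample values.
ENUM_USB = [
    UsbDevice("VID_0781&PID_5567", "4C530001230808101234", "USBSTOR"),  # stick
    UsbDevice("VID_05AC&PID_129E", "a1b2c3d4e5f6a7b8c9d0", "WUDFRd"),   # iOS device
    UsbDevice("VID_046D&PID_C31C", "7&2a1b3c4d&0&1", "kbdhid"),         # keyboard
    UsbDevice("VID_13FE&PID_3600", "6&1f2e3d4c&0&2", "USBSTOR"),        # no-serial stick
]

# Constructed Enum\USBSTOR instance IDs. Windows appends "&0" to the USB
# serial; a device without a serial gets a generated ID whose second
# character is "&", so it cannot be tied to the Enum\USB entry by ID alone.
ENUM_USBSTOR = ["4C530001230808101234&0", "7&3abc1234&0"]


def has_serial(instance_id: str) -> bool:
    """True unless the ID is Windows-generated ('&' as second character)."""
    return len(instance_id) > 1 and instance_id[1] != "&"


def correlate(enum_usb, enum_usbstor):
    """Classify each Enum\\USB device by whether a USBSTOR trace exists."""
    serials = {i.split("&")[0] for i in enum_usbstor if has_serial(i)}
    report = {}
    for d in enum_usb:
        key = f"{d.vid_pid}\\{d.instance}"
        if not has_serial(d.instance):
            report[key] = "no serial: cannot match USBSTOR by ID"
        elif d.instance in serials:
            report[key] = "MSC: matching USBSTOR entry"
        elif d.service.upper() == "USBSTOR":
            report[key] = "USBSTOR service but no USBSTOR entry: inconsistent"
        else:
            report[key] = f"no USBSTOR entry; service {d.service}: not MSC"
    generated = [i for i in enum_usbstor if not has_serial(i)]
    return report, generated


if __name__ == "__main__":
    rep, gen = correlate(ENUM_USB, ENUM_USBSTOR)
    for k, v in rep.items():
        print(k, "->", v)
    print("USBSTOR entries with generated IDs:", gen)
```

The absence of a USBSTOR entry for the iOS device is thus expected rather than anomalous, which is the point jaclaz makes about MSC versus MTP/PTP connections.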
JackyFox
(@jackyfox)
New Member

Hi Jaclaz,

Thanks for that.

Do you know if any MTP device registry parsers exist? It would be interesting to pull all the MTP pieces from the registry and correlate them. I think there is data in Windows Portable devices along with Enum\USB on MTP devices and I'm sure other areas and device specific logs too. Still that's a whole other day's work……

Posted : 15/11/2012 12:28 am
jaclaz
(@jaclaz)
Community Legend

Hi Jaclaz,

Thanks for that.

Do you know if any MTP device registry parsers exist? It would be interesting to pull all the MTP pieces from the registry and correlate them. I think there is data in Windows Portable devices along with Enum\USB on MTP devices and I'm sure other areas and device specific logs too. Still that's a whole other day's work……

I guess you (I, we) opened a can of worms 😯 .
There are different settings (seemingly) in XP, Vista and 7 (and let's for the moment keep 8 aside) and in different versions of WMP, see
http://msdn.microsoft.com/en-us/library/windows/hardware/ff597687(v=vs.85).aspx
http://forum.xda-developers.com/showthread.php?t=1291293
and I guess that the same differences may be reflected in the Registry…

This is also something that may have some relevance
http://www.symantec.com/connect/forums/block-confidential-data-mobile-device-androidblackberryiphone#comment-7940181

This is "historical", but could also be of interest
http://www.directionsonmicrosoft.com/sample/DOMIS/update/2004/10oct/1004mpumsf_sb.htm

It seems like in Windows 7 the good MS guys have somehow "expanded" the protocol, with their "Device Experience", so it is possible that there is an additional set of data coming from a "responder" (if the peripheral/device also runs 7 in the "compact" version), see
http://blogs.windows.com/windows/archive/b/windows7/archive/2009/09/01/the-device-experience-in-windows-7-updated.aspx
(though the images seem not to be accessible anymore, as well as the "main" page, which now redirects to the "new, improved" Windows 8 Device experience)

http://msdn.microsoft.com/en-us/library/gg156287.aspx
http://msdn.microsoft.com/en-us/windows/hardware/gg463545.aspx

The specifications for MTP are seemingly public (or at least linked publicly from the MS site above)
http://www.usb.org/developers/devclass_docs/MTP_1.0.zip

It also seems that the protocol (or whatever) is very likely to get damaged by improper "Upper Filters", possibly installed by Windows Update itself, see
http://answers.microsoft.com/en-us/windows/forum/windows_7-hardware/getting-mtp-usb-device-failed-when-trying-to/232a42b4-b51c-47fe-962a-b390b8cde315?
https://discussions.apple.com/thread/3153566?start=0&tstart=0

I cannot seem to find (besides an actual parser) any good description/documentation of the whole set of registry keys affected by the connection of a (USB) MTP device and related drivers; it is like the whole Forensics community is ignoring this.
I could only find this "passing by" reference on the whole forum
http://www.forensicfocus.com/Forums/viewtopic/t=9404/start=0/

It could be a good topic for a new research/thesis….

jaclaz

Posted : 15/11/2012 1:28 am
keydet89
(@keydet89)
Community Legend

Do you know if any MTP device registry parsers exist?

What is an "MTP device registry"?

The first link that jaclaz pointed to was on a page beneath the WPD (Windows Portable Device) heading…there's a key for this in the Software hive.

From this link http://www.forensicfocus.com/Forums/viewtopic/t=9404/start=0/
Anyone have a "setup.dev.log" file on their system?

Posted : 15/11/2012 2:43 am
jaclaz
(@jaclaz)
Community Legend

The more I look into this, the more it seems to me a horror story. 😯

However someone 😉 has seemingly written a RegRipper plugin (to get at least drive letters)
http://windowsir.blogspot.it/2008/06/portable-devices-on-vista.html

Some more bits and pieces
http://www.blackviper.com/windows-services/portable-device-enumerator-service/
http://www.mobiletechworld.com/2010/11/18/use-your-windows-phone-7-device-as-a-portable-usb-drive/
http://support.creative.com/kb/ShowArticle.aspx?sid=83635
http://www.irongeek.com/i.php?page=security/locking-down-windows-vista-and-windows-7-against-malicious-usb-devices

This might also be of use (maybe)
http://opensource.creative.com/mtp_enum.html

jaclaz

Posted : 15/11/2012 2:38 pm
keydet89
(@keydet89)
Community Legend

jaclaz,

So you're saying that this MTP stuff you're talking about is synonymous with the Windows Portable Devices?

Posted : 15/11/2012 5:21 pm
jaclaz
(@jaclaz)
Community Legend

jaclaz,

So you're saying that this MTP stuff you're talking about is synonymous with the Windows Portable Devices?

Yep. Though as said it seems like there are differences between XP, Vista and 7 (and 8).

Cannot say how neat a plain MTP=WPD could be, though.

The same device may be seen as a Windows Portable Device and accessed through MTP/PTP, or seen as Mass Storage and accessed through MSC; I posted the link to the Creative site
http://support.creative.com/kb/ShowArticle.aspx?sid=83635
that seems to imply this.

If I get it right any device using MTP is part of WPD, but not all WPD devices use MTP (they could be a camera or whatever and use PTP instead).

Also I seem to understand that at least on 7 or 8 "normal" USB sticks are seen in Explorer as "Portable Device", and as well MTP devices, with a simple Registry Edit, can
http://www.ehow.com/how_6759114_access-zune-explorer.html
Particularly this
http://blogs.technet.com/b/juanand/archive/2010/12/10/playing-with-windows-phone-7-as-usb-storage.aspx
seems like a set of nice experiments

Also
http://msdn.microsoft.com/en-us/library/windows/apps/windows.devices.portable

jaclaz

Posted : 15/11/2012 6:41 pm