Pitfalls of Interpreting Forensic Artifacts in the Registry  

Page 4 / 4
JackyFox
(@jackyfox)
New Member

I wish I had the time to do some experiments with this at the moment. I think it would make a really good study to take some hives/logs from "fresh" installs and then connect up a range of MTP devices, attempt to transfer data by various means and see what traces are recorded.

Posted : 16/11/2012 2:38 am
keydet89
(@keydet89)
Community Legend

…connect up a range of MTP devices…

What, exactly, is an MTP device?

Posted : 16/11/2012 4:10 am
hmorgan
(@hmorgan)
Active Member

…connect up a range of MTP devices…

What, exactly, is an MTP device?

http://en.wikipedia.org/wiki/Media_Transfer_Protocol

Posted : 16/11/2012 2:15 pm
JackyFox
(@jackyfox)
New Member

What, exactly, is an MTP device?

jaclaz has pointed at some good reference material for this above.

For what it is worth, this is my understanding of it and why it's important. Media Transfer Protocol or Picture Transfer Protocol tends to be used in preference to MSC when digital rights management is an issue. When a USB device's primary function is to hold/synchronise data that may be subject to DRM, device manufacturers often select these protocols. They are more restrictive for data transfer and typically operate with proprietary software to allow synchronization or up/downloads of files. From what I understand, iOS, some Android devices and several camera manufacturers use MTP/PTP. I am using the phrase MTP device to describe a device that transfers data primarily over MTP.

I think this area appears to require further research, for example to track the traces left by these types of devices and possibly correlate any registry artefacts with logs. Questions like "are the files tracked by signature or just name type?" come to my mind. I think you will understand where I'm going with this.

Posted : 16/11/2012 6:08 pm
keydet89
(@keydet89)
Community Legend

I think you will understand where I’m going with this.

Not at all.

The references provided don't really help me understand, if I'm looking at a number of devices sitting on a table next to a Windows 7 laptop, which of those devices is, or might be, an MTP device. I agree that more testing is needed…but I'm a bit unclear as to how I could go about doing that testing.

Also, I see that your original question about Registry locations hasn't been addressed…

Posted : 16/11/2012 6:34 pm
jaclaz
(@jaclaz)
Community Legend

The references provided don't really help me understand, if I'm looking at a number of devices sitting on a table next to a Windows 7 laptop, which of those devices is, or might be, an MTP device.

Maybe connecting them to the Windows 7 laptop instead of leaving them sitting near it might help. wink

Seriously now, this link (already provided)
http://support.creative.com/kb/ShowArticle.aspx?sid=83635
contains this text:

Media Transfer Protocol (MTP) is a protocol and accompanying set of drivers developed by Microsoft to connect portable devices to a Windows XP PC and synchronize digital media content between those devices and the PC.

Mass Storage Class (MSC) is a set of computing communications protocols that run on the Universal Serial Bus. All Creative MSC players are flash-based devices. Not all MTP players are hard-disk based; some are flash based.

In Windows Device Manager, MSC Players are detected as USB Mass Storage Device while MTP players are detected as Portable Device.

an image titled "Detection of MSC"

and one titled "Detection of MTP"

that I thought were illustrative enough.

While I am rather familiar with "MSC devices" (USB hard disks or sticks, etc.) I am completely NOT familiar with MTP devices, which seem to be mainly

  • digital cameras
  • cellular phones or smartphones
  • MP3 or MP4 players and the like

(I actually seem to remember having had one such digital camera that came with such a bloated set of drivers/interface utility - and that was NOT accessible as USB mass storage device - that I quickly gave it away, buying instead another one that showed as "Mass Storage Device" - really cannot remember model/make of that one)

The same Creative link states that some of the devices (evidently MSC "by default") can be "upgraded to MTP", which seems to imply that you could have two identical devices next to your windows 7 laptop and one of them could be set as MSC and the other one "upgraded" to MTP.

jaclaz

Posted : 16/11/2012 10:55 pm
JackyFox
(@jackyfox)
New Member

but I'm a bit unclear as to how I could go about doing that testing.

I really wish I had the time to research this but unfortunately I don't at the moment. Maybe it would help if I told you how I think I would approach it?

I would try to devise a set of experiments, something along the lines of what I did with the USB MSC tests.

- Set up several fresh systems, different operating systems.
- Make a multi-partitioned USB boot device for collecting registry snapshots (detailed in my dissertation).
- Go through a step by step process of performing actions that I want to analyse and taking snapshots.

In this case I would probably take a snapshot => install an MTP/PTP device => snapshot => remove device => snapshot => reinstall device => snapshot => run whatever software is used to sync or up/download files => snapshot => possibly try and transfer files via another route => snapshot.

I would then use some control systems and do the same with MSC devices.

Once I had all my snapshots I would then analyse what artefacts I could identify/correlate that report MTP/PTP activity (I detail how I went about this for USB MSC activity in my dissertation). I would also see if I could find a single or combination of keys that would identify that MTP/PTP activity had occurred on a system and do some analysis of log activity on the system.

Armed with that information I think I would have a better idea what to look for and would use more fresh systems to do some complete image snapshots and look at the traces in that.

I hope this helps, I know it sounds like a lot of work and I'm sure the scope would grow as you progressed but I'm not sure that there are too many shortcuts.

Posted : 17/11/2012 8:57 pm
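The snapshot => action => snapshot workflow described in the post above is a differential analysis. As an added example that is not code from the thread or from the dissertation, the Python below diffs two registry snapshots exported in .reg text format and reports keys added or removed and values whose data changed between them. The key and value names in the constructed sample data (PLACEHOLDER_BUS, DEVICE_0001) are placeholders, not artifacts the thread identifies.

```python
import re
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data

def parse_reg(text):
    """Parse a .reg text export into {key_path: {value_name: raw_data}}."""
    hive, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = hive.setdefault(m.group(1), {})
            continue
        while line.endswith("\\") and i < len(lines):  # join hex continuation lines
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VAL_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            current[name] = m.group(2)
    return hive

def diff_snapshots(before_text, after_text):
    """Keys added or removed, and values whose data changed, between two snapshots."""
    before, after = parse_reg(before_text), parse_reg(after_text)
    changed = []
    for key in sorted(set(before) & set(after)):
        for name in sorted(set(before[key]) | set(after[key])):
            b, a = before[key].get(name), after[key].get(name)
            if b != a:
                changed.append((key, name, b, a))
    return {"added_keys": sorted(k for k in after if k not in before),
            "removed_keys": sorted(k for k in before if k not in after),
            "changed_values": changed}

# Constructed sample snapshots; PLACEHOLDER_BUS and DEVICE_0001 are not real artifacts.
BEFORE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PLACEHOLDER_BUS]
"Count"=dword:00000000
"""
AFTER = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PLACEHOLDER_BUS]
"Count"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PLACEHOLDER_BUS\DEVICE_0001]
"FriendlyName"="Example Portable Device"
"""
```

Running `diff_snapshots(BEFORE, AFTER)` reports the new DEVICE_0001 key and the changed Count value; the same function applied to real before/after exports gives the candidate artifact list to correlate with the logs.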
keydet89
(@keydet89)
Community Legend

Maybe connecting them to the Windows 7 laptop instead of leaving them sitting near it might help. wink

I would…if I knew what they were.

…that I thought were illustrative enough.

When I asked which devices these were, this was similar to Jacky's question regarding Registry keys. Pointing to processes or code for detecting such devices doesn't really address either question.

I am completely NOT familiar with MTP devices, which seem to be mainly

  • digital cameras
  • cellular phones or smartphones
  • MP3 or MP4 players and the like

Well, as I mentioned…I have seen what these "look like" on a system.

The same Creative link states that some of the devices (evidently MSC "by default") can be "upgraded to MTP", which seems to imply that you could have two identical devices next to your windows 7 laptop and one of them could be set as MSC and the other one "upgraded" to MTP.

And I think that the point that some of us have been trying to get to is that the "usual process" for detecting which MSC devices have been connected to a Windows system, after that system has been imaged/acquired, may be insufficient to fully detect MTP devices.

Posted : 18/11/2012 5:13 pm
keydet89
(@keydet89)
Community Legend

Going back to the more general title of the thread and dissertation, I see this is a very significant issue, and I think that it's great that Jacky brought it up. I know that too many times, I've seen reports where the existence of a file or folder path in the Registry is completely misinterpreted, largely because the analyst (as well as the senior analyst or supervisor reviewing their work) doesn't understand the nature and context of that artifact…what created or modified it, etc.

IMHO, Jacky's dissertation does a good job of pointing out that the widely accepted assumptions may not be entirely accurate. One of the pitfalls we face when analyzing computer-based data is that very often, we (as analysts) know too little about what actions or interactions had an effect on the artifact(s) in question. We can do testing based on hypotheses and replicate what we "see" in the data, but does that mean that this is the sum total set of actions that could have an impact or effect on that artifact? Not hardly.

Posted : 18/11/2012 6:30 pm