3. What you need to know before
you start
As with any forensic investigation; you
really need to know what you are looking
for!
◦ What is the scenario?
◦ Are you looking to prove/disprove something?
◦ Do you have any details around the USB device?
◦ What is the end goal?
◦ Proof that IP was stolen?
◦ Illegal content of the device?
◦ Exploratory ?
◦ Additional details?
◦ Computer name?
◦ Time-zone?
◦ User level?
◦ Time since last rebuild?
◦ Any other relevant details about the user?
4. Scenario
•Scrooges Crutches Ltd want us to look into Timmy
Cratchet
•A USB stick belonging to Timmy was discovered and
has Intellectual Property on it
•Scrooge only uses authorised USB devices
•Timmy’s machine should only have one USB storage
device used
5.
6. Identifying the Device Serial
Number in the USBSTOR
The USBSTOR key contains all of the USB Storage Devices
registered on the machine.
• Located within the SYSTEM hive
– SYSTEMCurrentControlSetEnumUSBSTOR
• Each Key may contain more than one device
– The sub-keys contain the Serial Number of that device
– All Serial numbers end with either &0 or &1
– Serial numbers where the second character is a & are
serial number issued by Windows and unique to this
machine only
8. VID & PID
The Vendor ID and Product ID can be
used to help identify the USB device
◦ Located in the following key
◦ SYSTEMCurrentControlSetEnumUSB
◦ The final &0 is removed from the key
◦ The VID & PID can now be used to
identify the device
◦ www.linux-usb.org/usb.ids
◦ The last write time of this Key will show
the first time that device was plugged in
150905003932A302&0
92B0564A&0
39210000447F59BD0002DA9ADF2159BD&0
2GE4D91T&0
13. Volume Serial Number
• The Volume Serial Number information is stored in the following key
◦ SOFTWAREMicrosoftWindows NTCurrentVersionEMDMgmt
◦ This key was originally designed for use with ReadyBoost (Vista +)
◦ Machines deemed too fast for ReadyBoost will not have any data in this key
◦ Usually if an SSD drive is installed
◦ ReadyBoost also enable SuperPreFetch and Auto Defrag which significantly reduce the lifespan of an
SSD
◦ As such if an SSD is present on a Windows 7 system ReadyBoost is disabled
◦ A Windows 8 System will test the performance first
14. Volume Serial Number (2)
• If the machine has ready boost enabled the following artefacts will be present:
◦ Use the Serial Number in the Key name to identify the correct device
◦ The last section of the key will show the Volume ID in Base10
◦ The Volume ID needs to be in Hex
◦ The Volume Serial Number is changed each time the device is formatted
◦ How do you know if the device has been formatted?
◦ There will be a duplicate key with a different Volume Number (and possibly Volume Name)
16. Determining the Last Drive
Letter
◦ The last drive letter is held under the following Key
◦ SYSTEMMounted Devices
◦ Each drive letter will be listed in this key
◦ The Data for the drive letter will have an ASCII description of the device
◦ As well as a GUID, which relates back to the EMDMgmt Key
17. Determining the Last Drive
Letter
◦ The last drive letter is held under the following Key
◦ SYSTEMMounted Devices
◦ Each drive letter will be listed in this key
◦ The Data for the drive letter will have an ASCII description of the device
◦ As well as a GUID, which relates back to the EMDMgmt Key
18. VID 1E3D PID 2093
150905003932A302&0
92A7-D861
TIMMYSSTICK
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
b5c6ea66-6779-11e4-824e-000c29f9767d E:
27th Oct 2014 @ 10:37 UTC
19. Which user account accessed
the USB device?
◦ Each user has a local registry file called NTUser.dat
◦ The key used for identifying USB Devices is
◦ NTUser.datSoftwareMicrosoftWindowsCurrentVersionExplorerMountpoints2{GUID}
◦ The existence of this GUID within the user’s NTUser.dat proves that the USB
device was plugged in while this user was logged on.
20. VID 1E3D PID 2093
150905003932A302&0
92A7-D861
TIMMYSSTICK
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
b5c6ea66-6779-11e4-824e-000c29f9767d E:
27th Oct 2014 @ 10:37 UTC
21. First/Last time plugged in?
◦ When a new device is installed onto the system a log file is appended to
◦ Setupapi.dev.log
◦ Setupapi.log (Windows XP)
◦ The setupapi.dev.log file is located in %WINDIR%inf
22. VID 1E3D PID 2093
92A7-D861
TIMMYSSTICK
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
b5c6ea66-6779-11e4-824e-000c29f9767d E:
27th Oct 2014 @ 10:37 UTC
27th Oct 2014 @ 09:09 GMT
150905003932A302&0
23. Summary Report
A USB Device, a Chipsbank Microelectonics CBM209x, with a serial number
150905003932A302 was plugged at 27th Oct 2014 @ 09:09 GMT for approximately
90 minutes; it was last seen at 27th Oct 2014 @ 10:37 UTC. The device had a
Volume Name or ‘label’ of TIMMYSSTICK, it is almost certain that the drive letter
used was E: and user TIMMY was the only account to have encountered this device.
It is recommended a timeline is created of the machine for those 90 minutes to
determine what data, if any, was copied or moved to the device.
As a consultant I can do this for you…..
…..let’s talk day rates