Investigating USB Devices On Windows 7 & 8
BSIDES LONDON 2015
Whoami?
What you need to know before you start
As with any forensic investigation, you really need to know what you are looking for!
◦ What is the scenario?
◦ Are you looking to prove/disprove something?
◦ Do you have any details around the USB device?
◦ What is the end goal?
  ◦ Proof that IP was stolen?
  ◦ Illegal content on the device?
  ◦ Exploratory?
◦ Additional details?
  ◦ Computer name?
  ◦ Time-zone?
  ◦ User level?
  ◦ Time since last rebuild?
  ◦ Any other relevant details about the user?
Scenario
• Scrooges Crutches Ltd want us to look into Timmy Cratchet
• A USB stick belonging to Timmy was discovered and has Intellectual Property on it
• Scrooge only uses authorised USB devices
• Timmy's machine should only have had one USB storage device used on it
Identifying the Device Serial Number in the USBSTOR
The USBSTOR key contains all of the USB storage devices registered on the machine.
• Located within the SYSTEM hive
  – SYSTEM\CurrentControlSet\Enum\USBSTOR
• Each key may contain more than one device
  – The sub-keys contain the Serial Number of that device
  – All serial numbers end with either &0 or &1
  – Serial numbers where the second character is a & are serial numbers issued by Windows and unique to this machine only
Example serial-number sub-keys:
150905003932A302&0
92B0564A&0
39210000447F59BD0002DA9ADF2159BD&0
2GE4D91T&0
Example device keys (the parents of those sub-keys):
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07
Disk&Ven_Samsung&Prod_U5&Rev_0100
Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142
VID & PID
The Vendor ID and Product ID can be used to help identify the USB device
◦ Located in the following key
  ◦ SYSTEM\CurrentControlSet\Enum\USB
◦ The serial number appears here without the final &0 of the USBSTOR sub-key
◦ The VID & PID can now be used to identify the device
  ◦ www.linux-usb.org/usb.ids
◦ The last write time of this key will show the first time that device was plugged in
Identifying the Device
http://www.linux-usb.org/usb.ids
150905003932A302&0
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
VID 1E3D PID 2093
27th Oct 2014 @ 10:37 UTC
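The three lookups in the slides above (the USBSTOR sub-key, the matching USB\VID_xxxx&PID_xxxx\serial key, and the usb.ids database) can be scripted once the key names are exported from the hive. The Python below is an added example written for this page, not the presenter's code or tooling. Every input is a constructed sample in the formats the slides describe: the USBSTOR and USB key names, a usb.ids-style excerpt, and the placeholder entry VID_0000&PID_0000 for a device the database does not know.

```python
"""Correlate USBSTOR sub-keys with USB\\VID_xxxx&PID_xxxx keys and usb.ids.

Added example for this page (not the presenter's code). All inputs below are
constructed samples in the formats the slides describe.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed: sub-keys under SYSTEM\CurrentControlSet\Enum\USBSTOR, written as
# <device key>\<serial>&<suffix>
USBSTOR_SAMPLE = [
    r"Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00\150905003932A302&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\92B0564A&0",
    r"Disk&Ven_Samsung&Prod_U5&Rev_0100\39210000447F59BD0002DA9ADF2159BD&0",
    r"Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142\2GE4D91T&0",
    # second character is '&': an id Windows issued itself, unique to this machine
    r"Disk&Ven_Generic&Prod_Card_Reader&Rev_1.00\7&1a2b3c4d&0",
]

# Constructed: sub-keys under SYSTEM\CurrentControlSet\Enum\USB; the serial
# appears here without the trailing &0 / &1. VID_0000&PID_0000 is a placeholder.
USB_SAMPLE = [
    r"VID_1E3D&PID_2093\150905003932A302",
    r"VID_0000&PID_0000\92B0564A",
]

# Constructed excerpt in usb.ids layout: vendor line, then TAB-indented products
USB_IDS_SAMPLE = """\
# constructed excerpt, not the real file
1e3d  Chipsbank Microelectronics Co., Ltd
\t2093  CBM209x Flash Drive (OEM)
"""

USBSTOR_RE = re.compile(
    r"^(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$"
)
USB_RE = re.compile(
    r"^VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})\\(?P<serial>[^\\]+)$"
)


def parse_usbstor(subkey: str) -> Dict[str, object]:
    """Split a USBSTOR sub-key into device fields, serial number and suffix."""
    m = USBSTOR_RE.match(subkey)
    if not m:
        raise ValueError(f"not a USBSTOR sub-key: {subkey!r}")
    instance = m.group("instance")
    serial, _, suffix = instance.rpartition("&")
    if suffix not in ("0", "1"):  # the slides: every instance ends in &0 or &1
        raise ValueError(f"unexpected instance id suffix: {instance!r}")
    return {
        "type": m.group("type"), "vendor": m.group("vendor"),
        "product": m.group("product"), "revision": m.group("rev"),
        "serial": serial, "suffix": suffix,
        # '&' in position two: Windows made the id up rather than the device
        "windows_issued": len(instance) > 1 and instance[1] == "&",
    }


def parse_usb_key(subkey: str) -> Dict[str, str]:
    """Split a USB\\VID_xxxx&PID_xxxx\\serial sub-key."""
    m = USB_RE.match(subkey)
    if not m:
        raise ValueError(f"not a USB VID/PID sub-key: {subkey!r}")
    return {"vid": m.group("vid").upper(), "pid": m.group("pid").upper(),
            "serial": m.group("serial")}


def parse_usb_ids(text: str) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Index usb.ids-formatted text by (vid, pid); (vid, '') holds the vendor."""
    db: Dict[Tuple[str, str], Tuple[str, str]] = {}
    vendor_id = vendor_name = ""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("C "):      # class tables follow the vendor list
            break
        if line.startswith("\t\t"):    # interface lines are not needed here
            continue
        if line.startswith("\t"):
            pid, _, product = line.strip().partition("  ")
            db[(vendor_id, pid.lower())] = (vendor_name, product.strip())
        else:
            vendor_id, _, vendor_name = line.partition("  ")
            vendor_id, vendor_name = vendor_id.lower(), vendor_name.strip()
            db[(vendor_id, "")] = (vendor_name, "")
    return db


def lookup_device(vid: str, pid: str, db) -> Tuple[Optional[str], Optional[str]]:
    """Return (vendor name, product name); either is None when unknown."""
    vendor, product = db.get((vid.lower(), pid.lower()), (None, None))
    if vendor is None:
        vendor = db.get((vid.lower(), ""), (None, None))[0]
    return vendor, product


def correlate(usbstor_keys: List[str], usb_keys: List[str], db) -> List[Dict[str, object]]:
    """Join each USBSTOR device to its VID/PID key by serial and resolve names."""
    by_serial = {parse_usb_key(k)["serial"]: parse_usb_key(k) for k in usb_keys}
    rows = []
    for key in usbstor_keys:
        row = parse_usbstor(key)
        usb = by_serial.get(str(row["serial"]))
        vid = usb["vid"] if usb else None
        pid = usb["pid"] if usb else None
        vendor_name, product_name = lookup_device(vid, pid, db) if usb else (None, None)
        row.update(vid=vid, pid=pid, vendor_name=vendor_name, product_name=product_name)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for r in correlate(USBSTOR_SAMPLE, USB_SAMPLE, parse_usb_ids(USB_IDS_SAMPLE)):
        flag = " (Windows-issued id)" if r["windows_issued"] else ""
        print(f"{r['serial']:<34} VID={r['vid']} PID={r['pid']} "
              f"-> {r['vendor_name']} {r['product_name']}{flag}")
```

A device that appears in USBSTOR with no VID/PID match (the Samsung and Seagate rows here) is still a device that was registered on the machine; the join only tells you which ones usb.ids can put a name to. The Windows-issued id case is flagged separately because that value cannot be used to match the same stick across machines.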
Volume Name
The Volume Names of USB devices are held under the following key:
◦ SOFTWARE\Microsoft\Windows Portable Devices\Devices
06 June 2015 11
150905003932A302&0
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
VID 1E3D PID 2093
TIMMYSSTICK
27th Oct 2014 @ 10:37 UTC
Volume Serial Number
• The Volume Serial Number information is stored in the following key
  ◦ SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
  ◦ This key was originally designed for use with ReadyBoost (Vista+)
  ◦ Machines deemed too fast for ReadyBoost will not have any data in this key
    ◦ Usually if an SSD drive is installed
    ◦ ReadyBoost also enables SuperFetch and Auto Defrag, which significantly reduce the lifespan of an SSD
    ◦ As such, if an SSD is present on a Windows 7 system ReadyBoost is disabled
    ◦ A Windows 8 system will test the performance first
Volume Serial Number (2)
• If the machine has ReadyBoost enabled the following artefacts will be present:
  ◦ Use the Serial Number in the key name to identify the correct device
  ◦ The last section of the key name shows the Volume ID in base 10
  ◦ The Volume ID needs to be converted to hex
  ◦ The Volume Serial Number changes each time the device is formatted
  ◦ How do you know if the device has been formatted?
    ◦ There will be a duplicate key with a different Volume Number (and possibly Volume Name)
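The two operations the slides describe for EMDMgmt, converting the trailing base-10 value into the familiar XXXX-XXXX hex form and spotting a device that has more than one volume entry, are shown in the added Python below. This is an example written for this page, not the presenter's code. The key names are constructed samples in the layout the talk describes (USBSTOR device key, serial, class GUID, volume name, base-10 volume serial); the decimal values were chosen so that the Chipsbank entry decodes to the 92A7-D861 shown on the slides, and the second Chipsbank entry is invented to model a stick that was formatted once.

```python
"""Recover volume serial numbers from EMDMgmt key names and spot reformats.

Added example for this page (not the presenter's code). The key names are
constructed samples in the format the talk describes.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed: sub-keys of SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
EMDMGMT_SAMPLE = [
    "_??_USBSTOR#Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00#150905003932A302&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}TIMMYSSTICK_2460473441",
    # same physical device, a different volume: the stick was formatted at some point
    "_??_USBSTOR#Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00#150905003932A302&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}UNTITLED_439041101",
    # volume name containing an underscore, to show the split still works
    "_??_USBSTOR#Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142#2GE4D91T&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}BACKUP_2_1234567890",
]

EMDMGMT_RE = re.compile(
    r"^_\?\?_USBSTOR#(?P<device>[^#]+)#(?P<instance>[^#]+)#"
    r"\{(?P<class_guid>[0-9A-Fa-f-]+)\}(?P<volume_name>.*)_(?P<volume_serial>\d+)$"
)


def volume_serial_to_hex(value: int) -> str:
    """Render the base-10 volume serial as Windows displays it: XXXX-XXXX."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"volume serial out of 32-bit range: {value}")
    digits = f"{value:08X}"
    return f"{digits[:4]}-{digits[4:]}"


def parse_emdmgmt(key_name: str) -> Dict[str, object]:
    """Split an EMDMgmt key name into device serial, volume name and volume serial."""
    m = EMDMGMT_RE.match(key_name)
    if not m:
        raise ValueError(f"not an EMDMgmt USBSTOR key: {key_name!r}")
    instance = m.group("instance")
    # drop the &0 / &1 suffix so the value matches the USBSTOR serial directly
    device_serial = instance.rpartition("&")[0] if instance[-2:] in ("&0", "&1") else instance
    volume_serial = int(m.group("volume_serial"))
    return {
        "device": m.group("device"),
        "device_serial": device_serial,
        "volume_name": m.group("volume_name"),
        "volume_serial_dec": volume_serial,
        "volume_serial_hex": volume_serial_to_hex(volume_serial),
    }


def find_reformatted(key_names: List[str]) -> Dict[str, List[Dict[str, object]]]:
    """Group volumes by device serial; a device with more than one volume has been formatted."""
    by_device: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for name in key_names:
        entry = parse_emdmgmt(name)
        by_device[str(entry["device_serial"])].append(entry)
    return {serial: vols for serial, vols in by_device.items() if len(vols) > 1}


if __name__ == "__main__":
    for name in EMDMGMT_SAMPLE:
        e = parse_emdmgmt(name)
        print(f"{e['device_serial']:<20} {e['volume_name']:<12} {e['volume_serial_hex']}")
    for serial, vols in find_reformatted(EMDMGMT_SAMPLE).items():
        print(f"{serial}: {len(vols)} volumes seen -> formatted at least once")
```

The hex form is what you will see quoted elsewhere on the machine and in `dir` or `chkdsk` output, so converting at parse time makes the EMDMgmt entry directly comparable with other artefacts. Two volumes under one device serial only tells you a format happened at some point; the order of the entries does not by itself say which volume is current.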
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
VID 1E3D PID 2093
150905003932A302&0
92A7-D861
TIMMYSSTICK
27th Oct 2014 @ 10:37 UTC
Determining the Last Drive Letter
◦ The last drive letter is held under the following key
  ◦ SYSTEM\MountedDevices
◦ Each drive letter will be listed in this key
◦ The data for the drive letter will have an ASCII description of the device
◦ As well as a GUID, which relates back to the EMDMgmt key
VID 1E3D PID 2093
150905003932A302&0
92A7-D861
TIMMYSSTICK
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
b5c6ea66-6779-11e4-824e-000c29f9767d E:
27th Oct 2014 @ 10:37 UTC
Which user account accessed the USB device?
◦ Each user has a local registry file called NTUser.dat
◦ The key used for identifying USB devices is
  ◦ NTUser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}
◦ The existence of this GUID within the user's NTUser.dat proves that the USB device was plugged in while this user was logged on.
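The "last drive letter" and "which user" slides are one correlation: the \DosDevices\E: value in MountedDevices carries the device string, the \??\Volume{GUID} value with identical data gives the volume GUID, and that GUID is what to look for under each user's MountPoints2. The Python below is an added example for this page, not the presenter's code. The MountedDevices values, the per-user MountPoints2 GUID lists and the user names are all constructed samples; the device string reuses the serial and volume GUID quoted on the slides, and the C: entry models a fixed disk whose data is binary rather than text.

```python
"""Tie a drive letter to a USB device and to the users who mounted it.

Added example for this page (not the presenter's code). The MountedDevices
values, MountPoints2 GUID lists and user names are constructed samples.
"""
from typing import Dict, List, Optional

# Constructed: the device string Windows stores (UTF-16LE) for the USB volume
USB_DEVICE_STRING = (
    "_??_USBSTOR#Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00#150905003932A302&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
)

# Constructed: values under SYSTEM\MountedDevices (value name -> raw data)
MOUNTED_DEVICES_SAMPLE: Dict[str, bytes] = {
    # fixed disk: 4-byte disk signature + 8-byte partition offset, not text
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + (1024 * 1024).to_bytes(8, "little"),
    "\\DosDevices\\E:": USB_DEVICE_STRING.encode("utf-16-le"),
    "\\??\\Volume{b5c6ea66-6779-11e4-824e-000c29f9767d}": USB_DEVICE_STRING.encode("utf-16-le"),
}

# Constructed: sub-keys of ...\Explorer\MountPoints2 read from each user's NTUser.dat
MOUNTPOINTS2_SAMPLE: Dict[str, List[str]] = {
    "TIMMY": ["{b5c6ea66-6779-11e4-824e-000c29f9767d}", "##server#share"],
    "SCROOGE": ["##server#share"],
}


def decode_device_string(data: bytes) -> Optional[str]:
    """Return the text form of a MountedDevices value, or None for binary data."""
    if len(data) % 2:
        return None
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if not text or not all(32 <= ord(c) < 127 for c in text):
        return None
    return text


def device_serial(device_string: str) -> Optional[str]:
    """Pull the USBSTOR serial from a _??_USBSTOR#<device>#<serial>&n#{guid} string."""
    parts = device_string.split("#")
    if len(parts) < 3 or not parts[0].endswith("USBSTOR"):
        return None
    instance = parts[2]
    return instance.rpartition("&")[0] if instance[-2:] in ("&0", "&1") else instance


def drive_letters_for_usb(mounted: Dict[str, bytes]) -> List[Dict[str, Optional[str]]]:
    """Match each \\DosDevices\\X: USB entry to its volume GUID and device serial."""
    decoded = {name: decode_device_string(raw) for name, raw in mounted.items()}
    rows: List[Dict[str, Optional[str]]] = []
    for name, text in decoded.items():
        if not name.startswith("\\DosDevices\\") or text is None:
            continue
        serial = device_serial(text)
        if serial is None:
            continue
        guid = None
        for other, other_text in decoded.items():
            # identical data under a \??\Volume{...} name gives the volume GUID
            if other.startswith("\\??\\Volume{") and other_text == text:
                guid = other[len("\\??\\Volume"):]  # keep the braces, MountPoints2 uses them
        rows.append({"drive_letter": name.rsplit("\\", 1)[1],
                     "device_serial": serial, "volume_guid": guid})
    return rows


def users_who_mounted(volume_guid: str, mountpoints2: Dict[str, List[str]]) -> List[str]:
    """Users whose MountPoints2 key holds this volume GUID (case-insensitive)."""
    wanted = volume_guid.lower()
    return sorted(user for user, guids in mountpoints2.items()
                  if any(g.lower() == wanted for g in guids))


def report(mounted: Dict[str, bytes], mountpoints2: Dict[str, List[str]]) -> List[Dict[str, object]]:
    """Drive letter, device serial, volume GUID and user list for every USB volume."""
    out: List[Dict[str, object]] = []
    for row in drive_letters_for_usb(mounted):
        guid = row["volume_guid"]
        users = users_who_mounted(guid, mountpoints2) if guid else []
        out.append({**row, "users": users})
    return out


if __name__ == "__main__":
    for row in report(MOUNTED_DEVICES_SAMPLE, MOUNTPOINTS2_SAMPLE):
        print(f"{row['drive_letter']} serial={row['device_serial']} "
              f"guid={row['volume_guid']} users={row['users']}")
```

The fixed-disk entry is skipped because its data does not decode as printable text, which is how the two kinds of MountedDevices value are told apart without relying on the value name. When the GUID is absent from every NTUser.dat examined, the device may still have been used by an account whose hive was not collected, so the result should be read as "users known to have mounted it", not as an exhaustive list.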
VID 1E3D PID 2093
150905003932A302&0
92A7-D861
TIMMYSSTICK
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
b5c6ea66-6779-11e4-824e-000c29f9767d E:
27th Oct 2014 @ 10:37 UTC
First/Last time plugged in?
◦ When a new device is installed onto the system a log file is appended to
  ◦ Setupapi.dev.log
  ◦ Setupapi.log (Windows XP)
◦ The setupapi.dev.log file is located in %WINDIR%\inf
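To pull the first-install time for one device out of setupapi.dev.log, the sections to read are the `>>>  [Device Install ...]` header and the `>>>  Section start` line that follows it. The Python below is an added example for this page, not the presenter's code. LOG_SAMPLE is a constructed excerpt in that layout, with a USB\VID_1E3D&PID_2093 section and a USBSTOR section for the serial from the slides plus one unrelated device; the timestamps are invented around the 09:09 time the slides report.

```python
"""Find the first install time of a USB device in setupapi.dev.log.

Added example for this page (not the presenter's code). LOG_SAMPLE is a
constructed excerpt in the layout of %WINDIR%\\inf\\setupapi.dev.log.
Timestamps in this log are the machine's local time.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

LOG_SAMPLE = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_1E3D&PID_2093\\150905003932A302]
>>>  Section start 2014/10/27 09:09:10.100
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2014/10/27 09:09:12.001
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00\\150905003932A302&0]
>>>  Section start 2014/10/27 09:09:12.345
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2014/10/27 09:09:14.123
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142\\2GE4D91T&0]
>>>  Section start 2014/11/03 14:02:55.010
<<<  Section end 2014/11/03 14:02:57.900
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \((?P<how>[^)]+)\) - (?P<instance>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_install_sections(log_text: str) -> List[Dict[str, object]]:
    """Pair each device-install header with the section start time under it."""
    sections: List[Dict[str, object]] = []
    pending: Optional[Dict[str, object]] = None
    for line in log_text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            pending = {"instance_id": h.group("instance"), "how": h.group("how")}
            continue
        s = START_RE.match(line)
        if s and pending is not None:
            # local time of the machine; reconcile with the time-zone noted up front
            pending["started"] = datetime.strptime(s.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            sections.append(pending)
            pending = None
    return sections


def serial_of(instance_id: str) -> str:
    """Last path element of the instance id, minus the USBSTOR &0/&1 suffix."""
    tail = instance_id.rsplit("\\", 1)[-1]
    return tail.rpartition("&")[0] if tail[-2:] in ("&0", "&1") else tail


def installs_for_serial(log_text: str, serial: str) -> List[Dict[str, object]]:
    """Every install section whose instance id carries this serial, oldest first."""
    matches = [s for s in parse_install_sections(log_text)
               if serial_of(str(s["instance_id"])).lower() == serial.lower()]
    return sorted(matches, key=lambda s: s["started"])


def first_install(log_text: str, serial: str) -> Optional[Dict[str, object]]:
    """The earliest install section for this serial, or None if never installed."""
    matches = installs_for_serial(log_text, serial)
    return matches[0] if matches else None


if __name__ == "__main__":
    hit = first_install(LOG_SAMPLE, "150905003932A302")
    if hit:
        print(f"first installed {hit['started']} via {hit['instance_id']}")
```

The USB\VID_... section is normally written before the USBSTOR one for the same stick, so searching by serial across both instance-id forms and taking the minimum gives the earliest trace rather than whichever section you happened to grep first. The log is appended to on install, so it gives a first-seen time; the last-seen time still comes from the registry last-write times the earlier slides describe.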
VID 1E3D PID 2093
92A7-D861
TIMMYSSTICK
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
b5c6ea66-6779-11e4-824e-000c29f9767d E:
27th Oct 2014 @ 10:37 UTC
27th Oct 2014 @ 09:09 GMT
150905003932A302&0
Summary Report
A USB device, a Chipsbank Microelectronics CBM209x, with a serial number 150905003932A302 was plugged in at 27th Oct 2014 @ 09:09 GMT for approximately 90 minutes; it was last seen at 27th Oct 2014 @ 10:37 UTC. The device had a Volume Name or 'label' of TIMMYSSTICK; it is almost certain that the drive letter used was E: and user TIMMY was the only account to have encountered this device. It is recommended that a timeline is created of the machine for those 90 minutes to determine what data, if any, was copied or moved to the device.
As a consultant I can do this for you…
…let's talk day rates
Questions? @Russ_Taylor_
References & Twitter
My Blog
◦ www.HatsOffSecurity.com
◦ And Google
Twitter
◦ @Russ_Taylor_
