usb forensics bsides london 2015

Investigating USB Devices On Windows 7 & 8 BSIDES LONDON 2015

Upload: russ-taylor

Post on 17-Aug-2015

Investigating USB Devices On Windows 7 & 8

BSIDES LONDON 2015

Whoami?

What you need to know before you start

As with any forensic investigation, you really need to know what you are looking for!

◦ What is the scenario?
◦ Are you looking to prove/disprove something?
◦ Do you have any details around the USB device?
◦ What is the end goal?
  ◦ Proof that IP was stolen?
  ◦ Illegal content on the device?
  ◦ Exploratory?
◦ Additional details?
  ◦ Computer name?
  ◦ Time-zone?
  ◦ User level?
  ◦ Time since last rebuild?
  ◦ Any other relevant details about the user?

Scenario

• Scrooges Crutches Ltd want us to look into Timmy Cratchet
• A USB stick belonging to Timmy was discovered and has Intellectual Property on it
• Scrooge only uses authorised USB devices
• Timmy’s machine should only have one USB storage device used

Identifying the Device Serial Number in the USBSTOR

The USBSTOR key contains all of the USB Storage Devices registered on the machine.

• Located within the SYSTEM hive – SYSTEM\CurrentControlSet\Enum\USBSTOR
• Each Key may contain more than one device
  – The sub-keys contain the Serial Number of that device
  – All Serial numbers end with either &0 or &1
  – Serial numbers where the second character is a & are serial numbers issued by Windows and unique to this machine only

150905003932A302&0
92B0564A&0
39210000447F59BD0002DA9ADF2159BD&0
2GE4D91T&0

Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07
Disk&Ven_Samsung&Prod_U5&Rev_0100
Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142

VID & PID

The Vendor ID and Product ID can be used to help identify the USB device

◦ Located in the following key
  ◦ SYSTEM\CurrentControlSet\Enum\USB
◦ The final &0 is removed from the key
◦ The VID & PID can now be used to identify the device
  ◦ www.linux-usb.org/usb.ids
◦ The last write time of this Key will show the first time that device was plugged in


Identifying the Device

http://www.linux-usb.org/usb.ids

150905003932A302&0

Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00

VID 1E3D PID 2093

27th Oct 2014 @ 10:37 UTC
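The two steps above (reading the USBSTOR device and serial keys, then resolving the VID/PID from Enum\USB against usb.ids) are easy to get wrong by hand when a machine has dozens of devices, so here is an added Python example that is not part of the talk. It parses the four device keys and four serials shown on the USBSTOR slide, flags Windows-issued serials (second character is &), and looks a VID/PID pair up in a small constructed excerpt written in the usb.ids file layout. The vendor and product names in the excerpt follow the talk's summary slide and are not copied from the real usb.ids; the serial-to-device pairings other than CHIPSBNK ↔ 150905003932A302, and the made-up Windows-issued instance 7&2a1b3c4d&0, are assumptions for the example.

```python
import re

# Constructed sample data built from the key names shown on the slides.
# Only the CHIPSBNK <-> 150905003932A302 pairing is confirmed by the talk;
# the other serial-to-device pairings, and the Windows-issued
# "7&2a1b3c4d&0" instance, are assumptions made for this example.
USBSTOR = {
    "Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00": ["150905003932A302&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["92B0564A&0"],
    "Disk&Ven_Samsung&Prod_U5&Rev_0100": ["39210000447F59BD0002DA9ADF2159BD&0"],
    "Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142": ["2GE4D91T&0", "7&2a1b3c4d&0"],
}

# Constructed excerpt in the usb.ids layout (vendor line, then tab-indented
# product lines). Names follow the talk's summary slide; the real file at
# www.linux-usb.org/usb.ids is the reference to check against.
USB_IDS_EXCERPT = (
    "# constructed excerpt, not the real usb.ids\n"
    "1e3d  Chipsbank Microelectronics Co., Ltd\n"
    "\t2093  CBM209x Flash Drive\n"
    "\t2095  CBM2095 Flash Drive\n"
    "abcd  Example Vendor (made up)\n"
    "\t0001  Example Flash Disk\n"
)

USBSTOR_NAME = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$"
)
VID_PID = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


def parse_usbstor_name(name):
    """Split 'Disk&Ven_X&Prod_Y&Rev_Z' into its type/vendor/product/revision."""
    m = USBSTOR_NAME.match(name)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {name}")
    return m.groupdict()


def parse_instance(instance):
    """Strip the trailing &0/&1 from a USBSTOR instance id and flag serials
    that Windows issued itself (second character is '&')."""
    serial, sep, suffix = instance.rpartition("&")
    if not sep or suffix not in ("0", "1"):
        raise ValueError(f"unexpected USBSTOR instance id: {instance}")
    return {"serial": serial, "windows_generated": len(serial) > 1 and serial[1] == "&"}


def parse_vid_pid(usb_key):
    """Pull VID/PID out of an Enum\\USB key such as 'VID_1E3D&PID_2093'."""
    m = VID_PID.search(usb_key)
    if not m:
        raise ValueError(f"no VID/PID in key: {usb_key}")
    return m.group(1).lower(), m.group(2).lower()


def load_usb_ids(text):
    """Parse usb.ids text into {vid: (vendor_name, {pid: product_name})}.
    Stops at the class/protocol tables that follow the vendor list."""
    db, vid = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or line.startswith("\t\t"):
            continue  # blank lines, comments and interface sub-entries
        if line.startswith("\t"):
            if vid is not None:
                pid, _, name = line.strip().partition("  ")
                db[vid][1][pid.lower()] = name.strip()
            continue
        if not re.match(r"^[0-9A-Fa-f]{4}  ", line):
            break  # 'C 00  ...' style lines mean the vendor table is over
        vid, _, name = line.partition("  ")
        vid = vid.lower()
        db[vid] = (name.strip(), {})
    return db


def identify(usb_key, db):
    """Map an Enum\\USB key name to (vendor, product) via the usb.ids table."""
    vid, pid = parse_vid_pid(usb_key)
    vendor, products = db.get(vid, ("unknown vendor", {}))
    return vendor, products.get(pid, "unknown product")


def inventory(usbstor):
    """Flatten the USBSTOR tree into one record per physical device."""
    rows = []
    for key, instances in usbstor.items():
        for inst in instances:
            rows.append({**parse_usbstor_name(key), **parse_instance(inst)})
    return rows


if __name__ == "__main__":
    ids = load_usb_ids(USB_IDS_EXCERPT)
    for row in inventory(USBSTOR):
        print(row)
    print(identify("VID_1E3D&PID_2093", ids))
```

Against a real hive the same functions apply to the subkey names you pull out with a registry parser; the Windows-generated flag matters because such serials cannot be matched to the same stick on another machine, which undercuts an "authorised device" argument in a scenario like the one above.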

Volume Name

The Volume Name of USB Devices is contained within the following Key:

◦ SOFTWARE\Microsoft\Windows Portable Devices\Devices


150905003932A302&0

Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00

VID 1E3D PID 2093

TIMMYSSTICK

27th Oct 2014 @ 10:37 UTC

Volume Serial Number

• The Volume Serial Number information is stored in the following key
  ◦ SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
◦ This key was originally designed for use with ReadyBoost (Vista +)
◦ Machines deemed too fast for ReadyBoost will not have any data in this key
  ◦ Usually if an SSD drive is installed
  ◦ ReadyBoost also enables SuperPreFetch and Auto Defrag, which significantly reduce the lifespan of an SSD
  ◦ As such, if an SSD is present on a Windows 7 system ReadyBoost is disabled
  ◦ A Windows 8 System will test the performance first

Volume Serial Number (2)

• If the machine has ReadyBoost enabled the following artefacts will be present:
◦ Use the Serial Number in the Key name to identify the correct device
◦ The last section of the key will show the Volume ID in Base10
◦ The Volume ID needs to be in Hex
◦ The Volume Serial Number is changed each time the device is formatted
◦ How do you know if the device has been formatted?
  ◦ There will be a duplicate key with a different Volume Number (and possibly Volume Name)

Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00

VID 1E3D PID 2093

150905003932A302&0

92A7-D861

TIMMYSSTICK

27th Oct 2014 @ 10:37 UTC
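The EMDMgmt steps above (match the serial in the key name, take the trailing decimal number, convert it to hex, and spot duplicate keys for the same serial as evidence of a format) are shown here as an added Python example; it is not code from the talk. The subkey names are constructed to follow the layout the slides describe (device key, serial, a GUID, label, then the volume serial in Base10); the CHIPSBNK serial, the TIMMYSSTICK label and the 92A7-D861 result are from the talk, while the decimal values and the second, twice-formatted device are made up.

```python
import re
from collections import defaultdict

# Constructed EMDMgmt subkey names (not copied from the slides). They follow
# the layout the talk describes: the USBSTOR device key and serial, a GUID,
# the volume label and, after the last underscore, the volume serial in
# decimal. The CHIPSBNK serial and TIMMYSSTICK label come from the talk;
# the decimal values and the second device are made up for this example.
EMDMGMT_KEYS = [
    "_??_USBSTOR#Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00#150905003932A302&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}TIMMYSSTICK_2460473441",
    "_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#92B0564A&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}BACKUP_123456789",
    "_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#92B0564A&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}NEW_VOLUME_3735928559",
]

EMD_KEY = re.compile(
    r"^_\?\?_USBSTOR#(?P<device>[^#]+)#(?P<instance>[^#]+)#"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}(?P<label>.*)_(?P<volser_dec>\d+)$"
)


def volume_serial_hex(dec):
    """Turn the decimal volume serial from the key name into the XXXX-XXXX
    form that 'vol', 'dir' and most forensic tools display."""
    value = int(dec)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"volume serial out of 32-bit range: {dec}")
    digits = f"{value:08X}"
    return f"{digits[:4]}-{digits[4:]}"


def parse_emdmgmt_key(name):
    """Break one EMDMgmt subkey name into device, serial, label and volume serial."""
    m = EMD_KEY.match(name)
    if not m:
        raise ValueError(f"unexpected EMDMgmt key layout: {name}")
    entry = m.groupdict()
    entry["serial"] = entry["instance"].rsplit("&", 1)[0]   # drop the &0 / &1
    entry["volume_serial"] = volume_serial_hex(entry.pop("volser_dec"))
    return entry


def volumes_by_serial(keys):
    """{device serial: {volume serial (hex): label}} over all EMDMgmt keys."""
    seen = defaultdict(dict)
    for name in keys:
        e = parse_emdmgmt_key(name)
        seen[e["serial"]][e["volume_serial"]] = e["label"]
    return {s: dict(sorted(v.items())) for s, v in seen.items()}


def find_reformatted(keys):
    """Devices with more than one volume serial: the stick was formatted
    between plug-ins (the label may or may not have changed too)."""
    return {s: v for s, v in volumes_by_serial(keys).items() if len(v) > 1}


if __name__ == "__main__":
    for serial, volumes in volumes_by_serial(EMDMGMT_KEYS).items():
        print(serial, volumes)
    print("formatted:", find_reformatted(EMDMGMT_KEYS))
```

Remember the caveat from the previous slide: on a machine where ReadyBoost was never enabled (typically one with an SSD) the key is empty and this correlation step simply yields nothing, which is a finding in itself rather than an error.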

Determining the Last Drive Letter

◦ The last drive letter is held under the following Key
  ◦ SYSTEM\Mounted Devices
◦ Each drive letter will be listed in this key
◦ The Data for the drive letter will have an ASCII description of the device
◦ As well as a GUID, which relates back to the EMDMgmt Key


VID 1E3D PID 2093

150905003932A302&0

92A7-D861

TIMMYSSTICK

Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00

b5c6ea66-6779-11e4-824e-000c29f9767d E:\

27th Oct 2014 @ 10:37 UTC

Which user account accessed the USB device?

◦ Each user has a local registry file called NTUser.dat
◦ The key used for identifying USB Devices is
  ◦ NTUser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2\{GUID}
◦ The existence of this GUID within the user’s NTUser.dat proves that the USB device was plugged in while this user was logged on.

VID 1E3D PID 2093

150905003932A302&0

92A7-D861

TIMMYSSTICK

Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00

b5c6ea66-6779-11e4-824e-000c29f9767d E:\

27th Oct 2014 @ 10:37 UTC
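The last two slides chain together: MountedDevices gives the drive letter and the Volume{GUID} for a serial, and the same GUID under each user's MountPoints2 says who was logged on when it was present. This added Python example, not part of the talk, runs that correlation over constructed registry data. MountedDevices values for USB volumes are stored as UTF-16LE device paths while fixed MBR disks hold a 12-byte signature-plus-offset blob, so the decoder classifies each value before searching it; the E:\ mapping, the b5c6ea66-… GUID and the TIMMY account come from the slides, and the C: drive entry, the second GUID and the SCROOGE user are made up.

```python
import re

DISK_IF_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"  # disk device-interface class
CHIPSBNK_PATH = (
    "_??_USBSTOR#Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00#150905003932A302&0#" + DISK_IF_GUID
)
VOL_GUID = "{b5c6ea66-6779-11e4-824e-000c29f9767d}"       # from the slide
FIXED_GUID = "{0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0}"     # made up

# Constructed MountedDevices values. USB volumes carry the device path as a
# UTF-16LE string; MBR fixed disks carry a 4-byte disk signature plus an
# 8-byte partition offset (12 bytes in total).
MBR_VALUE = bytes.fromhex("78563412") + (1048576).to_bytes(8, "little")
MOUNTED_DEVICES = {
    r"\DosDevices\C:": MBR_VALUE,
    r"\??\Volume" + FIXED_GUID: MBR_VALUE,
    r"\DosDevices\E:": CHIPSBNK_PATH.encode("utf-16-le"),
    r"\??\Volume" + VOL_GUID: CHIPSBNK_PATH.encode("utf-16-le"),
}

# Constructed MountPoints2 subkey names, one list per user's NTUSER.DAT.
MOUNTPOINTS2 = {
    "TIMMY": [VOL_GUID, FIXED_GUID],
    "SCROOGE": [FIXED_GUID],
}


def decode_mounted_device(data):
    """Classify one MountedDevices value as ('mbr', ...), ('device', path)
    or ('raw', hex) so callers do not mistake binary data for text."""
    if len(data) == 12:
        sig = int.from_bytes(data[:4], "little")
        off = int.from_bytes(data[4:], "little")
        return "mbr", f"signature={sig:08X} offset={off}"
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return "raw", data.hex()
    return ("device", text) if text.isprintable() else ("raw", data.hex())


def locate_device(mounted, serial):
    """Drive letters and volume GUIDs whose MountedDevices data names the serial."""
    letters, guids = [], []
    for name, data in mounted.items():
        kind, text = decode_mounted_device(data)
        if kind != "device" or f"#{serial}&" not in text:
            continue
        m = re.match(r"^\\DosDevices\\([A-Z]:)$", name)
        if m:
            letters.append(m.group(1))
        m = re.match(r"^\\\?\?\\Volume(\{[0-9A-Fa-f-]+\})$", name)
        if m:
            guids.append(m.group(1))
    return sorted(letters), sorted(guids)


def users_who_mounted(mountpoints2, guid):
    """Users whose MountPoints2 holds the volume GUID: the stick was present
    while they were logged on."""
    return sorted(user for user, keys in mountpoints2.items()
                  if guid.lower() in (k.lower() for k in keys))


def attribute(mounted, mountpoints2, serial):
    """One-stop correlation: serial -> drive letters, volume GUIDs, users."""
    letters, guids = locate_device(mounted, serial)
    users = sorted({u for g in guids for u in users_who_mounted(mountpoints2, g)})
    return {"drive_letters": letters, "volume_guids": guids, "users": users}


if __name__ == "__main__":
    print(attribute(MOUNTED_DEVICES, MOUNTPOINTS2, "150905003932A302"))
```

A drive letter in MountedDevices only records the last device mapped to that letter, so an empty drive-letter list with a non-empty GUID list means the letter has since been reused by another device and the attribution should rest on the GUID alone.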

First/Last time plugged in?

◦ When a new device is installed onto the system a log file is appended to
  ◦ Setupapi.dev.log
  ◦ Setupapi.log (Windows XP)
◦ The setupapi.dev.log file is located in %WINDIR%\inf\

VID 1E3D PID 2093

92A7-D861

TIMMYSSTICK

Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00

b5c6ea66-6779-11e4-824e-000c29f9767d E:\

27th Oct 2014 @ 10:37 UTC
27th Oct 2014 @ 09:09 GMT

150905003932A302&0
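To pull the first plug-in time out of setupapi.dev.log for a given serial, here is an added Python example that is not code from the talk. It walks a constructed log excerpt written in the file's "Device Install (Hardware initiated)" / "Section start" layout, records the start timestamp of each device install section, and returns the earliest one whose instance path ends with the serial (the USB parent) or serial&N (the USBSTOR child). The 2014/10/27 09:09 time matches the slide; the exact seconds, the svchost lines and the second device are made up.

```python
import re
from datetime import datetime

# Constructed excerpt in the setupapi.dev.log layout. The date and hour of
# the CHIPSBNK entries match the talk; seconds, the svchost lines and the
# second device are made up for this example.
SETUPAPI_LOG = r"""
[Device Install Log]
     OS Version = 6.1.7601
>>>  [Device Install (Hardware initiated) - USB\VID_1E3D&PID_2093\150905003932A302]
>>>  Section start 2014/10/27 09:09:18.771
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 09:09:18.802
<<<  Section end 2014/10/27 09:09:21.004
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00\150905003932A302&0]
>>>  Section start 2014/10/27 09:09:21.412
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2014/10/27 09:09:24.115
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\92B0564A&0]
>>>  Section start 2015/01/05 14:02:09.330
<<<  Section end 2015/01/05 14:02:12.001
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>  \[Device Install \(Hardware initiated\) - (?P<instance>.+)\]$")
START = re.compile(r"^>>>  Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})$")


def parse_device_installs(text):
    """Return [(instance_path, section_start)] in log order. The datetimes
    are naive on purpose: setupapi writes the machine's local time, so the
    time zone has to come from the case details, not from the log."""
    installs, pending = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.group("instance")
            continue
        m = START.match(line)
        if m and pending is not None:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            installs.append((pending, ts))
            pending = None
    return installs


def first_seen(text, serial):
    """Earliest install time for the serial, covering both the USB parent
    (path ends in \\serial) and the USBSTOR child (path ends in \\serial&N)."""
    pattern = re.compile(rf"\\{re.escape(serial)}(&\d)?$")
    times = [ts for inst, ts in parse_device_installs(text) if pattern.search(inst)]
    return min(times) if times else None


def install_timeline(text):
    """All device installs, oldest first, for building the case timeline."""
    return sorted(parse_device_installs(text), key=lambda item: item[1])


if __name__ == "__main__":
    for inst, ts in install_timeline(SETUPAPI_LOG):
        print(ts.isoformat(" "), inst)
    print("CHIPSBNK first seen:", first_seen(SETUPAPI_LOG, "150905003932A302"))
```

Only the first installation of a device is logged here, which is why the talk pairs the 09:09 entry from this file with the 10:37 last-write time from the registry to bracket the session; on a rebuilt machine the log only starts at the rebuild, so the "time since last rebuild" question from the opening slide bounds how far back this artefact can reach.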

Summary Report

A USB Device, a Chipsbank Microelectronics CBM209x, with a serial number 150905003932A302 was plugged in at 27th Oct 2014 @ 09:09 GMT for approximately 90 minutes; it was last seen at 27th Oct 2014 @ 10:37 UTC. The device had a Volume Name or ‘label’ of TIMMYSSTICK, it is almost certain that the drive letter used was E:\ and user TIMMY was the only account to have encountered this device.

It is recommended a timeline is created of the machine for those 90 minutes to determine what data, if any, was copied or moved to the device.

As a consultant I can do this for you…..

…..let’s talk day rates

Questions? @Russ_Taylor_

References & Twitter

My Blog
◦ www.HatsOffSecurity.com
◦ And Google

Twitter
◦ @Russ_Taylor_