Investigating USB Devices On Windows 7 & 8
BSIDES LONDON 2015
Whoami?
What you need to know before you start
As with any forensic investigation, you really need to know what you are looking for!
 What is the scenario?
 Are you looking to prove/disprove something?
 Do you have any details around the USB device?
 What is the end goal?
 Proof that IP was stolen?
 Illegal content of the device?
 Exploratory?
 Additional details?
 Computer name?
 Time-zone?
 User level?
 Time since last rebuild?
 Any other relevant details about the user?
Scenario
Scrooge's Crutches Ltd want us to look into Timmy Cratchet.
A USB stick belonging to Timmy was discovered and has Intellectual Property on it.
Scrooge only uses authorised USB devices.
Timmy's machine should only have had one USB storage device used on it.
Identifying the Device Serial Number in the USBSTOR
The USBSTOR key contains all of the USB Storage Devices registered on the machine.
 Located within the SYSTEM hive
 SYSTEM\CurrentControlSet\Enum\USBSTOR
 Each device-class key (Disk&Ven_...&Prod_...&Rev_...) may contain more than one device instance
 The sub-keys beneath it are named after the Serial Number of each device
 All Serial Numbers end with either &0 or &1
 Serial numbers where the second character is a & are instance IDs issued by Windows because the device reported no serial; they are unique to this machine only and cannot be matched across machines
150905003932A302&0
92B0564A&0
39210000447F59BD0002DA9ADF2159BD&0
2GE4D91T&0
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07
Disk&Ven_Samsung&Prod_U5&Rev_0100
Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142
VID & PID
The Vendor ID and Product ID can be used to help identify the USB device
 Located in the following key
 SYSTEM\CurrentControlSet\Enum\USB
 Sub-keys are named VID_xxxx&PID_xxxx, and the device Serial Number appears beneath them without the trailing &0
 The VID & PID can now be used to identify the device
 www.linux-usb.org/usb.ids
 The last write time of the serial sub-key records the most recent time the device was plugged in (the first time comes from setupapi.dev.log, covered later)
150905003932A302&0
92B0564A&0
39210000447F59BD0002DA9ADF2159BD&0
2GE4D91T&0
Identifying the Device
http://www.linux-usb.org/usb.ids
150905003932A302&0
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
VID 1E3D PID 2093
27th Oct 2014 @ 10:37 UTC
Volume Name
The Volume Names (labels) of USB devices are held under the following key:
 SOFTWARE\Microsoft\Windows Portable Devices\Devices
06 June 2015
150905003932A302&0
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
VID 1E3D PID 2093
TIMMYSSTICK
27th Oct 2014 @ 10:37 UTC
Volume Serial Number
 The Volume Serial Number information is stored in the following key
 SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
 This key was originally designed for use with ReadyBoost (Vista +)
 Machines deemed too fast for ReadyBoost will not have any data in this key
 Usually this means an SSD is installed
 ReadyBoost, SuperFetch and automatic defragmentation all significantly reduce the lifespan of an SSD
 As such, if an SSD is present on a Windows 7 system ReadyBoost is disabled
 A Windows 8 system will test the drive's performance first
Volume Serial Number (2)
 If the machine has ReadyBoost enabled the following artefacts will be present:
 Use the device Serial Number in the key name to identify the correct device
 The last section of the key name is the Volume Serial Number in base 10
 Convert it to hex (eight digits, written XXXX-XXXX) to match what dir or vol shows on the volume
 The Volume Serial Number changes each time the device is formatted
 How do you know if the device has been formatted?
 There will be a duplicate key for the same device Serial Number with a different Volume Serial Number (and possibly a different Volume Name)
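The decoding described above, as an added example rather than code from the talk: parse an EMDMgmt sub-key name into device ID, device serial, volume label and Volume Serial Number, converting the base-10 tail to the XXXX-XXXX hex form, and flag devices that have more than one volume serial (a reformat). The key name is constructed from the values shown on the slides; the decimal figure 2460473441 is my own conversion of 92A7-D861 and does not appear on the page.

```python
"""Decode the artefacts recorded in an EMDMgmt sub-key name (added example)."""
import re

# Constructed from the slide's values: device ID, serial, volume label and the
# decimal form of volume serial 92A7-D861 (2460473441, my conversion).
SAMPLE_KEY_NAME = (
    "_??_USBSTOR#Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00"
    "#150905003932A302&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    "TIMMYSSTICK_2460473441"
)

# _??_USBSTOR#<device class>#<serial&n>#{class GUID}<label>_<decimal serial>
EMD_RE = re.compile(
    r"^_\?\?_USBSTOR#(?P<device>[^#]+)#(?P<instance>[^#]+)#\{[0-9a-fA-F-]+\}"
    r"(?P<label>.*)_(?P<serial_dec>\d+)$"
)


def volume_serial_hex(decimal_serial: int) -> str:
    """Render the base-10 serial as the familiar XXXX-XXXX form."""
    h = f"{decimal_serial:08X}"
    return f"{h[:4]}-{h[4:]}"


def serial_origin(serial: str) -> str:
    """Windows-generated instance IDs have '&' as their second character."""
    if len(serial) > 1 and serial[1] == "&":
        return "windows-generated"
    return "device-supplied"


def parse_emdmgmt_key(name: str) -> dict:
    """Split one EMDMgmt sub-key name into its forensic fields."""
    m = EMD_RE.match(name)
    if not m:
        raise ValueError(f"not an EMDMgmt USBSTOR key name: {name!r}")
    instance = m.group("instance")
    serial = instance.rsplit("&", 1)[0]  # strip the trailing &0 / &1
    return {
        "device": m.group("device"),
        "serial": serial,
        "serial_origin": serial_origin(serial),
        "volume_label": m.group("label"),
        "volume_serial": volume_serial_hex(int(m.group("serial_dec"))),
    }


def find_reformats(key_names) -> dict:
    """Group keys by device serial; more than one (volume serial, label) pair
    for a device means the volume was reformatted or relabelled between uses."""
    seen = {}
    for n in key_names:
        p = parse_emdmgmt_key(n)
        seen.setdefault(p["serial"], set()).add((p["volume_serial"], p["volume_label"]))
    return {s: sorted(v) for s, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    print(parse_emdmgmt_key(SAMPLE_KEY_NAME))
```

Run it against every sub-key name under EMDMgmt; a device serial that maps to two or more volume serials has been formatted since it was first seen, and the later label is usually the one the user will recognise.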
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
VID 1E3D PID 2093
150905003932A302&0
92A7-D861
TIMMYSSTICK
27th Oct 2014 @ 10:37 UTC
Determining the Last Drive Letter
 The last drive letter is held under the following Key
 SYSTEM\MountedDevices
 Each drive letter is listed in this key as a \DosDevices\X: value
 The data for a USB drive letter is a UTF-16 string naming the device (its USBSTOR device ID and Serial Number)
 A matching \??\Volume{GUID} value carries the same data; that volume GUID is what appears in the user's MountPoints2 key
 Only the last device to hold a letter is recorded against that letter, but the \??\Volume{GUID} entry persists after the letter is reused
VID 1E3D PID 2093
150905003932A302&0
92A7-D861
TIMMYSSTICK
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
b5c6ea66-6779-11e4-824e-000c29f9767d E:
27th Oct 2014 @ 10:37 UTC
Which user account accessed the USB device?
 Each user has a local registry file called NTUser.dat
 The key used for identifying USB Devices is
 NTUser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}
 The GUID is the volume GUID from SYSTEM\MountedDevices
 The existence of this GUID within the user's NTUser.dat proves that the USB volume was mounted while this user was logged on; the sub-key's last write time gives the last time that user saw it
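The linkage across the last two sections (MountedDevices drive letter and volume GUID, then the per-user MountPoints2 key), as an added example that is not code from the talk. The MountedDevices values are constructed here as the UTF-16LE strings Windows stores as REG_BINARY in that key, using the device ID, serial and volume GUID shown on the slides; the second GUID, the fixed-disk entry and the Administrator account are made up for contrast.

```python
"""Tie a USBSTOR serial to its last drive letter, volume GUID and the users
who mounted it, from MountedDevices and each user's MountPoints2 (added example)."""

DEVICE_PATH = (
    "_??_USBSTOR#Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00"
    "#150905003932A302&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
)
VOLUME_GUID = "{b5c6ea66-6779-11e4-824e-000c29f9767d}"

# Constructed SYSTEM\MountedDevices value names -> REG_BINARY data.
# Fixed disks store a 4-byte MBR signature + 8-byte partition offset; USB
# volumes store the device path as UTF-16LE text.
MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a0b1c2d3") + (0x7E00).to_bytes(8, "little"),
    "\\DosDevices\\E:": DEVICE_PATH.encode("utf-16-le"),
    "\\??\\Volume" + VOLUME_GUID: DEVICE_PATH.encode("utf-16-le"),
}

# Constructed MountPoints2 sub-key names taken from each user's NTUser.dat.
MOUNTPOINTS2 = {
    "TIMMY": [VOLUME_GUID, "{11111111-2222-3333-4444-555555555555}"],
    "Administrator": ["{11111111-2222-3333-4444-555555555555}"],
}


def decode_device_path(data: bytes):
    """Return the USB device path held in a MountedDevices value, or None
    when the value is not a USBSTOR text entry (e.g. a fixed-disk signature)."""
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if "USBSTOR#" in text else None


def resolve_usb_volume(serial: str, mounted_devices: dict, mountpoints2: dict) -> dict:
    """Drive letter(s), volume GUID(s) and users whose MountPoints2 hold those GUIDs."""
    letters, guids = [], []
    for name, data in mounted_devices.items():
        path = decode_device_path(data)
        if path is None or f"#{serial}&" not in path:
            continue
        if name.startswith("\\DosDevices\\"):
            letters.append(name.rsplit("\\", 1)[1])
        elif name.startswith("\\??\\Volume{"):
            guids.append(name[len("\\??\\Volume"):])
    users = sorted(u for u, seen in mountpoints2.items() if any(g in seen for g in guids))
    return {"drive_letters": letters, "volume_guids": guids, "users": users}


if __name__ == "__main__":
    print(resolve_usb_volume("150905003932A302", MOUNTED_DEVICES, MOUNTPOINTS2))
```

If a different device has since taken the same letter, the \DosDevices\E: value will name that newer device and `drive_letters` comes back empty for the serial of interest, while the \??\Volume{GUID} entry still identifies the volume and still links to MountPoints2; that is why the GUID, not the letter, is the reliable pivot.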
VID 1E3D PID 2093
150905003932A302&0
92A7-D861
TIMMYSSTICK
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
b5c6ea66-6779-11e4-824e-000c29f9767d E:
27th Oct 2014 @ 10:37 UTC
First/Last time plugged in?
 When a device is installed on the system for the first time, the driver installation log is appended to
 setupapi.dev.log (Windows Vista and later)
 setupapi.log (Windows XP)
 The setupapi.dev.log file is located in %WINDIR%\inf
 Timestamps in this log are in the machine's local time, so check the time-zone before comparing them with UTC registry timestamps
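Pulling the first-install time out of setupapi.dev.log, as an added example that is not code from the talk. The log excerpt is constructed to follow the Windows 7/8 section layout (a `>>>  [Device Install ...]` header, a `>>>  Section start` timestamp and a `<<<  [Exit status: ...]` footer); the Chipsbank device ID and the 09:09 time come from the slides, while the second device's install and the seconds/milliseconds are made up. Timestamps are returned as naive local-time values, matching what the log records.

```python
"""Recover a USB storage device's first-install time from setupapi.dev.log (added example)."""
import re
from datetime import datetime

# Constructed excerpt in the Windows 7/8 setupapi.dev.log layout.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00\\150905003932A302&0]
>>>  Section start 2014/10/27 09:09:12.345
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 09:09:12.360
<<<  Section end 2014/10/27 09:09:14.123
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Samsung&Prod_U5&Rev_0100\\92B0564A&0]
>>>  Section start 2014/11/02 14:21:05.001
<<<  Section end 2014/11/02 14:21:07.900
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - (?P<device>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
STATUS_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>\w+)\]")


def parse_setupapi(text: str):
    """Yield one dict per install section: device instance, local start time, exit status."""
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"device": m.group("device"), "start": None, "status": None}
            continue
        if current is None:
            continue  # lines outside a device-install section
        m = START_RE.match(line)
        if m:
            current["start"] = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"] = m.group("status")
            yield current
            current = None


def first_install(text: str, serial: str):
    """Local-time first-install timestamp for a USBSTOR serial, or None if never installed."""
    for entry in parse_setupapi(text):
        device = entry["device"]
        if device.upper().startswith("USBSTOR\\") and f"\\{serial}&" in device:
            return entry["start"]
    return None


if __name__ == "__main__":
    print(first_install(SAMPLE_LOG, "150905003932A302"))
```

Because the log is only written when the driver stack is first installed, a device that has been seen before will not appear again here; later connections come from the Enum\USB last write times and the MountPoints2 key, which is why the first and last times in the summary come from different artefacts.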
VID 1E3D PID 2093
92A7-D861
TIMMYSSTICK
Disk&Ven_CHIPSBNK&Prod_v3.3.9.6&Rev_5.00
b5c6ea66-6779-11e4-824e-000c29f9767d E:
27th Oct 2014 @ 10:37 UTC
27th Oct 2014 @ 09:09 GMT
150905003932A302&0
Summary Report
A USB device, a Chipsbank Microelectronics CBM209x with serial number 150905003932A302, was plugged in at 27th Oct 2014 @ 09:09 GMT for approximately 90 minutes; it was last seen at 27th Oct 2014 @ 10:37 UTC. The device had a Volume Name (label) of TIMMYSSTICK; it is almost certain that the drive letter used was E:, and user TIMMY was the only account to have encountered this device. It is recommended that a timeline of the machine is created for those 90 minutes to determine what data, if any, was copied or moved to the device.
As a consultant I can do this for you..
..let's talk day rates
Questions? @Russ_Taylor_
References & Twitter
My Blog
 www.HatsOffSecurity.com
 And Google
Twitter
 @Russ_Taylor_