PDF version - DPMForensics

Document technical information

Format pdf
Size 73.9 kB
First found Nov 13, 2015


Windows 7 USB Artifacts
www.dpmforensics.com
10/09/14

Vendor, Product, and Version (Device Class ID - DCID)
Full Path: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_[Vendor Name]&Prod_[Product Name]&Rev_[Version]
Vendor ID, Product ID
Full Path: HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_[Vendor ID]&PID_[Product ID]
Notes: Determine by matching the subkey with the UIID of the device in question.
Physical Serial Number (Unique Instance ID - UIID)
Full Path: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\[DCID]\[Serial Number]
Notes: If '&' is the second character of the UIID, Windows assigned it; it is not the true serial number of the device, e.g. 4&2453682790.
Volume Serial Number (VSN)
Full Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\_??_USBSTOR#[DCID]#[UIID]#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}[Volume Label]_[Volume Serial Number]
Notes: If there is no volume label for the device, there will be an underscore immediately after the bracketed value. Note, the VSN will be in decimal form.
The VSN can also be viewed by examining the first sector of the volume of the device. The value will be at hex offset 27 for FAT12/16, hex offset 43 for FAT32, and hex offset 48 for NTFS devices. Source: http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2134
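The identifier rules in the entries above (splitting a DCID into vendor, product and revision; the '&'-as-second-character test for a Windows-assigned UIID; the EMDMgmt value name with its decimal VSN and optional label; the VSN offsets in the first sector) are shown below as an added example. It is not code from the DPMForensics sheet; the EMDMgmt name, serial numbers and boot sectors are constructed, and the `build_boot_sector` helper only fills the fields this example reads.

```python
"""Added example (not from the DPMForensics sheet): split the identifiers the
sheet lists (DCID, UIID, EMDMgmt value name) and read a volume serial number
from a boot sector at the offsets the sheet gives. All input is constructed."""
import re
import struct

# Disk device-interface class GUID embedded in the EMDMgmt value name.
DISK_CLASS_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"

DCID_RE = re.compile(r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")
EMDMGMT_RE = re.compile(
    r"^_\?\?_USBSTOR#(?P<dcid>[^#]+)#(?P<uiid>[^#]+)#"
    + re.escape(DISK_CLASS_GUID)
    + r"(?P<label>.*)_(?P<vsn>\d+)$"
)


def parse_dcid(dcid):
    """Split a USBSTOR Device Class ID into vendor, product and revision."""
    m = DCID_RE.match(dcid)
    if not m:
        raise ValueError("unexpected DCID format: %r" % dcid)
    return m.groupdict()


def windows_assigned(uiid):
    """Sheet rule: '&' as the second character means Windows generated the
    instance id, so it is not the device's real serial number."""
    return len(uiid) > 1 and uiid[1] == "&"


def vsn_to_hex(vsn):
    """The registry stores the VSN in decimal; show it as Windows does (XXXX-XXXX)."""
    return "%04X-%04X" % ((vsn >> 16) & 0xFFFF, vsn & 0xFFFF)


def parse_emdmgmt_name(name):
    """Break an EMDMgmt value name into DCID, UIID, label and VSN. With no
    volume label the underscore directly follows the GUID, so label is None."""
    m = EMDMGMT_RE.match(name)
    if not m:
        raise ValueError("not an EMDMgmt USBSTOR value name: %r" % name)
    vsn = int(m.group("vsn"))
    return {
        "dcid": parse_dcid(m.group("dcid")),
        "uiid": m.group("uiid"),
        "windows_assigned_uiid": windows_assigned(m.group("uiid")),
        "label": m.group("label") or None,
        "vsn_decimal": vsn,
        "vsn_hex": vsn_to_hex(vsn),
    }


# Offsets from the sheet (hex 27 / 43 / 48) of the serial in the first sector.
VSN_OFFSET = {"FAT12/16": 0x27, "FAT32": 0x43, "NTFS": 0x48}


def detect_filesystem(sector):
    """Classify a boot sector by its OEM / file-system type strings."""
    if sector[3:11] == b"NTFS    ":
        return "NTFS"
    if sector[0x52:0x5A] == b"FAT32   ":
        return "FAT32"
    if sector[0x36:0x3E] in (b"FAT12   ", b"FAT16   ", b"FAT     "):
        return "FAT12/16"
    raise ValueError("unrecognised boot sector")


def boot_sector_vsn(sector):
    """Return (filesystem, VSN as XXXX-XXXX) read from the first sector."""
    fs = detect_filesystem(sector)
    off = VSN_OFFSET[fs]
    if fs == "NTFS":
        # NTFS stores an 8-byte serial; Windows displays the low 32 bits.
        serial = struct.unpack_from("<Q", sector, off)[0] & 0xFFFFFFFF
    else:
        serial = struct.unpack_from("<I", sector, off)[0]
    return fs, vsn_to_hex(serial)


def build_boot_sector(fs, serial):
    """Constructed sample sector carrying only the fields this example reads."""
    s = bytearray(512)
    if fs == "NTFS":
        s[3:11] = b"NTFS    "
        struct.pack_into("<Q", s, 0x48, serial)
    elif fs == "FAT32":
        s[0x52:0x5A] = b"FAT32   "
        struct.pack_into("<I", s, 0x43, serial)
    else:
        s[0x36:0x3E] = b"FAT16   "
        struct.pack_into("<I", s, 0x27, serial)
    s[510:512] = b"\x55\xAA"
    return bytes(s)


if __name__ == "__main__":
    sample = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26#4C530001234567890123&0#"
              + DISK_CLASS_GUID + "CRUZER_305441741")   # constructed value name
    print(parse_emdmgmt_name(sample))
    print(boot_sector_vsn(build_boot_sector("FAT32", 0x1234ABCD)))
```

Comparing the hex form from the registry name with the value read from the first sector of an imaged device ties the EMDMgmt entry to a specific volume even when two devices share vendor, product and label.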
Volume GUID
Full Path: HKLM\SYSTEM\MountedDevices
Notes: Determine by searching for the UIID in the data of the \??\Volume{Volume GUID} values. I've observed some USBs that do not store any identifying information in their \??\Volume{Volume GUID} value; for those the Volume GUID must be determined in other ways.
WpdBusEnumRoot Value (WBER Value)
Full Path: HKLM\SYSTEM\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\[Unknown value]STORAGE#VOLUME#_??_USBSTOR#[DCID]#[UIID]
Notes: I observed that some USBs do not leave WBER Values in the registry; the keys below that use the WBER Value were not present for the USBs that lacked one.
Last Mapped Drive
Full Path: HKLM\SYSTEM\MountedDevices
Notes: Determine by searching for the UIID in the data of the \DosDevices\[Logical Drive Letter] values, or, if the device does not store its UIID there, by matching the value's data with a Volume GUID's data. The \DosDevices\ value contains only the last device mounted as that logical letter, not every device.
Full Path: HKLM\SYSTEM\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\[WBER Value]
Notes: The FriendlyName value could be the last drive letter the particular device was mounted as, or the volume label of the device.
Full Path: HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\WPDBUSENUMROOT#UMB#[WBER Value]
Notes: The FriendlyName value could be the last drive letter the particular device was mounted as, or the volume label of the device.
User Associated with Device
Full Path: HKU\[USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\[Volume GUID]
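The Volume GUID, Last Mapped Drive and User Associated with Device lookups above are all matching rules over MountedDevices and MountPoints2 data; the block below applies them to constructed hive contents as an added example (not code from the DPMForensics sheet). The value names, the UTF-16LE device path stored for USB volumes, the 12-byte fixed-disk blob and the SIDs are constructed; `resolve_usb_volume` returns None for the Volume GUID when, as the sheet notes, no `\??\Volume{...}` value carries the UIID.

```python
"""Added example (not from the DPMForensics sheet): apply the sheet's
MountedDevices / MountPoints2 matching rules to constructed registry data."""
import re

VOLUME_RE = re.compile(r"^\\\?\?\\Volume(\{[0-9a-f-]+\})$", re.IGNORECASE)
DOSDEV_RE = re.compile(r"^\\DosDevices\\([A-Z]:)$")


def decode_mounted_data(data):
    """USB volumes store a UTF-16LE device path; fixed disks store a 12-byte
    blob (MBR signature + partition offset), returned as hex for comparison."""
    if len(data) == 12:
        return data.hex()
    try:
        return data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return data.hex()


def resolve_usb_volume(mounted_devices, uiid, mountpoints2):
    """mounted_devices: {value name: raw data}. mountpoints2: {SID: set of
    Volume GUID subkey names found under that user's MountPoints2}."""
    decoded = {name: decode_mounted_data(raw) for name, raw in mounted_devices.items()}
    needle = uiid.lower()

    # Volume GUID: the \??\Volume{...} value whose data carries the UIID.
    volume_guid = volume_data = None
    for name, text in decoded.items():
        m = VOLUME_RE.match(name)
        if m and needle in text.lower():
            volume_guid, volume_data = m.group(1), text
            break

    # Last drive letter: a \DosDevices\X: value carrying the UIID, or whose
    # data equals the Volume GUID's data for devices that omit the UIID.
    # Only the last device mounted on a letter is recorded, so a miss here
    # means another device has since taken the letter, not that it was never mounted.
    drive_letter = None
    for name, text in decoded.items():
        m = DOSDEV_RE.match(name)
        if m and (needle in text.lower() or (volume_data is not None and text == volume_data)):
            drive_letter = m.group(1)

    # User association: which profiles have a MountPoints2 subkey for this GUID.
    users = sorted(sid for sid, guids in mountpoints2.items()
                   if volume_guid is not None and volume_guid in guids)
    return {"volume_guid": volume_guid, "drive_letter": drive_letter, "users": users}


def _utf16(text):
    return text.encode("utf-16-le")


# Constructed sample data in the shapes seen in a Windows 7 SYSTEM hive.
USB_DEVICE_PATH = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26#4C530001234567890123&0"
                   "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
USB_VOLUME_GUID = "{7e3f1a2b-4c5d-6e7f-8091-a2b3c4d5e6f7}"
FIXED_DISK_GUID = "{0a1b2c3d-0000-1111-2222-333344445555}"
FIXED_DISK_BLOB = bytes.fromhex("d4c3b2a1" + "0010000000000000")   # signature + offset

SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\C:": FIXED_DISK_BLOB,
    r"\??\Volume" + FIXED_DISK_GUID: FIXED_DISK_BLOB,
    r"\??\Volume" + USB_VOLUME_GUID: _utf16(USB_DEVICE_PATH),
    r"\DosDevices\E:": _utf16(USB_DEVICE_PATH),
}
SAMPLE_MOUNTPOINTS2 = {
    "S-1-5-21-1111111111-2222222222-3333333333-1001": {USB_VOLUME_GUID, FIXED_DISK_GUID},
    "S-1-5-21-1111111111-2222222222-3333333333-1002": {FIXED_DISK_GUID},
}

if __name__ == "__main__":
    print(resolve_usb_volume(SAMPLE_MOUNTED_DEVICES, "4C530001234567890123&0", SAMPLE_MOUNTPOINTS2))
```

Feeding it real hive data means exporting the MountedDevices values and each user's MountPoints2 subkey names from the SYSTEM and NTUSER.DAT hives into the same two dictionaries; the matching logic itself does not change.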
First Time Ever Connected
Full Path: C:\Windows\inf\setupapi.dev.log
Notes: The first occurrence of the UIID in the log should correspond to a Device Install event, which signifies the first time the device was ever connected to the system. Note, about every month setupapi.dev.log will have a Device and Driver Disk Cleanup Handler event that removes any 'not-recently detected devices'; the next time a removed device is attached it will have another Device Install. You could use this information to get an idea of device usage frequency.
Full Path: C:\Windows\System32\winevt\Logs\System.evtx
Notes: In testing, I always saw three sets of event IDs 20003 & 20001 that corresponded with the first ever connection of the device to the system. These three sets contain the DCID, UIID, Vendor and Product ID.
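The setupapi.dev.log reading described above (first Device Install for a UIID, monthly cleanup handler runs, repeat installs after a cleanup as a usage-frequency hint) is worked through below as an added example; it is not code from the DPMForensics sheet. The `>>>  [...]` header and `>>>  Section start` line shapes follow the Windows 7 setupapi.dev.log layout, while the device instance and timestamps in `SAMPLE_LOG` are constructed.

```python
"""Added example (not from the DPMForensics sheet): pull Device Install and
Disk Cleanup Handler sections out of setupapi.dev.log lines."""
import re
from datetime import datetime

# Section header for a hardware-initiated install of a USBSTOR device.
INSTALL_RE = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - (?P<instance>USBSTOR\\[^\]]+)\]")
# Section header for the periodic 'not-recently detected devices' cleanup.
CLEANUP_RE = re.compile(r"^>>>\s+\[Device and Driver Disk Cleanup Handler\]")
# The timestamp lives on the 'Section start' line that follows each header.
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def parse_setupapi(lines):
    """Return ({UIID: [install datetimes]}, [cleanup datetimes]).
    A header is held as 'pending' until its Section start line supplies the time."""
    installs, cleanups, pending = {}, [], None
    for line in lines:
        m = INSTALL_RE.match(line)
        if m:
            # UIID is the last path component of the device instance id.
            pending = ("install", m.group("instance").rsplit("\\", 1)[1])
            continue
        if CLEANUP_RE.match(line):
            pending = ("cleanup", None)
            continue
        m = START_RE.match(line)
        if m and pending:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            kind, uiid = pending
            if kind == "install":
                installs.setdefault(uiid, []).append(ts)
            else:
                cleanups.append(ts)
            pending = None
    return installs, cleanups


def first_connected(installs, uiid):
    """Earliest Device Install for the UIID, i.e. first time ever connected."""
    return min(installs[uiid]) if uiid in installs else None


def reinstalls_after_cleanup(installs, cleanups, uiid):
    """Installs that follow a cleanup run: the device was attached again
    after being aged out, which is the usage-frequency hint the sheet mentions."""
    if uiid not in installs or not cleanups:
        return 0
    return sum(1 for ts in installs[uiid] if ts > min(cleanups))


# Constructed log excerpt in the Windows 7 setupapi.dev.log layout.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001234567890123&0]
>>>  Section start 2014/10/09 14:21:05.123
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2014/10/09 14:21:07.456
<<<  [Exit status: SUCCESS]
>>>  [Device and Driver Disk Cleanup Handler]
>>>  Section start 2014/11/10 03:00:12.001
     cmd: C:\Windows\system32\svchost.exe -k netsvcs
<<<  Section end 2014/11/10 03:00:12.345
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001234567890123&0]
>>>  Section start 2014/11/20 09:02:44.789
<<<  Section end 2014/11/20 09:02:45.100
<<<  [Exit status: SUCCESS]
""".strip().splitlines()

if __name__ == "__main__":
    inst, clean = parse_setupapi(SAMPLE_LOG)
    uiid = "4C530001234567890123&0"
    print("first connected:", first_connected(inst, uiid))
    print("installs after cleanup:", reinstalls_after_cleanup(inst, clean, uiid))
```

Because a cleanup run removes the device's install state, the second Device Install in the sample is a re-attach after aging out, not a first connection; only the earliest timestamp answers "first time ever connected".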
First Time Connected Since Last Session Used
Full Path: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\[DCID]\[UIID]
Notes: Last Written Timestamp.
Full Path: HKLM\SYSTEM\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\[WBER Value]
Notes: Last Written Timestamp.
Full Path: HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#[DCID]#[UIID]#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Notes: Last Written Timestamp.
Full Path: HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\[WBER Value]#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Notes: Last Written Timestamp. Only devices that had a WBER Value were seen to have this key.
Full Path: HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\{6ac27878-a6fa-4155-ba85-f98f491d4f33}\##?#WpdBusEnumRoot#UMB#[WBER Value]#{6ac27878-a6fa-4155-ba85-f98f491d4f33}
Notes: Last Written Timestamp. Only devices that had a WBER Value were seen to have this key.
Full Path: HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}\##?#USB#[Vendor ID & Product ID]#[UIID]#{a5dcbf10-6530-11d2-901f-00c04fb951ed}
Notes: Last Written Timestamp.
Last Time Connected Since Last Session Used
Full Path: HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_[Vendor ID]&PID_[Product ID]\[UIID]
Notes: Last Written Timestamp. Will have the same timestamp as the row above if the device was only connected once in its last session.
Full Path: HKLM\SYSTEM\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\[WBER Value]\Device Parameters
Notes: Last Written Timestamp. Will have the same timestamp as the row above if the device was only connected once in its last session.
Full Path: HKU\[USER]\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\[Volume GUID]
Notes: Last Written Timestamp. This is the last time it was connected to this particular user account since the last session it was used in.
USB Sessions
Full Path: C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx
Notes: Devices containing a WBER Value were observed to have their sessions recorded in this event log. Event IDs 1003, 2000, 2001, and 1004 were seen when a device was connected to the system. The events contain the DCID and the lifetime GUID associated with the device (some events will refer to the device only by this GUID). Event IDs 1006, 2900, 2901, and 1008 were seen when a device was disconnected from the system, regardless of whether it was 'safely ejected' or not. Note, devices without a WBER Value did not have entries in this event log.
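Turning the connect and disconnect event IDs listed above into sessions, as an added example (not code from the DPMForensics sheet): each transition writes several event IDs, so only the first ID of each class opens or closes a session, and a session still open at the end of the log is reported with no disconnect time. The events are constructed (timestamp, event ID, lifetime GUID) tuples standing in for values pulled from the log's EventData; the lifetime GUID is made up.

```python
"""Added example (not from the DPMForensics sheet): pair the connect-class and
disconnect-class event IDs from the DriverFrameworks-UserMode log into sessions."""

# Event IDs the sheet associates with a device arriving and leaving.
CONNECT_IDS = {1003, 2000, 2001, 1004}
DISCONNECT_IDS = {1006, 2900, 2901, 1008}


def build_sessions(events):
    """events: (ISO timestamp, event id, lifetime GUID) tuples.
    Returns {guid: [(connected, disconnected or None), ...]} in time order.
    Only the first connect-class event opens a session and only the first
    disconnect-class event closes it, so the extra IDs of each transition do
    not inflate the count. An open session at end of log means the device was
    still attached, or the log rolled over before the disconnect was written."""
    sessions, open_at = {}, {}
    for ts, eid, guid in sorted(events):
        if eid in CONNECT_IDS and guid not in open_at:
            open_at[guid] = ts
        elif eid in DISCONNECT_IDS and guid in open_at:
            sessions.setdefault(guid, []).append((open_at.pop(guid), ts))
    for guid, ts in open_at.items():
        sessions.setdefault(guid, []).append((ts, None))
    return sessions


def session_count(sessions, guid):
    """Number of connect/disconnect pairs recorded for one device lifetime GUID."""
    return len(sessions.get(guid, []))


# Constructed sample: one full session, then a second attach with no
# disconnect yet. The GUID is made up for the example.
G = "{0f7a2c41-3b5e-4d6f-9a8b-1c2d3e4f5a6b}"
SAMPLE_EVENTS = [
    ("2014-10-09T14:21:05", 1003, G), ("2014-10-09T14:21:05", 2000, G),
    ("2014-10-09T14:21:06", 2001, G), ("2014-10-09T14:21:06", 1004, G),
    ("2014-10-09T15:02:11", 1006, G), ("2014-10-09T15:02:11", 2900, G),
    ("2014-10-09T15:02:12", 2901, G), ("2014-10-09T15:02:12", 1008, G),
    ("2014-10-09T16:40:00", 1003, G), ("2014-10-09T16:40:00", 2000, G),
]

if __name__ == "__main__":
    for guid, spans in build_sessions(SAMPLE_EVENTS).items():
        for start, end in spans:
            print(guid, start, "->", end or "(still attached at end of log)")
```

Since the disconnect IDs appear whether or not the device was safely ejected, the session end time cannot be used to distinguish an eject from a pull; it only bounds when the device was present.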
