Sunday, 7 April 2013

When a USB removable storage device, such as a thumb drive, is connected to a Windows system, footprints or artifacts are left in the Registry. When the device is plugged in, the Plug and Play (PnP) Manager receives the event and queries the device descriptor in the firmware (this information is not located within the storage area of the device) for information about the device, such as the manufacturer. The PnP Manager then uses this information to locate the appropriate driver for the device (based on the contents of .inf files) and, if necessary, loads that driver. (This activity is recorded in the setupapi.log file.) Once the device has been identified, a Registry key will be created beneath the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR
Beneath this key, you will see subkeys that look like:
Disk&Ven_###&Prod_###&Rev_###
This subkey represents the device class identifier, since it identifies a specific class of device. The fields represented by ### are filled in by the PnP Manager based on information found in the device descriptor. For example, I have a 4GB HP thumb drive that I purchased from a local store; the class ID for the device looks like this:
Disk&Ven_hp&Prod_v240b&Rev_1100
Once the device class ID has been created, a unique instance identifier needs to be created for the specific device. Notice the red rectangle in the Figure. The enclosed value is a unique instance identifier for the device, similar to the MAC address of a network interface card. This value is used as the unique instance ID for the device so that multiple devices of the same class (two 4GB HP thumb drives, for instance) can be uniquely identified on the system. From the USB FAQ: Intermediate:
If the device has a serial number, Microsoft requires that the serial number uniquely identify each instance of the same device. For example, if two device descriptors have identical values for the idVendor, idProduct, and bcdDevice fields, the iSerialNumber field will distinguish one from the other.
Figure: Snapshot of RegEdit showing the device class ID and the unique instance ID
Although a unique serial number is required for devices that manufacturers want to qualify for the Windows Logo program, not all devices include a serial number. For devices that do not have a serial number, the PnP Manager will create a unique instance ID for that device, which will look similar to the following:
6&26c97b61&0
Notice that the second character is an ampersand (&). If you see a unique instance ID beneath the USBStor key that looks like this, you know that the device that was plugged into the system does not have a serial number in its device descriptor. So, if the unique instance ID does not have an & as the second character, you might be able to identify the unique device that was connected to the system. In cases involving multiple systems and storage media, investigators should be sure to include the use of UVCView in their methodology so that the devices can later be tied to the system, not only through Registry artifacts in the USBSTOR key but also in the MountedDevices key as well as in Shortcuts and other references to files located on the system.
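As an added example (not code from the original post), the following Python script parses USBSTOR subkey paths of the form described above into the device class ID fields and the unique instance ID, and applies the second-character ampersand rule to tell a firmware serial number from a PnP-generated ID. The key paths are constructed samples; on a live system they would be read from the USBSTOR key itself.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample subkey paths beneath HKLM\System\CurrentControlSet\Enum\USBSTOR,
# written as "<device class ID>\<unique instance ID>". The first two carry a serial
# number taken from the device descriptor; the third is a PnP-generated ID.
SAMPLE_USBSTOR_KEYS = [
    r"Disk&Ven_hp&Prod_v240b&Rev_1100\AA04012700008702&0",
    r"Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_1.00\000FEAFB797DF99122CF0B47&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&26c97b61&0",
]

# Device class ID layout: <type>&Ven_<vendor>&Prod_<product>&Rev_<revision>
CLASS_ID_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$"
)


@dataclass
class UsbStorDevice:
    device_type: str
    vendor: str
    product: str
    revision: str
    instance_id: str
    has_serial: bool
    serial: Optional[str]


def parse_usbstor_key(path: str) -> UsbStorDevice:
    """Split one USBSTOR subkey path into its class ID fields and instance ID."""
    class_id, sep, instance_id = path.partition("\\")
    if not sep or not instance_id:
        raise ValueError(f"expected '<class id>\\<instance id>', got {path!r}")
    m = CLASS_ID_RE.match(class_id)
    if m is None:
        raise ValueError(f"unrecognised device class ID {class_id!r}")
    # An '&' in the second position marks an ID that the PnP Manager generated
    # because the device descriptor has no serial number (e.g. "6&26c97b61&0").
    has_serial = len(instance_id) > 1 and instance_id[1] != "&"
    # Serial-number IDs look like "<iSerialNumber>&<n>"; keep the serial part only.
    serial = instance_id.split("&", 1)[0] if has_serial else None
    return UsbStorDevice(
        device_type=m.group("type"),
        vendor=m.group("ven"),
        product=m.group("prod"),
        revision=m.group("rev"),
        instance_id=instance_id,
        has_serial=has_serial,
        serial=serial,
    )


def summarise(paths: List[str]) -> List[UsbStorDevice]:
    """Parse every USBSTOR subkey path in the list."""
    return [parse_usbstor_key(p) for p in paths]


if __name__ == "__main__":
    for dev in summarise(SAMPLE_USBSTOR_KEYS):
        origin = f"serial {dev.serial}" if dev.has_serial else "no serial (PnP-generated ID)"
        print(f"{dev.vendor:<10} {dev.product:<18} rev {dev.revision:<5} -> {origin}")
```

Devices reported with a serial can be matched to the physical device (for example with UVCView); devices reported with a PnP-generated ID cannot be tied to a specific unit from this key alone.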
Once the unique instance identifier key has been created, the key is then populated with several values, including a FriendlyName. The value of interest to investigators will be the ParentIdPrefix value. The ParentIdPrefix value can be retrieved from the following key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\MountedDevices
Beneath this key, there are several values, as shown below:
Figure: RegEdit showing the values beneath the MountedDevices key
Some of these value names start with \DosDevices\ followed by a drive letter, e.g. \DosDevices\H:. To see which device a drive letter maps to, right-click the value and choose Modify. In the right-most column of the “Edit Binary Value” dialog, characters like the following appear:
Figure: The Edit Binary Value dialog for a \DosDevices\ value, with the ParentIdPrefix highlighted

In this example, the following characters appear:
_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_1.00#000FEAFB797DF99122CF0B#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
The highlighted value is the ParentIdPrefix for the selected device.
Microsoft does not provide any information regarding how this value is created or whether this value is unique across Windows systems. However, the ParentIdPrefix value can be used to correlate additional information from within the Registry. For example, using both the unique instance identifier and the ParentIdPrefix, we can determine the last time that the USB device was connected to the Windows system. On a live system, you need to navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
You’ll see a number of subkeys beneath this key. The specific device classes that we’re interested in are {53f56307-b6bf-11d0-94f2-00a0c91efb8b} and {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}. These two classes are defined in the ntddstor.h header file as the globally unique identifiers (GUIDs) for the disk and volume device interfaces, respectively. Navigating to the first GUID, which reveals information about the USB devices that have been attached to the system before, we see a number of subkeys with some really long names, as shown below:
Figure: RegEdit showing the subkeys beneath the disk device interface GUID under DeviceClasses
Among them we see a subkey with the following name:
##?#USBSTOR#Disk&Ven_hp&Prod_v240b&Rev_1100#AA04012700008702&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
For the purpose of this example, I’ve highlighted the unique instance identifier (in this case, the serial number of the device) to illustrate where within the key name the ID is located. The LastWrite time of this key corresponds to the last time the disk device was connected to the system. We can also conduct the same correlation with the Volume device interface GUID, using the ParentIdPrefix for the device, as follows:
##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_1.00#000FEAFB797DF99122CF0B47&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Again, I’ve highlighted the ParentIdPrefix within the device subkey to illustrate where it can be found. The LastWrite time of this key corresponds to the last time the volume was connected to the system. To determine the last write time for a specific USB device, export the corresponding key as a plain text file and open it. It will display the LastWriteTime of that key.
Figure: Text export of a DeviceClasses subkey showing its Last Write Time
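As an added example (not code from the original post), the Python script below carries the MountedDevices and DeviceClasses correlation through offline: it decodes the REG_BINARY data of \DosDevices\ values (UTF-16LE device paths for USB devices, skipping the 12-byte signature blobs that fixed disks use), pulls the unique instance ID out of both those values and the DeviceClasses subkey names, and reports per device which drive letter it was mounted as and under which interface GUIDs it appears. It also reads the Last Write Time line from a key exported as a text file. All registry data and the text export are constructed samples; the header layout of the text export ("Key Name:", "Class Name:", "Last Write Time:") and the US-style timestamp are assumptions about RegEdit's output.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Device interface GUIDs from ntddstor.h (disk and volume), as used under DeviceClasses.
GUID_DISK = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
GUID_VOLUME = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

# Matches the USBSTOR device interface path that appears in MountedDevices data
# (after "\??\") and in DeviceClasses subkey names (after "##?#").
DEVICE_PATH_RE = re.compile(
    r"USBSTOR#(?P<class_id>[^#]+)#(?P<instance_id>[^#]+)#(?P<guid>\{[0-9A-Fa-f-]{36}\})"
)

# Constructed MountedDevices values: name -> REG_BINARY data. The H: entry is the
# UTF-16LE device path stored for a USB device; the C: entry mimics a fixed disk,
# whose data is a 12-byte disk signature + partition offset rather than text.
SAMPLE_MOUNTED_DEVICES: Dict[str, bytes] = {
    r"\DosDevices\C:": bytes.fromhex("8a1b2c3d0010000000000000"),
    r"\DosDevices\H:": (
        "\\??\\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_1.00"
        "#000FEAFB797DF99122CF0B47&0#" + GUID_DISK
    ).encode("utf-16-le"),
}

# Constructed DeviceClasses subkey names, keyed by the interface GUID they sit under.
SAMPLE_DEVICE_CLASSES: Dict[str, List[str]] = {
    GUID_DISK: [
        "##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_G2&Rev_1.00#000FEAFB797DF99122CF0B47&0#" + GUID_DISK,
        "##?#USBSTOR#Disk&Ven_hp&Prod_v240b&Rev_1100#AA04012700008702&0#" + GUID_DISK,
    ],
    GUID_VOLUME: [
        "##?#USBSTOR#Disk&Ven_hp&Prod_v240b&Rev_1100#AA04012700008702&0#" + GUID_VOLUME,
    ],
}

# Constructed text in the assumed layout RegEdit writes when a key is exported as a text file.
SAMPLE_TEXT_EXPORT = """\
Key Name:          HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\##?#USBSTOR#Disk&Ven_hp&Prod_v240b&Rev_1100#AA04012700008702&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Class Name:        <NO CLASS>
Last Write Time:   4/7/2013 - 10:15 AM
"""


def decode_mounted_device(data: bytes) -> Optional[str]:
    """Return the device path held in a MountedDevices value, or None for non-text data."""
    if len(data) % 2:
        return None
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.startswith("\\??\\") else None


def parse_device_path(text: str) -> Optional[Dict[str, str]]:
    """Extract class ID, instance ID and interface GUID from a USBSTOR device path."""
    m = DEVICE_PATH_RE.search(text)
    if m is None:
        return None
    return {"class_id": m.group("class_id"), "instance_id": m.group("instance_id"),
            "guid": m.group("guid").lower()}


def correlate(mounted: Dict[str, bytes], device_classes: Dict[str, List[str]]) -> Dict[str, Dict[str, list]]:
    """Index artifacts by instance ID: drive letters from MountedDevices and the
    interface GUIDs under which DeviceClasses has a subkey for the device."""
    report: Dict[str, Dict[str, list]] = {}

    def entry(instance_id: str) -> Dict[str, list]:
        return report.setdefault(instance_id, {"drive_letters": [], "interfaces": []})

    prefix = "\\DosDevices\\"
    for name, data in mounted.items():
        text = decode_mounted_device(data)
        fields = parse_device_path(text) if text else None
        if fields and name.startswith(prefix):
            entry(fields["instance_id"])["drive_letters"].append(name[len(prefix):])
    for guid, subkeys in device_classes.items():
        for subkey in subkeys:
            fields = parse_device_path(subkey)
            if fields:
                entry(fields["instance_id"])["interfaces"].append(guid.lower())
    return report


def last_write_from_text_export(text: str) -> Optional[datetime]:
    """Read the Last Write Time line of a text-file key export (assumed RegEdit layout)."""
    m = re.search(r"^Last Write Time:\s*(.+?)\s*$", text, re.MULTILINE)
    if m is None:
        return None
    # RegEdit prints the timestamp in the system's short date/time format; this
    # pattern matches the US-style value in the constructed sample.
    return datetime.strptime(m.group(1), "%m/%d/%Y - %I:%M %p")


if __name__ == "__main__":
    for instance_id, info in correlate(SAMPLE_MOUNTED_DEVICES, SAMPLE_DEVICE_CLASSES).items():
        print(instance_id, "drive letters:", info["drive_letters"], "interfaces:", info["interfaces"])
    print("last write:", last_write_from_text_export(SAMPLE_TEXT_EXPORT))
```

The report keys on the instance ID because that is the one token shared by the USBSTOR subkey, the MountedDevices data and the DeviceClasses subkey name; a device that appears under a DeviceClasses GUID but has no \DosDevices\ entry was connected at some point but is not currently assigned a drive letter.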
Hope that this blog will help you all.
