CEIC Day 1
Posted by Paul Bobby on May 17, 2009
Forensic Tracking of USB Devices
This session will provide methodologies for forensic investigation of USB-attached storage devices.
This lab walked the student through USB, USBSTOR, MountPoints and MountPoints2, and how XP, Vista and Windows 7 each track the use of USB devices within the Registry. Of specific interest was the analysis of Last Written values and the conclusions that can be drawn from each one.
Not a bad class – but unfortunately it went a long way to show that a USB device was inserted, and when; but not much into the analysis of how it was used, or the often-asked question, “what files did the terminated employee take?”
Two things I learned, however:
- The Last Written timestamp of the iSerial key value pair is only updated after reboot. In other words, if I insert a thumb drive four times during the same session, the Last Written will NOT change. If I reboot and insert the USB thumb drive, the Last Written does update. I’ll be testing this myself.
- The presenter indicated that a LNK file to the VOLUME on the inserted USB device is always created when the USB device is inserted. Regardless of the presence of LNK files showing activity, there is always a LNK file to the volume itself – owned by the user. Another indicator of attribution. I’ll be testing this also.
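A quick way to check the first claim yourself is to dump every USBSTOR device instance together with the registry LastWrite time of its instance key, insert the same thumb drive a few times, reboot, insert it again, and compare. The script below is an added example written for this post, not code from the CEIC lab or the presenter; it reads HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR read-only through Python's winreg module (Windows only, normally from an elevated prompt), and the device-class and instance-ID layouts it parses (Disk&Ven_x&Prod_y&Rev_z, and an instance ID whose second character is & meaning Windows generated it because the device reported no serial) are the standard Windows conventions. The sample key names in the comments are constructed for illustration.

```python
# Added example (not from the original post): list USBSTOR device entries
# with the LastWrite time of each instance key so the "LastWrite only
# changes after a reboot" claim can be checked by hand.
# collect_usbstor() needs Windows; the parsing helpers run anywhere.
import datetime
import sys

try:
    import winreg          # Windows only
except ImportError:        # e.g. on Linux, where only the helpers are usable
    winreg = None

USBSTOR_PATH = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"
WINDOWS_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC), as returned
    by winreg.QueryInfoKey(key)[2], to a timezone-aware datetime."""
    return WINDOWS_EPOCH + datetime.timedelta(microseconds=filetime // 10)


def parse_device_class(name):
    """Split a USBSTOR device-class key name (constructed sample:
    'Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00') into its fields."""
    parts = name.split("&")
    fields = {"type": parts[0], "vendor": None, "product": None, "revision": None}
    for part in parts[1:]:
        if part.startswith("Ven_"):
            fields["vendor"] = part[4:]
        elif part.startswith("Prod_"):
            fields["product"] = part[5:]
        elif part.startswith("Rev_"):
            fields["revision"] = part[4:]
    return fields


def parse_instance_id(instance_id):
    """Return (serial, windows_generated). If the second character is '&'
    (constructed sample: '7&1a2b3c4d&0') Windows synthesised the ID because the
    device reported no serial number; otherwise the text before '&0'
    (constructed sample: '4C530001234567890123&0') is the device's iSerial."""
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    serial = None if generated else instance_id.split("&")[0]
    return serial, generated


def collect_usbstor():
    """Enumerate HKLM\\...\\Enum\\USBSTOR and return one dict per device
    instance, including the LastWrite time of that instance's key.
    Read-only; requires Windows (winreg)."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    rows = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USBSTOR_PATH) as usbstor:
        for i in range(winreg.QueryInfoKey(usbstor)[0]):
            class_name = winreg.EnumKey(usbstor, i)
            with winreg.OpenKey(usbstor, class_name) as class_key:
                for j in range(winreg.QueryInfoKey(class_key)[0]):
                    inst_name = winreg.EnumKey(class_key, j)
                    with winreg.OpenKey(class_key, inst_name) as inst_key:
                        last_write = winreg.QueryInfoKey(inst_key)[2]
                        try:
                            friendly = winreg.QueryValueEx(inst_key, "FriendlyName")[0]
                        except FileNotFoundError:
                            friendly = None
                    serial, generated = parse_instance_id(inst_name)
                    row = parse_device_class(class_name)
                    row.update(instance=inst_name, serial=serial,
                               serial_generated=generated, friendly_name=friendly,
                               last_write=filetime_to_datetime(last_write))
                    rows.append(row)
    return rows


if __name__ == "__main__":
    if winreg is None:
        sys.exit("collect_usbstor() must be run on Windows")
    for row in sorted(collect_usbstor(), key=lambda r: r["last_write"]):
        print(f"{row['last_write']:%Y-%m-%d %H:%M:%S} UTC  "
              f"{row['vendor']} {row['product']}  "
              f"serial={row['serial'] or '(windows-generated)'}  {row['instance']}")
```

Run it once before inserting the device, once after each insertion in the same session, and once more after a reboot and a further insertion; only the last run should show a new LastWrite on that instance key if the presenter's claim holds. Note that LastWrite is a property of the key, not of any value inside it, so any write to the key (a driver update, a FriendlyName change) will also bump it.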
A suggested improvement to the presentation would have been a 4n6 examination to identify file system and log artifacts to corroborate the suspected attack.