CEIC Day 1

Forensic Tracking of USB Devices

This session will provide methodologies for forensic investigation of USB attached storage devices

This lab walked the student through USB, USBSTOR, MountPoints and MountPoints2, and how XP, Vista and Windows 7 each track the use of USB devices within the Registry. Of specific interest was the analysis of Last Written values and the conclusions that can be drawn from each one.

Not a bad class – but unfortunately it went a long way to show that a USB device was inserted, and when; but not much in to the analysis of how it was used, and the often-asked “what files did the terminated employee take”.

Two things I learned however:

The Last Written timestamp of the iSerial key value pair is only updated after reboot. In other words, if I insert a thumb drive four times during the same session, the Last Written will NOT change. If I reboot and insert the USB thumb drive, the Last Written does update. I’ll be testing this myself.

The presenter indicated that a LNK file to the VOLUME on the inserted USB device is always created when the USB device is inserted. Regardless of the presence of LNK files showing activity, there is always a LNK file to the volume itself – owned by the user. Another indicator of attribution. I’ll be testing this also.

Malware Reloaded

Last year, we hacked away at simple web based malware (Ed: javascript drivebys). This year we will do a refresher of those techniques and tools, as well as cover some more advanced …. and focus on newer attack vectors.

Unfortunately the advanced and newer attack vectors were considered XSS, XSRF, click-jacking (kinda new), SQL injection and flash-actionscript/pdf-javascript (kinda new); so these aren’t exactly new nor advanced. Still it was a good presentation that focused on a custom designed website deliberately created to be bad at input validation and vulnerable to SQL injection. Furthermore, the demonstration of the request forgery was also good.
A suggested improvement to the presentation would have been a 4n6 examination to identify file system and log artifacts to corroborate the suspected attack.