Analyzing USB Entries in Windows 7

With the proliferation of cheap external USB devices, it is becoming incumbent on examiners to determine if any USB attached storage has connected to the computer.

The cases are varied: corporate, civil, or criminal.  Regardless, knowing that an external USB attached storage device has been connected to the computer, and more importantly who connected the device, can have a huge impact on your examinations.

It’s All Here

Most forensic tools will show USB connections.  BlackLight displays connected USB artifacts under Actionable Intelligence ➔ Device Connections.

Figure 1:  Connected devices in BlackLight (Actionable Intelligence ➔ Device Connections)

But the question is, how does the magic happen? The answer lies in several registry keys and a Windows system file.  So roll up your sleeves and prepare to get dirty.

But first a word of caution.  In a perfect world, this would be easy.  All USB devices would register with Windows, and would have unique serial numbers.  This of course is not a perfect world, but a forensics world, where things don’t always go as planned.

Our Scenario

We are going to look at the following device:

User: Josh
Friendly Name: Testing
Serial Number: 1492806372260023
Make: AData

USB Store (System\ControlSet##\Enum\USBSTOR)

This registry entry tracks USB storage devices that have been connected to the computer.  This is where Windows will record the manufacturer information along with the serial number as read from the device.

Figure 2: Viewing USBSTOR in registry view

Determine The Volume Name

The volume name of the attached USB device may be found by searching for the USB device manufacturer name and serial number in the System\ControlSet##\WpdBusEnumRoot\UMB.

Figure 3: Showing “FriendlyName” of the device in System\ControlSet##\WpdBusEnumRoot\UMB

Determine The Mount Point (Drive Letter)

When a volume is mounted to a Windows computer, it is assigned a drive letter.  The volumes that have been mounted and the assigned drive letters are stored in the following registry entry:

\System\MountedDevices

Locating the USB drive’s manufacturer name and serial number in this registry key may provide examiners with the drive letter of the volume.

Figure 4: Locating USB drive in \System\MountedDevices

Beyond the mount point, this registry entry also lists the GUID for this volume, which is needed to determine which user connected this volume to the computer.

GUID:  4fc1d384-d99c-11e5-821c-8ed5942a608e

Now a point of caution: Windows only tracks the last device that has been assigned a particular drive letter (D, E, F, etc.).  Therefore the USB drive in question may not have a recorded drive letter.

Determine When The Device Was First Connected

When any USB device is connected to a Windows system, drivers are required to be installed to allow Windows to interact with the device.  These records are found in:

\Windows\inf\setupapi.dev.log.

Searching through this log for the serial number of the device will find entries relating to the installation of the driver for this device.

Figure 5:  Searching the setupapi.dev.log for the serial number of USB drive

It should be noted that the dates and times listed in this log are in local time (using the offset applied to the computer at the time of entry).  BlackLight converts these dates and times in Actionable Intelligence ➔ Device Connections to UTC for consistency.

Determine Which User Mounted The USB Drive

Obviously if there is only one user on the computer, this may not be an issue.  But, if there are multiple users on a computer, it is essential to know who attached the USB drive to the computer.

To do this, examine the following user registry key:

\NTUSER\<username>\Software\Microsoft\Windows\Explorer\MountPoints2

Volumes mounted by each user are listed by the GUID that was located in the MountedDevices registry key.

Figure 6: Volume GUID shown in \NTUSER\<Username>\Software\Microsoft\Windows\Explorer\MountPoints2

The Last Write Time listed is the last time this device was connected (by that user).

Putting all this together we can clarify the picture of who, what, and where, as it pertains to USB drives. Thankfully, we don’t have to do this for all USB entries.
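A worked version of this chain in code, added here as an example and not part of the original post: the MountedDevices values, the per-user MountPoints2 entries and the setupapi.dev.log excerpt are constructed to match the scenario above, the product string in the device path and the UTC offset are assumptions, and a real hive would first be read with a registry parser.

```python
import re
from datetime import datetime, timedelta, timezone
SERIAL = "1492806372260023"  # serial from the scenario above
# Constructed MountedDevices values (name -> raw data). USB volumes are stored as a UTF-16LE
# USBSTOR device path holding vendor, product and serial; fixed disks are binary blobs.
DEVICE = ("_??_USBSTOR#Disk&Ven_AData&Prod_USB_Flash_Drive&Rev_1.00#"  # product string assumed
          + SERIAL + "&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
MOUNTED_DEVICES = {
    "\\DosDevices\\C:": b"\x11" * 12,
    "\\DosDevices\\E:": DEVICE,
    "\\??\\Volume{4fc1d384-d99c-11e5-821c-8ed5942a608e}": DEVICE,
}
# Constructed MountPoints2 subkeys per user: {user: {subkey name: key last write time (UTC)}}
MOUNTPOINTS2 = {
    "Josh": {"{4fc1d384-d99c-11e5-821c-8ed5942a608e}": datetime(2016, 2, 22, 20, 10, tzinfo=timezone.utc)},
    "Alice": {"{00000000-0000-0000-0000-000000000001}": datetime(2016, 1, 5, 9, 0, tzinfo=timezone.utc)},
}
# Constructed excerpt in the layout of setupapi.dev.log; its timestamps are local time.
SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_AData&Prod_USB_Flash_Drive&Rev_1.00\\1492806372260023&0]
>>>  Section start 2016/02/22 14:03:51.123
"""

def mounted_usb_entries(mounted_devices, serial):
    """Drive letters and volume GUIDs whose MountedDevices data names a USBSTOR device with this serial."""
    hits = {"letters": [], "guids": []}
    for name, data in mounted_devices.items():
        text = data.decode("utf-16-le", errors="ignore")
        if not text.startswith("_??_USBSTOR#") or serial not in text:
            continue
        if name.startswith("\\DosDevices\\"):
            hits["letters"].append(name[-2:])  # e.g. "E:"; only the last device per letter survives
        m = re.search(r"Volume(\{[0-9a-f-]{36}\})", name, re.I)
        if m:
            hits["guids"].append(m.group(1).lower())
    return hits

def users_for_guids(mountpoints2, guids):
    """Map each volume GUID to the users whose MountPoints2 lists it, with the key's last write time."""
    return {g: {u: keys[g] for u, keys in mountpoints2.items() if g in keys} for g in guids}

def first_install_utc(log_text, serial, local_utc_offset_hours):
    """UTC time of the first 'Section start' following a device-install header naming the serial."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(">>>  [Device Install") and serial in line:
            m = re.search(r"Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})", lines[i + 1])
            local = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            return local.replace(tzinfo=timezone(timedelta(hours=local_utc_offset_hours))).astimezone(timezone.utc)
    return None
```

The offset passed to first_install_utc must be the one the machine was using when the entry was written, because the log itself records only local time.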
