With the proliferation of cheap external USB devices, it is becoming incumbent on examiners to determine if any USB attached storage has connected to the computer.
The cases are varied: corporate, civil, or criminal. Regardless, knowing that an external USB attached storage device has been connected to the computer, and more importantly who connected the device, can have a huge impact on your examination.
It’s All Here
Most forensic tools will show USB connections. BlackLight displays connected USB artifacts under Actionable Intelligence ➔ Device Connections.
Figure 1: Connected devices in BlackLight (Actionable Intelligence ➔ Device Connections)
But the question is, how does the magic happen? The answer lies in several registry keys and a Windows system file. So roll up your sleeves and prepare to get dirty.
But first a word of caution. In a perfect world, this would be easy. All USB devices would register with Windows, and would have unique serial numbers. This of course is not a perfect world, but a forensics world, where things don’t always go as planned.
We are going to look at the following device:
Friendly Name: Testing
Serial Number: 1492806372260023
USB Store (System\ControlSet##\Enum\USBSTOR)
This registry entry tracks USB storage devices that have been connected to the computer. This is where Windows will record the manufacturer information along with the serial number as read from the device.
Figure 2: Viewing USBSTOR in registry view
Determine The Volume Name
The volume name of the attached USB device may be found by searching for the USB device manufacturer name and serial number in the System\ControlSet##\WpdBusEnumRoot\UMB key.
Figure 3: Showing “FriendlyName” of the device in System\ControlSet##\WpdBusEnumRoot\UMB
Determine The Mount Point (Drive Letter)
When a volume is mounted to a Windows computer, it is assigned a drive letter. The volumes that have been mounted and the assigned drive letters are stored in the following registry entry: System\MountedDevices
Locating the USB drive’s manufacturer name and serial number in this registry key may provide examiners with the drive letter of the volume.
Figure 4: Locating the USB drive in System\MountedDevices
Beyond the mount point, this registry entry also lists the GUID for this volume, which is needed to determine which user connected this volume to the computer.
Now a point of caution: Windows only tracks the last device that has been assigned a particular drive letter (D, E, F, etc.). Therefore the USB drive in question may not have a recorded drive letter.
Determine When The Device Was First Connected
When any USB device is connected to a Windows system, drivers must be installed to allow Windows to interact with the device. These records are found in the setupapi.dev.log file.
Searching through this log for the serial number of the device will find entries relating to the installation of the driver for this device.
Figure 5: Searching the setupapi.dev.log for the serial number of USB drive
It should be noted that the dates and times listed in this log are in local time (using the offset applied to the computer at the time of entry). BlackLight converts these dates and times in Actionable Intelligence ➔ Device Connections to UTC for consistency.
Determine Which User Mounted The USB Drive
Obviously if there is only one user on the computer, this may not be an issue. But, if there are multiple users on a computer, it is essential to know who attached the USB drive to the computer.
To do this, examine the following user registry key: NTUSER\<Username>\Software\Microsoft\Windows\Explorer\MountPoints2
Volumes mounted by each user are listed by the GUID that was located in the MountedDevices registry key.
Figure 6: Volume GUID shown in \NTUSER\<Username>\Software\Microsoft\Windows\Explorer\MountPoints2
The Last Write Time listed is the last time this device was connected (by that user).
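The correlation walked through above (MountedDevices for the drive letter and volume GUID, MountPoints2 for the user, setupapi.dev.log for the first install time) can be scripted once the hives and log have been exported. The following is an added example, not BlackLight's code or the post's; the registry values, MountPoints2 key names and log lines are constructed samples built around the serial number used in this post.

```python
import re
from datetime import datetime

# Constructed MountedDevices values (name -> REG_BINARY). A USB volume's data is its
# UTF-16LE device path; a fixed disk's is a 12-byte MBR signature + partition offset.
DEV_PATH = ("_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07"
            "#1492806372260023&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
MOUNTED_DEVICES = {
    "\\DosDevices\\E:": DEV_PATH.encode("utf-16-le"),
    "\\??\\Volume{4c3b2a19-0000-0000-0000-100000000000}": DEV_PATH.encode("utf-16-le"),
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d40010000000000000"),
}
# Constructed MountPoints2 subkey names, as read from each user's NTUSER.DAT.
MOUNTPOINTS2 = {
    "alice": ["{4c3b2a19-0000-0000-0000-100000000000}", "{9d8c7b6a-0000-0000-0000-200000000000}"],
    "bob": ["{9d8c7b6a-0000-0000-0000-200000000000}"],
}
# Constructed lines in setupapi.dev.log layout; its timestamps are local time, not UTC.
SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\1492806372260023&0]
>>>  Section start 2017/04/21 14:26:12.260
<<<  Section end 2017/04/21 14:26:14.001
"""

def decode_mounted_devices(values, serial):
    """Return (drive letters, volume GUIDs) whose USB device path carries `serial`."""
    letters, guids = [], []
    for name, data in values.items():
        path = data.decode("utf-16-le", errors="ignore")
        if "USBSTOR#" not in path or f"#{serial}&" not in path:
            continue  # fixed disk, another bus, or a different device
        if name.startswith("\\DosDevices\\"):
            letters.append(name.rsplit("\\", 1)[1])  # only the last device given this letter
        elif m := re.search(r"\{[0-9a-f-]{36}\}", name, re.I):
            guids.append(m.group(0).lower())  # the GUID to look up in MountPoints2
    return letters, guids

def users_for_guid(mountpoints2, guid):
    """Users whose MountPoints2 key holds this volume GUID, i.e. who mounted it."""
    return sorted(u for u, keys in mountpoints2.items() if guid.lower() in map(str.lower, keys))

def first_install_time(log_text, serial):
    """Local-time ISO timestamp of the first driver-install section naming `serial`."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.startswith(">>>  [Device Install") and serial in line:
            m = re.search(r"Section start (\S+ \S+)", lines[i + 1])
            if m:
                return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f").isoformat()
    return None
```

Because MountedDevices keeps only the last device per letter, an empty drive-letter list for a serial that does appear under a `\??\Volume{GUID}` name is expected, and the GUID path through MountPoints2 still identifies the user.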
Putting all this together, we can clarify the picture of who, what, and where as it pertains to USB drives. Thankfully, we don't have to do this by hand for all USB entries.