Wednesday, August 28, 2013

Daily Blog #66: Understanding the artifacts setupapi.log/setupapi.dev.log

Hello Reader,
            Friday is quickly coming up; have you made plans to spend your lunch hour with us? You can eat while we talk and then type your questions, so you can be polite and not talk with your mouth full. You can RSVP for the lunch here, https://plus.google.com/u/0/events/ccu3b7246h9sk16jpg79l2co9mo?authkey=CJ3X6u7G6PjlSw, and email me at dcowen@g-cpartners.com if you want to be on it!

            Today's post is relatively simple, but I think it needs to be addressed separately to be complete. Today we are going to talk about setupapi.log (XP/2000/2003), known in later versions as setupapi.dev.log (Vista/7/8).

Windows XP/2000/2003
Starting with Windows 2000, and continuing with Windows XP and 2003, the underlying installer system (SetupAPI) began logging, for debugging and troubleshooting purposes, every device and driver installation it performed. The log is called setupapi.log and lives directly under %systemdrive%\Windows. The underlying system and the registry configuration for this logging are detailed on the following MSDN page:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff550882(v=vs.85).aspx

By default the logging level is 0x00000020, which logs errors and warnings.


So this logfile captures every device installed on the system, with a timestamp for each installation and the driver (INF file and install section) that was selected for it. This is important for determining:
  • When external devices were plugged in for the first time
  • When a malicious driver was loaded onto a system
  • What drivers were loaded for an unknown device to determine its functionality
  • Proving a device was successfully installed and accessible

If you want to be exact in your interpretation of each logged line refer here:

Windows Vista/7/8
From Vista onward the SetupAPI log was split into two files, both located in %systemdrive%\Windows\inf:
setupapi.dev.log - Device and driver installations
setupapi.app.log - Application-initiated installations (for example, driver packages staged by setup programs)

The MSDN specification for these two logs can be found here:

The device log is similar to the prior version but the application log is new and is of interest. In order to interpret the setupapi.app.log you need to refer to the following device install codes:

I want to do some more research into this log as I've been finding some interesting entries relating to my use of a network scanner. I'll write a new blog post just about this file after we've done some testing.

The same type of data we talked about in the XP-era log can be found within these logs as well. If you have not been including this data in your analysis, make sure to do so! There are several factors about the setupapi logs that are important in your examination:
  • They are created by default and cannot be turned off without a registry change
  • They do not delete themselves, so you should have a record of every device ever plugged in (on Vista and later, also check %systemdrive%\Windows\inf for rotated copies named like setupapi.dev.YYYYMMDD_HHMMSS.log)
  • In an OS upgrade they remain in place and indicate when the new OS was installed
  • Many system cleaners focus on registry keys and miss the data located here
  • They are the most direct source of first plug-in times; note the timestamps are written in the system's local time, not UTC
  • If the OS is reinstalled, the log is plain text with distinctive section markers and is therefore carvable from unallocated space
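To make the two log formats concrete, here is an added example (my own code for this post, not a Microsoft tool) that parses the XP-style setupapi.log sections and the Vista/7/8-style setupapi.dev.log sections described above into a single timeline, and flags any installation whose driver INF came from outside %windir%\inf, which is the check you would run when looking for a driver that was dropped by an attacker rather than shipped by Windows. Both sample logs are constructed for the example: the device IDs, serial number, user name, INF path and the hex exit status are made up, and a real log carries many more informational lines between the markers the parser keys on.

```python
import re
from datetime import datetime

# Constructed sample in the XP/2000/2003 %windir%\setupapi.log format (not a real capture).
XP_LOG = r"""[2013/08/26 09:14:02 1532.19 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disksandisk_cruzer_blade____1.26,usbstor\disksandisk_cruzer_blade____
#-018 Searching for compatible ID(s): usbstor\disk,usbstor\raw
#I022 Found "USBSTOR\DISK" in C:\WINDOWS\inf\disk.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".
#I121 Device install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.26\4C530001230830120311&0" finished successfully.
"""

# Constructed sample in the Vista/7/8 %windir%\inf\setupapi.dev.log format (not a real capture).
DEV_LOG = r""">>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001230830120311]
>>>  Section start 2013/08/27 14:03:11.258
     ump: Creating Install Process: DrvInst.exe 14:03:11.305
     ndv: Driver INF Path: C:\Windows\INF\usbstor.inf
<<<  Section end 2013/08/27 14:03:13.482
<<<  [Exit status: SUCCESS]

>>>  [Device Install (DiInstallDriver) - C:\Users\bob\AppData\Local\Temp\netmon.inf]
>>>  Section start 2013/08/27 22:17:40.011
     ndv: Driver INF Path: C:\Users\bob\AppData\Local\Temp\netmon.inf
<<<  Section end 2013/08/27 22:17:41.900
<<<  [Exit status: FAILURE(0xe0000228)]
"""

# XP format: a "[date time pid.tid kind]" header opens a section; the #-/#I codes carry the detail.
XP_HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\d+\.\d+) (.+)\]$")
XP_HWID = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")
XP_FOUND = re.compile(r'^#I022 Found "([^"]+)" in ([^;]+);')
XP_DONE = re.compile(r'^#I121 Device install of "([^"]+)" finished successfully\.$')

# Vista+ format: ">>>" opens a section, "<<<" closes it; the INF path sits on an "ndv:" line.
DEV_START = re.compile(r"^>>>  \[Device Install \(([^)]+)\) - (.+)\]$")
DEV_TIME = re.compile(r"^>>>  Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})$")
DEV_INF = re.compile(r"^\s+ndv: Driver INF Path: (.+)$")
DEV_END = re.compile(r"^<<<  Section end (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})$")
DEV_EXIT = re.compile(r"^<<<  \[Exit status: (.+)\]$")


def parse_xp_log(text):
    """Return one dict per XP-style section: start (local time), kind, hwids, inf, device, status."""
    sections, cur = [], None
    for line in text.splitlines():
        m = XP_HEADER.match(line)
        if m:
            cur = {"format": "xp", "start": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                   "end": None, "pid_tid": m.group(2), "kind": m.group(3),
                   "hwids": [], "inf": None, "device": None, "status": None}
            sections.append(cur)
            continue
        if cur is None:
            continue
        if m := XP_HWID.match(line):
            cur["hwids"] = m.group(1).split(",")
        elif m := XP_FOUND.match(line):
            cur["inf"] = m.group(2).strip()
        elif m := XP_DONE.match(line):
            cur["device"], cur["status"] = m.group(1), "SUCCESS"
    return sections


def parse_dev_log(text):
    """Return one dict per Vista+ section: start/end (local time), kind, device, inf, status."""
    sections, cur = [], None
    for line in text.splitlines():
        m = DEV_START.match(line)
        if m:
            cur = {"format": "dev", "kind": m.group(1), "device": m.group(2),
                   "start": None, "end": None, "hwids": [], "inf": None, "status": None}
            sections.append(cur)
            continue
        if cur is None:
            continue
        if m := DEV_TIME.match(line):
            cur["start"] = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
        elif m := DEV_INF.match(line):
            cur["inf"] = m.group(1).strip()
        elif m := DEV_END.match(line):
            cur["end"] = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
        elif m := DEV_EXIT.match(line):
            cur["status"] = m.group(1)
    return sections


def flag_nonstandard_inf(sections, windir=r"C:\Windows"):
    """Sections whose driver INF was not read from %windir%\inf (the usual home of Windows' own INFs)."""
    inf_dir = (windir + r"\inf").lower()
    return [s for s in sections if s["inf"] and not s["inf"].lower().startswith(inf_dir)]


if __name__ == "__main__":
    timeline = sorted(parse_xp_log(XP_LOG) + parse_dev_log(DEV_LOG), key=lambda s: s["start"])
    for s in timeline:
        print(s["start"], s["format"], s["kind"], s["device"], s["inf"], s["status"])
    for s in flag_nonstandard_inf(timeline):
        print("REVIEW: driver INF outside %windir%\\inf ->", s["inf"], s["status"])
```

Run against a live system by reading the real files in place of the constructed strings; when a drive letter other than C: or a relocated %windir% is in play, pass it through the windir argument so the INF-path check does not flag every Microsoft driver. Because the timestamps are local time, convert them using the machine's time zone from the SYSTEM hive before placing them next to UTC artifacts such as event logs.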
Tomorrow I'll see if there are any other artifacts I need to include before we talk about stitching it all together.