Wednesday, April 19, 2017

Windows, Now with Built-in Anti-Forensics!

Hello Reader,

Update: TZWorks updated USP in November 2016, and it now not only shows these removed devices but, if you pass in the -show_other_times flag, will also tell you when the devices were removed. Very cool!

If you've been using a tool to parse external storage devices that relies on USB, USBStor, WPDBUSENUM or STORAGE as its primary key for finding all external devices, you may be being tricked by Windows. Windows has been doing something new (to me at least) that I first observed in the Suncoast v Peter Scoppa et al case (Case No. 4:13-cv-03125) back in 2015: on its own and without any user request, Windows removes unused device entries from the registry on a regular basis, driven by Task Scheduler.

This behavior, which I've observed in my case work, started in Windows 8.1, and I've confirmed it in Windows 10. A PDF I found that references this behavior states that its author has seen it in Windows 7, but I can't confirm that. The behavior is initiated from the scheduled task named 'Plug and Play Cleanup', as seen in the following screenshot:



I've found very few people talking about this online, and even fewer DFIR people who seem to be aware of it; I know we are going to add it to the SANS Windows forensics course. According to this post on MSDN, the scheduled task removes from the most common device storage registry keys all devices that haven't been plugged in for 30 days. When this removal happens it is logged in setupapi.dev.log, like all other PnP installs and uninstalls. Here is an example of such an entry:

>>>  [Device and Driver Disk Cleanup Handler]
>>>  Section start 2017/04/08 18:54:37.650
      cmd: taskhostw.exe
     set: Searching for not-recently detected devices that may be removed from the system.
     set: Devices will be removed during this pass.
     set: Device STORAGE\VOLUME\_??_USBSTOR#DISK&VEN_&PROD_&REV_PMAP#07075B8D9E409826&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} will be removed.
     set: Device STORAGE\VOLUME\_??_USBSTOR#DISK&VEN_&PROD_&REV_PMAP#07075B8D9E409826&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} was removed.
     set: Device SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_&PROD_&REV_PMAP#07075B8D9E409826&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} will be removed.
     set: Device SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_&PROD_&REV_PMAP#07075B8D9E409826&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT13 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT13 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT14 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT14 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT15 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT15 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT16 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT16 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT17 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT17 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT18 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT18 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT19 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT19 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT20 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT20 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT21 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT21 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT22 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT22 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT23 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT23 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT24 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT24 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT25 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT25 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT26 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT26 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT27 will be removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT27 was removed.
     set: Device USB\VID_13FE&PID_5200\07075B8D9E409826 will be removed.
     set: Device USB\VID_13FE&PID_5200\07075B8D9E409826 was removed.
     set: Device STORAGE\VOLUME\_??_USBSTOR#DISK&VEN_&PROD_&REV_PMAP#070A6C62772BB880&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} will be removed.
     set: Device STORAGE\VOLUME\_??_USBSTOR#DISK&VEN_&PROD_&REV_PMAP#070A6C62772BB880&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} was removed.
     set: Device USBSTOR\DISK&VEN_&PROD_&REV_PMAP\070A6C62772BB880&0 will be removed.
     set: Device USBSTOR\DISK&VEN_&PROD_&REV_PMAP\070A6C62772BB880&0 was removed.
     set: Device USB\VID_13FE&PID_5500\070A6C62772BB880 will be removed.
     set: Device USB\VID_13FE&PID_5500\070A6C62772BB880 was removed.
     set: Device SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_&PROD_&REV_PMAP#070A6C62772BB880&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} will be removed.
     set: Device SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_&PROD_&REV_PMAP#070A6C62772BB880&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} was removed.
     set: Device USBSTOR\DISK&VEN_&PROD_&REV_PMAP\07075B8D9E409826&0 will be removed.
     set: Device USBSTOR\DISK&VEN_&PROD_&REV_PMAP\07075B8D9E409826&0 was removed.
     set: Devices removed: 23
     set: Searching for unused drivers that may be removed from the system.
     set: Drivers will be removed during this pass.
     set: Recovery Timestamp: 11/11/2016 19:51:27:0391.
     set: Driver packages removed: 0
     set: Total size on disk: 0
<<<  Section end 2017/04/08 18:54:41.415
<<<  [Exit status: SUCCESS]

This is followed by one of these entries for each device identified:
>>>  [Delete Device - STORAGE\VOLUME\_??_USBSTOR#DISK&VEN_&PROD_&REV_PMAP#07075B8D9E409826&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}]
>>>  Section start 2017/04/08 18:54:37.666
      cmd: taskhostw.exe
<<<  Section end 2017/04/08 18:54:37.704
<<<  [Exit status: SUCCESS]
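To make these entries usable in an exam, here is an added Python example (my own, not code from the post or from any tool it mentions) that pulls the cleanup-handler sections out of a setupapi.dev.log: it records when each run happened, which device instance IDs it purged, the count the task itself reported as a sanity check, and the serial numbers of the USB storage devices among them, so they can be compared against what USBSTOR and friends no longer show. The sample log and its serial numbers are constructed, modelled on the excerpt above.

```python
import re

# Constructed sample modelled on the setupapi.dev.log excerpt above; serials are made up.
SAMPLE_LOG = r""">>>  [Device and Driver Disk Cleanup Handler]
>>>  Section start 2017/04/08 18:54:37.650
      cmd: taskhostw.exe
     set: Device STORAGE\VOLUME\_??_USBSTOR#DISK&VEN_&PROD_&REV_PMAP#AAAA1111&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} was removed.
     set: Device USBSTOR\DISK&VEN_&PROD_&REV_PMAP\AAAA1111&0 was removed.
     set: Device USB\VID_13FE&PID_5200\AAAA1111 was removed.
     set: Device STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT13 was removed.
     set: Devices removed: 4
<<<  Section end 2017/04/08 18:54:41.415
<<<  [Exit status: SUCCESS]
>>>  [Delete Device - USBSTOR\DISK&VEN_&PROD_&REV_PMAP\AAAA1111&0]
>>>  Section start 2017/04/08 18:54:37.666
<<<  Section end 2017/04/08 18:54:37.704
<<<  [Exit status: SUCCESS]
"""

CLEANUP_NAME = "Device and Driver Disk Cleanup Handler"
SECTION_START = re.compile(r"^>>>\s+\[(?P<name>[^\]]+)\]")
SECTION_TIME = re.compile(r"^>>>\s+Section start (?P<ts>\S+ \S+)")
REMOVED = re.compile(r"^\s*set: Device (?P<id>\S+) was removed\.")
COUNT = re.compile(r"^\s*set: Devices removed: (?P<n>\d+)")
# USBSTOR instance IDs appear directly (USBSTOR\DISK...\SERIAL&0) and embedded in
# STORAGE\VOLUME and SWD\WPDBUSENUM IDs, where '#' stands in for the backslash.
USBSTOR_SERIAL = re.compile(r"USBSTOR[\\#]DISK[^\\#]*[\\#](?P<serial>[^&#\\]+)&")

def parse_cleanup_runs(text):
    """One record per cleanup-handler section: start time, purged IDs, reported count."""
    runs, cur = [], None
    for line in text.splitlines():
        start = SECTION_START.match(line)
        if start:  # new section: only cleanup-handler sections are collected
            cur = {"start": None, "devices": [], "reported": None} if start["name"] == CLEANUP_NAME else None
            if cur is not None:
                runs.append(cur)
        elif cur is not None:
            ts, rm, ct = SECTION_TIME.match(line), REMOVED.match(line), COUNT.match(line)
            if ts:
                cur["start"] = ts["ts"]
            elif rm:
                cur["devices"].append(rm["id"])
            elif ct:
                cur["reported"] = int(ct["n"])  # compare with len(devices) to catch a truncated log
    return runs

def purged_usb_serials(run):
    """Serial numbers of the USB mass-storage devices whose registry entries the run purged."""
    return {m["serial"] for m in map(USBSTOR_SERIAL.search, run["devices"]) if m}
```

Each serial recovered here can be checked against the DeviceMigration and MountedDevices keys listed below to confirm the device really was present before the task ran.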

Now, setupapi.dev.log isn't the only place these devices will remain. In my testing you will also find them in the following registry keys:
System\Setup\Upgrade\PnP\CurrentControlSet\Control\DeviceMigration\Classes\
System\Setup\Upgrade\PnP\CurrentControlSet\Control\DeviceMigration\Devices\SWD\WPDBUSENUM
System\Setup\Upgrade\PnP\CurrentControlSet\Control\DeviceMigration\Devices\USBSTOR
System\MountedDevices\
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\

Note that these removals do not affect the shell item artifacts (LNK files, Jump Lists, ShellBags) that point to files accessed from these devices, only the common registry entries that record the devices' existence.

So why is this important? If you are asked to review external devices accessed on a Windows 8.1 or newer system, you will have to take additional steps to ensure that you account for any device that hasn't been plugged in for 30 days. In my testing, the Woanware USBDeviceForensics tool misses these devices in its reports.

So make sure to check! It's on by default, and there could be a lot of devices you miss.