Daily Blog: #8 Winner of the 6/30 Sunday Funday and the Answer

Sunday Funday and the Answer

Hola Reader,
        I'm on vacation this week but that doesn't mean I'm on vacation from my year long blogging challenge! Yesterday I posted my first Sunday Funday forensic challenge, we have 51 left to do! Thank you to all of those who participated!

As I mentioned in prior posts, it's always interesting to see different perspectives on the same question. Each of the answers varied a bit from the other, and all of them would find the majority of the evidence, but my challenge was for the 'most correct' answer. According to my reading of the comments the most correct was Harlan Carvey!

Congratulations Harlan I will be signing a book and sending it to you, please email me you address to info@g-cpartners.com

Here was Harlan's answer:
"*When was it first plugged in:
The date/time of the device being plugged in and the driver being loaded can be found in the C:\Windows\inf\setupapi.dev.log file.  This information is maintained in local system time.

According to Colin Cree's CEIC2012 presentation, beneath the USBStor key, the LastWrite times for the LogConf and 'Device Parameters' subkeys also provide the first insertion time of the device.

The following key has additional information, as well:

Beneath this key is a value named "Data".  This is a binary value, and contains a FILETIME object.  According to documentation available in MS header files, this is the FirstInstallDate of the device, or when the instance was first installed on the system (http://msdn.microsoft.com/en-us/library/windows/hardware/ff542500(v=vs.85).aspx).  This information is maintained in UTC time format.

Note that the ..\00000064\00000000 key contains a Data value with a FILETIME object, but this refers to when the instance was most recently installed, or the driver updated, on the system.

Further (again, from Colin Cree's presentation), the LastWrite time of the device subkey beneath System\ControlSet00n\Control\DeviceClasses\{10497b1b-ba51-44e5-8318-a65c837b6661}  key may also correlates to the first insertion date of the device.

*What was it last plugged in:
First, locate the volume GUID for the device in question via the MountedDevices key within the System hive.  Parse the date for each volume GUID, looking for the identifier that points to the device in question, or use the RegRipper mountdev.pl plugin. Using this GUID, navigate to the following path with a user's NTUSER.DAT hive:

The LastWrite time on this key is understood to indicate when the volume was last available to the user, and when  the device was last plugged into the system.  This information can be retrieved using the mp2.pl RegRipper plugin.

Note: if multiple users are logged into the system, the device will appear in the NTUSER.DAT hive for each of these users.

Parsing the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log (via LogParser), looking for event IDs 1003 and 2003 (among others) will provide indications of when a device was last connected to the system (the strings in the event will contain the name/identifier of the device).

*What other times was it plugged in:
Other times that the device was plugged in can be determined by running the mp2.pl RegRipper plugin against the NTUSER.DAT hive files within VSCs.

As above, parsing the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log, looking for event IDs 1003 and 2003 (among others) will provide indications of when a device was previously connected to the system.  Be sure to also perform the same query across the Windows Event Log in VSCs.

*What files and directories were copied and/or accessed from the drive

Determining indications of files copied from the drive is difficult.  This requires analysis of not only when the device was connected, but also time stamp analysis of the files themselves.  Shellbag artifacts within the user's USRCLASS.DAT hive file (C:\Users\{user}\AppData\Local\Microsoft\Windows\UsrClass.dat) may provide indications of the folder/subfolder where the files were maintained being accessed, if the user did so via the Explorer shell.

Determining indications of files (documents, etc.) accessed from the drive can be achieved by parsing LNK files in the user's Recent folders (C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\ & C:\Users\{user}\AppData\Roaming\Microsoft\Office\Recent\), as well as *.automaticDestinations-ms Jump Lists (C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations); the easiest way to get the needed information is to parse the DestList stream, using tools such as JumpLister.

Specific to the LNK files (and the LNK streams within the autodest Jump List files), you will find the path to the file, which will give you the drive letter, potentially pointing the external device/drive.  In the case where multiple devices have been connected to the system, you can retrieve the volume serial number (VSN) from the LNK file, and then correlate that to the information within the device subkey name beneath the following key in the Software hive:
Microsoft\Windows NT\CurrentVersion\EMDMgmt

The subkeys beneath this key contain within their names (begin with '_??_USBSTOR#') identifying information about devices.  Locate the device in question, and at the end of the key name, you will find an underscore, followed by a series of integers.  These integers are the VSN in decimal format.

You will also want to look to application-specific MRU lists (ie, Adobe Reader, etc.).  These MRU lists will provide indications of files accessed via that application, and if a document path for the most recently accessed file includes the drive letter to the external device in question, then the key LastWrite time will likely correlate to when the file was accessed.  Otherwise, use NTUSER.DAT hives (where app-specific MRUs are usually maintained) with VSCs to attempt to determine the dates of the MRU files.

If by accessed from, the files were executable files, indications of this type of access may be found via the user's UserAssist subkey data, which can be retrieved via the ReRipper userassist.pl plugin.  Also, indications of executed files may be seen in the user's MUICache key (although it would take analysis of key values within available VSCs to determine an approximate time of execution), as well as within Prefetch files (within the C:\
Windowsw\Prefetch folder) and the AppCompatCache key (retrieved via the RegRipper appcompatcache.pl plugin) within the System hive."
Now for the answer:
Important things to consider for this question was:
a) Windows 7, which means we can't rely on USBStor times any more and volume shadow copies existing
b) I said external device, but I didn't specify which kind
c) I said files and directories accessed as a hint to think about

Keep these in mind for the next challenge, small words make big changes in your analysis. So let's see how I would answer the questions.

  • When was it first plugged in - Almost everyone got this correct, setupapi.dev.log is the most reliable source that I've found for first plug in times.
  • What was it last plugged in - I saw some interesting responses here, most including mountpoints2. What I didn't see, which is my personal favorite, is a mention of the deviceclasses key.  I was very happy to see those of you who mentioned event logs, very cool as that is something I don't rely on normally.
  • What other times was it plugged in - The shadow copies were the key to this, being able to go back and find the prior registries/event logs and look for different dates of last plugin.
  • What files and directories were copied and/or accessed from the drive - Lnk files is correct and two of you mentioned shellbags which was what I was expecting since I specifically said directories.
All in all this was a great bit of fun and somthing I will likely go into deeper depth on and update some old blog posts on dealing with these procedures to reflect the state of the forensic art today.

 A special prize go to Alexi though, he was the only person who mentioned non USB device storage information! Alexi send me your shipping address as well and I'll send you a copy of the new book!

We resume the milestone series tomorrow!

Also Read: Daily Blog: #7 

Post a Comment