@night 1803 access accessdata active directory admissibility ads aduc aim aix ajax alex levinson alissa torres amcache analysis anjp anssi answer key antiforensics apfs appcompat appcompatflags applocker april fools argparse arman gungor arsenal artifact extractor attachments attacker tools austin automating automation awards aws azure azuread back to basics backstage bam base16 best finds beta bias bitcoin bitlocker blackbag blackberry enterprise server blackhat blacklight blade blanche lagny book book review brute force bsides bulk extractor c2 carved carving case ccdc cd burning ceic cfp challenge champlain chat logs Christmas Christmas eve chrome cit client info cloud forensics command line computer forensics computername conference schedule consulting contest cool tools. tips copy and paste coreanalytics cortana court approved credentials cryptocurrency ctf cti summit cut and paste cyberbox Daily Blog dbir deep freeze defcon defender ata deviceclasses dfa dfir dfir automation dfir exposed dfir in 120 seconds dfir indepth dfir review dfir summit dfir wizard dfrws dfvfs dingo stole my baby directories directory dirty file system disablelastaccess discount download dropbox dvd burning e01 elastic search elcomsoft elevated email recovery email searching emdmgmt Encyclopedia Forensica enfuse eric huber es eshandler esxi evalexperience event log event logs evidence execution exfat ext3 ext4 extended mapi external drives f-response factory access mode false positive fat fde firefox for408 for498 for500 for526 for668 forenisc toolkit forensic 4cast forensic lunch forensic soundness forensic tips fraud free fsutil ftk ftk 2 full disk encryption future gcfe gcp github go bag golden ticket google gsuite guardduty gui hackthebox hal pomeranz hashlib hfs honeypot honeypots how does it work how i use it how to howto IE10 imaging incident response indepth information theft infosec pro guide intern internetusername Interview ios ip theft iphone ir itunes encrypted backups jailbreak jeddah jessica hyde joe sylve journals json jump lists kali kape kevin stokes kibana knowledgec korman labs lance mueller last access last logon lateral movement leanpub libtsk libvshadow linux linux forensics linux-3g live systems lnk files log analysis log2timeline login logs london love notes lznt1 mac mac_apt macmini magnet magnet user summit magnet virtual summit mari degrazia mathias fuchs md viewer memorial day memory forensics metaspike mft mftecmd mhn microsoft milestones mimikatz missing features mlocate mobile devices mojave mount mtp multiboot usb mus mus 2019 mus2019 nccdc netanalysis netbios netflow new book new years eve new years resolutions nominations nosql notifications ntfs ntfsdisablelastaccessupdate nuc nw3c objectid offensive forensics office office 2016 office 365 oleg skilkin osx outlook outlook web access owa packetsled paladin pancake viewer path specification pdf perl persistence pfic plists posix powerforensics powerpoint powershell prefetch psexec py2exe pyewf pyinstaller python pytsk rallysecurity raw images rdp re-c re-creation testing reader project recipes recon recursive hashing recycle bin redteam regipy registry registry explorer registry recon regripper remote research reverse engineering rhel rootless runas sample images san diego SANS sans dfir summit sarah edwards saturday Saturday reading sbe sccm scrap files search server 2008 server 2008 r2 server 2012 server 2019 setmace setupapi sha1 shadowkit shadows shell items shellbags shimcache silv3rhorn skull canyon skype slow down smb solution solution saturday sop speed sponsors sqlite srum ssd stage 1 stories storport sunday funday swgde syscache system t2 takeout telemetry temporary files test kitchen thanksgiving threat intel timeline times timestamps timestomp timezone tool tool testing training transaction logs triage triforce truecrypt tsk tun naung tutorial typed paths typedpaths uac unc understanding unicorn unified logs unread updates usb usb detective usbstor user assist userassist usnjrnl validation vhd video video blog videopost vlive vmug vmware volatility vote vss web2.0 webcast webinar webmail weekend reading what are you missing what did they take what don't we know What I wish I knew whitfield windows windows 10 windows 2008 windows 7 windows forensics windows server winfe winfe lite winscp wmi write head xboot xfs xways yarp yogesh zimmerman zone.identifier

Daily Blog: #8 Winner of the 6/30 Sunday Funday and the answer


Hola Reader,
        I'm on vacation this week but that doesn't mean I'm on vacation from my year long blogging challenge! Yesterday I posted my first Sunday Funday forensic challenge, we have 51 left to do! Thank you to all of those who participated!

As I mentioned in prior posts, it's always interesting to see different perspectives on the same question. Each of the answers varied a bit from the other, and all of them would find the majority of the evidence, but my challenge was for the 'most correct' answer. According to my reading of the comments the most correct was Harlan Carvey!

Congratulations Harlan I will be signing a book and sending it to you, please email me you address to info@g-cpartners.com

Here was Harlan's answer:
"*When was it first plugged in:
The date/time of the device being plugged in and the driver being loaded can be found in the C:\Windows\inf\setupapi.dev.log file.  This information is maintained in local system time.

According to Colin Cree's CEIC2012 presentation, beneath the USBStor key, the LastWrite times for the LogConf and 'Device Parameters' subkeys also provide the first insertion time of the device.

The following key has additional information, as well:
SYSTEM\ControlSet00n\Enum\USBSTOR\{device}\{SN}\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000

Beneath this key is a value named "Data".  This is a binary value, and contains a FILETIME object.  According to documentation available in MS header files, this is the FirstInstallDate of the device, or when the instance was first installed on the system (http://msdn.microsoft.com/en-us/library/windows/hardware/ff542500(v=vs.85).aspx).  This information is maintained in UTC time format.

Note that the ..\00000064\00000000 key contains a Data value with a FILETIME object, but this refers to when the instance was most recently installed, or the driver updated, on the system.

Further (again, from Colin Cree's presentation), the LastWrite time of the device subkey beneath System\ControlSet00n\Control\DeviceClasses\{10497b1b-ba51-44e5-8318-a65c837b6661}  key may also correlates to the first insertion date of the device.

*What was it last plugged in:
First, locate the volume GUID for the device in question via the MountedDevices key within the System hive.  Parse the date for each volume GUID, looking for the identifier that points to the device in question, or use the RegRipper mountdev.pl plugin. Using this GUID, navigate to the following path with a user's NTUSER.DAT hive:
Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}

The LastWrite time on this key is understood to indicate when the volume was last available to the user, and when  the device was last plugged into the system.  This information can be retrieved using the mp2.pl RegRipper plugin.

Note: if multiple users are logged into the system, the device will appear in the NTUSER.DAT hive for each of these users.

Parsing the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log (via LogParser), looking for event IDs 1003 and 2003 (among others) will provide indications of when a device was last connected to the system (the strings in the event will contain the name/identifier of the device).

*What other times was it plugged in:
Other times that the device was plugged in can be determined by running the mp2.pl RegRipper plugin against the NTUSER.DAT hive files within VSCs.

As above, parsing the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log, looking for event IDs 1003 and 2003 (among others) will provide indications of when a device was previously connected to the system.  Be sure to also perform the same query across the Windows Event Log in VSCs.

*What files and directories were copied and/or accessed from the drive

Determining indications of files copied from the drive is difficult.  This requires analysis of not only when the device was connected, but also time stamp analysis of the files themselves.  Shellbag artifacts within the user's USRCLASS.DAT hive file (C:\Users\{user}\AppData\Local\Microsoft\Windows\UsrClass.dat) may provide indications of the folder/subfolder where the files were maintained being accessed, if the user did so via the Explorer shell.

Determining indications of files (documents, etc.) accessed from the drive can be achieved by parsing LNK files in the user's Recent folders (C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\ & C:\Users\{user}\AppData\Roaming\Microsoft\Office\Recent\), as well as *.automaticDestinations-ms Jump Lists (C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations); the easiest way to get the needed information is to parse the DestList stream, using tools such as JumpLister.

Specific to the LNK files (and the LNK streams within the autodest Jump List files), you will find the path to the file, which will give you the drive letter, potentially pointing the external device/drive.  In the case where multiple devices have been connected to the system, you can retrieve the volume serial number (VSN) from the LNK file, and then correlate that to the information within the device subkey name beneath the following key in the Software hive:
Microsoft\Windows NT\CurrentVersion\EMDMgmt

The subkeys beneath this key contain within their names (begin with '_??_USBSTOR#') identifying information about devices.  Locate the device in question, and at the end of the key name, you will find an underscore, followed by a series of integers.  These integers are the VSN in decimal format.

You will also want to look to application-specific MRU lists (ie, Adobe Reader, etc.).  These MRU lists will provide indications of files accessed via that application, and if a document path for the most recently accessed file includes the drive letter to the external device in question, then the key LastWrite time will likely correlate to when the file was accessed.  Otherwise, use NTUSER.DAT hives (where app-specific MRUs are usually maintained) with VSCs to attempt to determine the dates of the MRU files.

If by accessed from, the files were executable files, indications of this type of access may be found via the user's UserAssist subkey data, which can be retrieved via the ReRipper userassist.pl plugin.  Also, indications of executed files may be seen in the user's MUICache key (although it would take analysis of key values within available VSCs to determine an approximate time of execution), as well as within Prefetch files (within the C:\
Windowsw\Prefetch folder) and the AppCompatCache key (retrieved via the RegRipper appcompatcache.pl plugin) within the System hive."
Now for the answer:
Important things to consider for this question was:
a) Windows 7, which means we can't rely on USBStor times any more and volume shadow copies existing
b) I said external device, but I didn't specify which kind
c) I said files and directories accessed as a hint to think about

Keep these in mind for the next challenge, small words make big changes in your analysis. So let's see how I would answer the questions.

  • When was it first plugged in - Almost everyone got this correct, setupapi.dev.log is the most reliable source that I've found for first plug in times.
  • What was it last plugged in - I saw some interesting responses here, most including mountpoints2. What I didn't see, which is my personal favorite, is a mention of the deviceclasses key.  I was very happy to see those of you who mentioned event logs, very cool as that is something I don't rely on normally.
  • What other times was it plugged in - The shadow copies were the key to this, being able to go back and find the prior registries/event logs and look for different dates of last plugin.
  • What files and directories were copied and/or accessed from the drive - Lnk files is correct and two of you mentioned shellbags which was what I was expecting since I specifically said directories.
All in all this was a great bit of fun and somthing I will likely go into deeper depth on and update some old blog posts on dealing with these procedures to reflect the state of the forensic art today.

 A special prize go to Alexi though, he was the only person who mentioned non USB device storage information! Alexi send me your shipping address as well and I'll send you a copy of the new book!

We resume the milestone series tomorrow!
Labels:

Post a Comment

[blogger][disqus][facebook][spotim]

Author Name

Contact Form

Name

Email *

Message *

Powered by Blogger.