
Daily Blog #65: Understanding the artifacts EMDMgmt

Howdy Reader,
Another good Sunday Funday come and gone. I want to make these contests fun and accessible for you and for those vendors who have graciously provided prizes worth your time and effort! Have an idea of how to make Sunday Funday better? Comment here or email me at dcowen@g-cpartners.com. Also remember that this Friday we will be doing another Forensic Lunch, where we will be showing the first alpha of our plist parsing tool. You can register for the Forensic Lunch here to be notified when it begins, hear about any changes and ask questions! If you want to be on the video chat for the Forensic Lunch and have something to talk about, email me at dcowen@g-cpartners.com!

Today we are going back to the understanding series before I get sidetracked wanting to write about another topic. We've covered 6 artifacts so far in stitching together what it takes to really show usage, but we are not done yet! Now we need to talk about a registry key first introduced in Windows Vista called EMDMgmt. Harlan has talked about it here: http://windowsir.blogspot.com/2013/04/plugin-emdmgmt.html and earlier in his blog as well. EMDMgmt, or External Memory Device Management, is part of the ReadyBoost service first shipped in Vista. Whether or not ReadyBoost is actually in use, the EMDMgmt key gets a subkey for every storage volume the service evaluated as a place it could write ReadyBoost data. To make sure it can uniquely identify a volume, each subkey name combines the device identifier (the same device instance path you see under USBStor and the other Enum keys in the SYSTEM hive) with the volume label and the volume serial number of the attached volume. One thing to watch: the serial number is stored in decimal in the key name, so you have to convert it to hex before comparing it with the serial number recorded in a LNK file or Jump List.

This is important for our investigations because it is the only key outside of the MountPoints keys that lets you link an external device found in the SYSTEM hive to the volume serial number and volume name stored in LNK files and Jump Lists. To quote the Microsoft TechNet article found here:

ReadyBoost consists of a service implemented in %SystemRoot%\System32\Emdmgmt.dll that runs in a Service Host process, and a volume filter driver, %SystemRoot%\System32\Drivers\Ecache.sys. (Emd is short for External Memory Device, the working name for ReadyBoost during its development.) When you insert a flash device like a USB key into a system, the ReadyBoost service looks at the device to determine its performance characteristics and stores the results of its test in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\Emdmgmt, seen in Figure 1.
Many times you will see USB mentioned in connection with this key, but it's not just USB devices you will find here. I find eSATA, USB, Firewire and local disks: any non-system storage volume that gets attached ends up here with its device identifier, volume label and volume serial number. This can be very helpful when you are trying to understand why a device you know was accessed does not appear in USBStor. There are times when either a) the device isn't USB, or b) the device loads a hybrid driver (CD-ROM/storage) and the drive appears as a local disk instead.
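As an added example (this is not code from the original post or from any of the tools it mentions), here is how the pieces of an EMDMgmt subkey name fit together and how the decimal serial in the key name maps onto the hex serial a LNK file or Jump List tool shows you. The subkey names below are constructed to follow the observed naming pattern (device interface path ending in the volume class GUID, then the volume label, an underscore and the decimal serial); they are not taken from a real system, and that layout is the only assumption the parser makes.

```python
import re
from typing import Optional

# Constructed sample EMDMgmt subkey names (not from a real system), built on the
# pattern the post describes: device interface path ending in the volume device
# interface class GUID, then "<VOLUME_LABEL>_<volume serial in decimal>".
# The third entry is a local SATA disk with no volume label, so the label is empty.
SAMPLE_EMDMGMT_SUBKEYS = [
    "_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#001CC0EC34C6BB90F921001E&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}KINGSTON_3735928559",
    "_??_USBSTOR#Disk&Ven_WD&Prod_My_Passport_0740&Rev_1003#575834314142323132333338&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}MY_PASSPORT_1234567890",
    "_??_SCSI#Disk&Ven_ATA&Prod_ST3500418AS#4&2a5ce7f4&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_305419896",
]

# Everything up to and including the braced GUID is the device path; everything
# after it is the volume label plus the decimal serial number.
_GUID_RE = re.compile(r"\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}")


def serial_decimal_to_lnk_hex(serial: int) -> str:
    """Render a decimal volume serial the way LNK/Jump List tools display it (XXXX-XXXX)."""
    h = f"{serial & 0xFFFFFFFF:08X}"
    return f"{h[:4]}-{h[4:]}"


def lnk_hex_to_emdmgmt_decimal(serial_hex: str) -> int:
    """Inverse direction: 'DEAD-BEEF' (or 'DEADBEEF') -> the decimal value used in the key name."""
    return int(serial_hex.replace("-", ""), 16)


def parse_emdmgmt_subkey(name: str) -> Optional[dict]:
    """Split one EMDMgmt subkey name into device path, volume label and volume serial.

    Returns None for names that do not follow the pattern, so they can be set
    aside for manual review instead of being silently dropped.
    """
    m = _GUID_RE.search(name)
    if m is None:
        return None
    device_path, tail = name[: m.end()], name[m.end():]
    # Volume labels can contain underscores themselves, so split on the LAST one.
    label, sep, serial_dec = tail.rpartition("_")
    if not sep or not serial_dec.isdigit():
        return None
    serial = int(serial_dec)
    # The portion before the GUID, with the "_??_" prefix removed and '#' turned
    # back into '\', is the device instance path to look up under
    # SYSTEM\CurrentControlSet\Enum (USBSTOR, SCSI, ...).
    prefix = device_path[: m.start()]
    if prefix.startswith("_??_"):
        prefix = prefix[4:]
    device_instance = prefix.rstrip("#").replace("#", "\\")
    return {
        "device_path": device_path,
        "device_instance": device_instance,
        "volume_label": label,
        "volume_serial_decimal": serial,
        "volume_serial_hex": serial_decimal_to_lnk_hex(serial),
    }


def match_lnk_serial(lnk_serial_hex: str, subkey_names) -> list:
    """Return the parsed EMDMgmt entries whose volume serial equals a LNK file's serial."""
    wanted = lnk_hex_to_emdmgmt_decimal(lnk_serial_hex)
    return [
        e for e in map(parse_emdmgmt_subkey, subkey_names)
        if e is not None and e["volume_serial_decimal"] == wanted
    ]


if __name__ == "__main__":
    for entry in map(parse_emdmgmt_subkey, SAMPLE_EMDMGMT_SUBKEYS):
        print(entry)
    # A LNK file pointing at volume serial DEAD-BEEF resolves to the Kingston stick.
    print(match_lnk_serial("DEAD-BEEF", SAMPLE_EMDMGMT_SUBKEYS))
```

Treat a serial match as a lead rather than proof: two volumes can share a label and in rare cases a serial number, so confirm the hit against the device instance path in the SYSTEM hive and against your timeline before you write it up.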

The one problem for analysts is that ReadyBoost is disabled by default when the system drive is an SSD, at least on Windows 7 (part of the Windows 7 optimizations for SSDs), so on those systems the key can be empty or missing for perfectly innocent reasons. An inexperienced examiner who reads that as anti-forensics or spoliation will generate a lot of false positives. If your user has an SSD you are back to timeline analysis of the other device artifacts (setupapi.dev.log, the USBStor key last-write times and so on) to determine which drives were plugged in at what time.

Now if the system is Vista or 7 (I have not checked 8) and the suspect's system drive is not an SSD, this key is created by default. If it does not exist, check whether the ReadyBoost service was disabled (the service name is EMDMgmt; a Start value of 4 under HKLM\SYSTEM\CurrentControlSet\Services\EMDMgmt means disabled), since some users turn it off over performance complaints. For that to explain a missing key, though, the service would have had to be disabled before the first external storage device was ever plugged in. Otherwise a missing key is a good indication of anti-forensics.

EMDMgmt is something I've learned to rely on, and tools like Woanware's USBDeviceForensics and TZWorks' USB Storage Parser (usp) rely on it to uniquely match drives. If you haven't looked at it before, I would encourage you to do so; it will make your life much easier!

Tomorrow we continue to wrap up the current understanding series!
