Daily Blog #88: Solving the USB Device connections for Sunday Funday 9/15/13

Hello Reader,
            I thought it would be helpful for many of you who want to get some practice to walk through how to solve the image we used for last weeks Sunday Funday. This image is actually based on chapter 13 of the new book 'Infosec pro guide to computer forensics' but you don't need to buy it to learn how to do forensics. In this post I'm going to start with how to map out with USB devices were connected to the system. I am going to do this the easier way by exporting the right artifacts and then loading it into Woanware's USB Device Forensics after exporting them from the vhd image with FTK Imager.

First export the System and Software registry keys found under \windows\system32\config
The system key holds the USBStor and DeviceClasses keys while the Software key holds the EMDMGMT key both of which we've talked about in prior posts.

Next export the setupapi.dev.log from the \windows\inf directory as this is a windows 7 system in order to get the most accurate first plugin time.

Now we export the NTUSER.DAT from the suspects home folder, \users\suspect

With all 4 artifacts exported we can load them up in Woanware's USB DeviceForensics tool
 Once parsed I like to export the data shown as a CSV
 And finally load it into Excel for easy viewing
Cut off from this screenshot is all the date and times from the registry keys parsed by the tool.

There you go that is my easy go to way of getting external devices into an easily reviewable and with some good color coding an easy deliverable to those who are requesting the information.

Tomorrow is another forensic lunch and then we will continue to show to examine this image next week!

Post a Comment