Daily Blog #193: Let's talk about MTP Part 2

Let's talk about MTP Part 2 by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader
In Part 1 of this series we talked about why you should care about MTP and the large number of devices running Android 3.0 and greater that will not be utilizing it. Today let's look at the artifacts that the attachment of an MTP device leaves behind. I went to Fry's Electronics today and purchased a ZTE Prelude / AT&T Avail 2 Android phone that runs Android 4.1 for my testing.

I attached the phone, placed it in MTP mode and then explored the phone through explorer and created a directory with a file in it. This is the result of the attachment:

System Registry



  • Last write time 1/2/14 22:31:30 UTC
  • Last write time 1/2/14 22:31:39 UTC

When I first plugged in the phone a screen popped up on the display defaulting to installing a driver on the PC for syncing. I think this is what caused the first entry to come up as a Linux Cd Gadget. When I then switched it to MTP mode it created the second entry for the MTP device.

The first thing to note here is that the CDROM entry has an associated USBSTOR listing, while the MTP mode does not. MTP mode is not a USB Mass Storage driver and these devices will not be populated into the USBSTOR key.


SYSTEM\ControlSet001\Enum\USB\VID_19D2&PID_0307\P752A15\Device Parameters

From the Icons value we can see the device is associated with wpdshext.dll, which is the shell extension that allows me to use the MTP device as if it was a locally attached disk.

From SYSTEM\ControlSet001\Enum\USB\VID_19D2&PID_0307\P752A15\Device Parameters\WUDF we can see the driver is the wpdmtpdriver.
You'll also find entries under WpdBusEnumRoot as this is a Windows Portable Device, but I didn't find anything interesting in there yet.
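To show how these indicators can be pulled out of an exported SYSTEM hive in one pass, here is an added example (my code, not from the blog) that parses a `reg export` of the Enum\USB and Enum\USBSTOR keys and flags, per device instance, whether it looks like an MTP/WPD device (Icons naming wpdshext.dll or a WUDF value naming wpdmtpdriver) and whether a USBSTOR instance shares its serial. The sample export is constructed: PID_0000 and the `Service` values (`WUDFRd` for the MTP instance, `USBSTOR` for the mass-storage one) are assumptions, as is the `<serial>&0` naming of USBSTOR instances.

```python
import re

# Minimal parser for "Windows Registry Editor Version 5.00" exports (reg export
# HKLM\SYSTEM\ControlSet001\Enum\USB usb.reg); quoted strings and hex(7) decoded.
def parse_reg_export(text):
    keys, current = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():  # join continued lines
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current, keys[line[1:-1]] = line[1:-1], {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            if value.startswith('"'):
                value = value[1:-1].replace("\\\\", "\\")
            elif value.startswith("hex(7):"):  # REG_MULTI_SZ as UTF-16LE byte list
                raw = bytes(int(b, 16) for b in value[7:].split(",") if b)
                value = [s for s in raw.decode("utf-16-le").split("\0") if s]
            keys[current][name.strip('"')] = value
    return keys

USB = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB"
USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR"

def triage_usb_devices(keys):
    """One record per Enum\\USB instance: mtp = Icons names wpdshext.dll or a WUDF value
    names wpdmtpdriver; usbstor = a USBSTOR instance ends in '<serial>&0' (assumption)."""
    out = []
    for path, values in keys.items():
        parts = path.split("\\")
        if path.startswith(USB + "\\") and len(parts) == USB.count("\\") + 3:
            icons = keys.get(path + r"\Device Parameters", {}).get("Icons", "")
            wudf = keys.get(path + r"\Device Parameters\WUDF", {}).values()
            blob = " ".join(map(str, list(wudf) + ([icons] if isinstance(icons, str) else icons))).lower()
            out.append({"vidpid": parts[-2], "serial": parts[-1], "service": values.get("Service", ""),
                        "mtp": "wpdshext.dll" in blob or "wpdmtp" in blob,
                        "usbstor": any(p.startswith(USBSTOR + "\\") and p.endswith("\\" + parts[-1] + "&0")
                                       for p in keys)})
    return sorted(out, key=lambda r: r["vidpid"])

# Constructed sample, not real hive data: the post's ZTE instance in MTP mode plus a
# placeholder PID_0000 instance standing in for the same phone's CD-ROM gadget mode.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\VID_19D2&PID_0307\P752A15]
"Service"="WUDFRd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\VID_19D2&PID_0307\P752A15\Device Parameters]
"Icons"=hex(7):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,77,00,70,00,64,00,73,00,68,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\VID_19D2&PID_0000\P752A15]
"Service"="USBSTOR"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\CdRom&Ven_Linux&Prod_File-CD_Gadget\P752A15&0]
"DeviceDesc"="Linux File-CD Gadget"
"""
```

Because the USBSTOR match is by serial, it only tells you the phone was seen as mass storage at some point; the per-instance `Service` and `mtp` fields are what separate the MTP instance from the CD-ROM gadget instance.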



Under the explorer key you'll find the autoplay handler for the device:


          Last written time 1/2/14 22:32:01 UTC

This is nice because it lets us know what user was logged in when the device was attached. We need this since MountPoints2 will not be populated with a drive letter, as none is assigned.

This value was created when I put the phone in MTP mode and Windows Autoplay asked me how to deal with it, I chose open to view files.

Next we'll look at the shellbags entries my browsing made and what other artifacts exist from access.
