Tracing the Digital Footprints - External Device/USB Usage

In the fast-paced world of digital forensics, understanding the interaction between a system and external devices, especially USB drives, is paramount. These devices are frequently used for data transfer, malware introduction, or unauthorized exfiltration. By meticulously examining Windows artifacts related to "External Device/USB Usage," investigators can uncover crucial details about when a USB was connected, what type it was, and even which user operated it. This blog post explores key artifacts that illuminate these critical interactions.
Key Identification
Identifying the specific USB devices that have been connected to a machine is a foundational step in any forensic investigation.
Description: This artifact helps to track USB devices plugged into a machine.
Location: The relevant information can be found in the SYSTEM hive, specifically at:
SYSTEM\CurrentControlSet\Enum\USBSTOR
SYSTEM\CurrentControlSet\Enum\USB
Interpretation: These keys allow investigators to identify the vendor, product, and version of a USB device, and to identify a unique USB device plugged into the machine. They can also show the time a device was plugged into the machine. A notable detail is that devices that do not have a unique serial number will have an "&" as the second character of the serial number (Windows generates the instance ID itself in that case).
First/Last Times
Pinpointing the exact temporal usage of USB devices provides a critical timeline for forensic analysis.
Description: This artifact is used to determine temporal usage of specific USB devices connected to a Windows Machine.
Location:
For the first time of connection, investigators should look at the Plug and Play log files:
XP:
C:\Windows\setupapi.log
Win7/8/10:
C:\Windows\inf\setupapi.dev.log
For First, Last, and Removal Times (specific to Win7/8/10 only), the information is in the System Hive:
\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USBSerial#\Properties\{83da6326-97a6-4088-9453-a19231573b29}\####
Interpretation:
In the log files, investigators can search for the Device Serial Number. It's important to note that Log File times are set to the local time zone.
Within the System Hive, specific numerical values indicate different temporal events:
0064: Signifies the First Install (Win7-10).
0066: Indicates the Last Connected (Win8-10).
0067: Represents the Last Removal (Win8-10).
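The two lookups above, the first-install search in the Plug and Play log and the decoding of the 0064/0066/0067 Properties values, as an added Python example that is not code from the original post. The setupapi.dev.log excerpt and the three 8-byte values are constructed for illustration (the constructed machine is assumed to be in UTC, so the log's local times line up with the registry's UTC values); the regular expressions match the ">>>  [Device Install ...]" header and the ">>>  Section start" line that follows it, and the Properties values are treated as little-endian FILETIMEs.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the layout of C:\Windows\inf\setupapi.dev.log (not a real log). The log
# records local time, so the parsed timestamps are left naive and must be read as local time.
SETUPAPI_DEV_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2023/04/12 09:15:32.120
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
<<<  Section end 2023/04/12 09:15:34.503
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0019E06B2C54FB90B6F03FE9&0]
>>>  Section start 2023/04/13 14:02:10.001
<<<  Section end 2023/04/13 14:02:11.900
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2023/05/01 08:00:00.000
<<<  Section end 2023/05/01 08:00:01.250
<<<  [Exit status: SUCCESS]
"""

DEVICE_INSTALL_RE = re.compile(r">>>\s+\[Device Install \([^)]*\) - (?P<path>USBSTOR\\[^\]]+)\]")
SECTION_START_RE = re.compile(r">>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def first_install_times(log_text):
    """Map each USBSTOR instance id (last path component, e.g. '<serial>&0') to the earliest
    'Section start' time of a Device Install section: the first time the device was installed."""
    first = {}
    pending = None                     # instance id from the Device Install header just seen
    for line in log_text.splitlines():
        m = DEVICE_INSTALL_RE.search(line)
        if m:
            pending = m.group("path").rsplit("\\", 1)[-1]
            continue
        m = SECTION_START_RE.search(line)
        if m and pending:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")   # naive: local time
            if pending not in first or ts < first[pending]:
                first[pending] = ts
            pending = None
    return first


FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PROPERTY_NAMES = {   # #### values under Properties\{83da6326-97a6-4088-9453-a19231573b29}
    "0064": "First Install (Win7-10)",
    "0066": "Last Connected (Win8-10)",
    "0067": "Last Removal (Win8-10)",
}


def filetime_to_datetime(raw):
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01, UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=int.from_bytes(raw, "little") // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample values."""
    d = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (d.days * 86400 * 10**6 + d.seconds * 10**6 + d.microseconds) * 10


def decode_property_times(properties):
    """properties: {'0064': <8 bytes>, ...} read from the device's Properties subkeys."""
    return {PROPERTY_NAMES.get(pid, pid): filetime_to_datetime(raw) for pid, raw in properties.items()}


# Constructed 0064/0066/0067 values for the SanDisk device above (registry FILETIMEs are UTC).
SAMPLE_PROPERTIES = {
    pid: datetime_to_filetime(dt).to_bytes(8, "little") for pid, dt in {
        "0064": datetime(2023, 4, 12, 9, 15, 32, tzinfo=timezone.utc),
        "0066": datetime(2023, 5, 1, 8, 0, 0, tzinfo=timezone.utc),
        "0067": datetime(2023, 5, 1, 17, 30, 0, tzinfo=timezone.utc),
    }.items()
}

if __name__ == "__main__":
    for inst, ts in first_install_times(SETUPAPI_DEV_LOG).items():
        print(f"{inst}: first install {ts} (local time)")
    for name, ts in decode_property_times(SAMPLE_PROPERTIES).items():
        print(f"{name}: {ts.isoformat()}")
```

The log parser keeps the earliest section per device on purpose: a later Device Install section for the same serial (a driver update, or a reinstall after the device was removed from the PnP tree) would otherwise overwrite the first-install time. The registry side is the check against it: 0064 should agree with the log once the log's local time is converted to UTC.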
User
Determining which user was responsible for plugging in a specific USB device is essential for attributing actions.
Description: This artifact helps to find the user that used the Unique USB Device.
Location: Investigators need to look for the GUID from
SYSTEM\MountedDevices
and then correlate it with
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Interpretation: The last write time of the MountPoints2 key for that GUID is used to identify the user that plugged in the device.
PnP Events
Plug and Play (PnP) events capture the system's response to new hardware connections, including USB devices.
Description: When a Plug and Play driver install is attempted, the service will log an ID 20001 event and provide a Status within the event. This event will trigger for any Plug and Play-capable device, which includes, but is not limited to, USB, Firewire, and PCMCIA devices.
Location: These events are found in the System log file:
Win7/8/10:
%SystemRoot%\System32\winevt\Logs\System.evtx
Interpretation:
Event ID 20001 specifically indicates that a Plug and Play driver install was attempted.
The event includes a Timestamp, Device information, Device serial number, and a Status (where 0 indicates no errors).
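Filtering the System log for Event ID 20001 and reading the timestamp, device identity and status out of each record, as an added Python example that is not code from the original post. The records below are constructed in the XML layout that evtx parsers and Get-WinEvent return; the EventData field names used here (DeviceInstanceID, InstallStatus, DriverDescription) are assumed to follow the Microsoft-Windows-UserPnp event schema, and the non-zero status on the last record is a made-up value included only to show the failure path.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not real events). Field names follow the UserPnp schema as assumed
# here; InstallStatus is rendered as a hex string the way event viewers usually show it.
SAMPLE_EVENTS_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-UserPnp"/><EventID>20001</EventID>
    <TimeCreated SystemTime="2023-04-12T09:15:33.4210000Z"/><Channel>System</Channel><Computer>WS-01</Computer></System>
  <EventData><Data Name="DriverName">disk.inf</Data>
    <Data Name="DeviceInstanceID">USBSTOR\Disk&amp;Ven_SanDisk&amp;Prod_Cruzer_Glide&amp;Rev_1.00\4C530001234567890123&amp;0</Data>
    <Data Name="InstallStatus">0x0</Data><Data Name="DriverDescription">Disk drive</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-UserPnp"/><EventID>20003</EventID>
    <TimeCreated SystemTime="2023-04-12T09:15:33.5000000Z"/><Channel>System</Channel><Computer>WS-01</Computer></System>
  <EventData><Data Name="DriverName">disk.inf</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-UserPnp"/><EventID>20001</EventID>
    <TimeCreated SystemTime="2023-04-13T14:02:11.0000000Z"/><Channel>System</Channel><Computer>WS-01</Computer></System>
  <EventData><Data Name="DriverName">usbstor.inf</Data>
    <Data Name="DeviceInstanceID">USB\VID_0951&amp;PID_1666\0019E06B2C54FB90B6F03FE9</Data>
    <Data Name="InstallStatus">0x1</Data><Data Name="DriverDescription">USB Mass Storage Device</Data></EventData>
</Event>
</Events>"""


def _parse_system_time(text):
    # SystemTime carries seven fractional digits and a trailing Z; strptime accepts at most six.
    base, frac = text.rstrip("Z").split(".")
    return datetime.strptime(f"{base}.{frac[:6]}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def _status_to_int(text):
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def pnp_driver_installs(events_xml):
    """Return every Event ID 20001 record as a dict: UTC time, device instance id, the serial
    component of that id, the raw install status and whether it was 0 (no error)."""
    out = []
    for ev in ET.fromstring(events_xml).findall("e:Event", EVT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=EVT_NS) != "20001":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", EVT_NS)}
        inst = data.get("DeviceInstanceID", "")
        status = _status_to_int(data.get("InstallStatus", "0"))
        out.append({
            "time_utc": _parse_system_time(ev.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime")),
            "device_instance_id": inst,
            "serial": inst.rsplit("\\", 1)[-1],
            "status": status,
            "success": status == 0,
            "description": data.get("DriverDescription", ""),
        })
    return out


if __name__ == "__main__":
    for r in pnp_driver_installs(SAMPLE_EVENTS_XML):
        state = "ok" if r["success"] else f"status 0x{r['status']:X}"
        print(f"{r['time_utc'].isoformat()}  {r['serial']:<28} {r['description']} ({state})")
```

Because the EventID match is done on the System element, other UserPnp events (20003 in the sample) fall out before any EventData is touched, and a record with a non-zero InstallStatus is still returned rather than dropped: a failed install is itself evidence that the device was plugged in at that time.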
Volume Serial Number
Beyond the device's hardware serial, the volume serial number of the filesystem partition can provide additional linkage to user activity.
Description: This artifact helps to discover the Volume Serial Number of the Filesystem Partition on the USB. It's important to note that this is not the USB Unique Serial Number, which is hardcoded into the device firmware.
Location: The information is typically found in the SOFTWARE hive at
SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
To derive the serial number, use the Volume Name and USB Unique Serial Number to find the matching entry, take the last integer number in the line, and convert that decimal serial number into a hex serial number.
Interpretation: Knowing both the Volume Serial Number and the Volume Name, you can correlate the data across Shortcut File (LNK) analysis and the RecentDocs key. The Shortcut File (LNK) contains the Volume Serial Number and Name. Additionally, the RecentDocs registry key, in most cases, will contain the volume name when the USB device is opened.
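The key-name parsing described under Key Identification (the Enum\USBSTOR and Enum\USB subkey names, including the "&" rule for non-unique serials) and the EMDMgmt decimal-to-hex volume serial conversion described above share the same device-path parser, so both are covered by one added Python example here; it is not code from the original post. The key and value names are constructed samples in the formats those keys use: the vendor strings, the 0781:5575 VID/PID pair and the decimal serial 439041101 are sample values, not evidence from any real case.

```python
import re

# Subkey levels under SYSTEM\CurrentControlSet\Enum\USBSTOR: '<class>&Ven_<v>&Prod_<p>&Rev_<r>\<instance>'.
# The same text appears with '#' instead of '\' inside MountedDevices data and EMDMgmt value names.
USBSTOR_RE = re.compile(
    r"^(?P<class>[^&\\#]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\#]*)[\\#](?P<instance>[^\\#]+)"
)
# Subkey levels under SYSTEM\CurrentControlSet\Enum\USB: 'VID_xxxx&PID_xxxx[&MI_xx]\<instance>'.
USB_RE = re.compile(r"^VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})(?:&[^\\]*)?\\(?P<instance>[^\\]+)")
# SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt value names: device path, disk interface GUID,
# then '<volume label>_<decimal volume serial>'; the serial is always the last integer on the line.
EMDMGMT_RE = re.compile(r"^_\?\?_USBSTOR#(?P<dev>.+?)#\{[0-9a-fA-F-]+\}(?P<label>.*?)_?(?P<serial_dec>\d+)$")


def _unique(instance):
    # An '&' as the second character means Windows generated the instance id because the
    # device reported no unique serial number (e.g. '7&1a2b3c4d&0').
    return not (len(instance) > 1 and instance[1] == "&")


def parse_usbstor_key(key_path):
    m = USBSTOR_RE.match(key_path)
    if not m:
        raise ValueError(f"not a USBSTOR device path: {key_path!r}")
    instance = m.group("instance")
    unique = _unique(instance)
    return {
        "vendor": m.group("vendor"), "product": m.group("product"), "revision": m.group("rev"),
        "instance_id": instance,
        "serial": instance.split("&")[0] if unique else None,   # strip the trailing '&0'
        "has_unique_serial": unique,
    }


def parse_usb_key(key_path):
    m = USB_RE.match(key_path)
    if not m:
        raise ValueError(f"not a USB device path: {key_path!r}")
    instance = m.group("instance")
    return {"vid": m.group("vid").upper(), "pid": m.group("pid").upper(),
            "instance_id": instance, "has_unique_serial": _unique(instance)}


def volume_serial_to_hex(serial_dec):
    """EMDMgmt stores the 32-bit volume serial in decimal; LNK files and 'vol' show it as XXXX-XXXX."""
    h = f"{int(serial_dec) & 0xFFFFFFFF:08X}"
    return f"{h[:4]}-{h[4:]}"


def parse_emdmgmt_name(value_name):
    m = EMDMGMT_RE.match(value_name)
    if not m:
        raise ValueError(f"not an EMDMgmt USBSTOR entry: {value_name!r}")
    return {"device": parse_usbstor_key(m.group("dev")),
            "volume_label": m.group("label"),
            "volume_serial_dec": int(m.group("serial_dec")),
            "volume_serial_hex": volume_serial_to_hex(m.group("serial_dec"))}


# Constructed sample key/value names (not taken from any real system).
SAMPLE_USBSTOR_KEYS = [
    r"Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001234567890123&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&1a2b3c4d&0",     # no unique serial
]
SAMPLE_USB_KEY = r"VID_0781&PID_5575\4C530001234567890123"
SAMPLE_EMDMGMT_NAME = (r"_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00#4C530001234567890123&0"
                       r"#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SANDISK_439041101")

if __name__ == "__main__":
    for k in SAMPLE_USBSTOR_KEYS:
        print(parse_usbstor_key(k))
    print(parse_usb_key(SAMPLE_USB_KEY))
    print(parse_emdmgmt_name(SAMPLE_EMDMGMT_NAME))
```

Two details matter in practice: a device without a unique serial cannot be tied to other artifacts by serial at all (the parser returns None rather than the meaningless "7" prefix), and the hex form of the volume serial is what you will see in the LNK file's volume information, so the decimal value from EMDMgmt has to be converted before any string match is attempted.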
Drive Letter and Volume Name
Understanding the drive letter assigned to a USB device can assist in reconstructing file paths and user access.
Description: This artifact helps to discover the last drive letter of the USB Device when it was plugged into the machine.
Location:
XP:
Find the ParentIdPrefix at
SYSTEM\CurrentControlSet\Enum\USBSTOR
Then, using the ParentIdPrefix, discover the last mount point at
SYSTEM\MountedDevices
Win7/8/10:
SOFTWARE\Microsoft\Windows Portable Devices\Devices
SYSTEM\MountedDevices
Investigators should examine the drive letter entries, looking in the value data for the device serial number.
Interpretation: This technique allows investigators to identify the USB device that was last mapped to a specific drive letter. However, it's crucial to remember that this technique will only work for the last drive mapped and does not contain historical records of every drive letter mapped to a removable drive.
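The MountedDevices decoding that both the User section (correlating \??\Volume{GUID} entries with each user's MountPoints2 subkeys) and the drive letter lookup above depend on, as one added Python example that is not code from the original post. The MountedDevices and MountPoints2 contents are constructed, already read out of the hives into Python dicts (hive parsing itself is out of scope here); the USB entries carry the device path as UTF-16LE text, which is the format those values use, and the C: entry is a 12-byte fixed-disk value included so the filter has something to reject.

```python
from datetime import datetime, timezone

DISK_IFACE_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"   # GUID_DEVINTERFACE_DISK
SANDISK_PATH = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00#4C530001234567890123&0#"
                + DISK_IFACE_GUID)
KINGSTON_PATH = ("_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP#0019E06B2C54FB90B6F03FE9&0#"
                 + DISK_IFACE_GUID)

# Constructed SYSTEM\MountedDevices contents (value name -> binary data). USB volumes carry the
# device path as UTF-16LE text; an MBR fixed disk carries 12 bytes (disk signature + partition offset).
MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + (1048576).to_bytes(8, "little"),
    "\\DosDevices\\E:": SANDISK_PATH.encode("utf-16-le"),
    "\\??\\Volume{9c2d4b6e-1f3a-4a5b-8c7d-0123456789ab}": SANDISK_PATH.encode("utf-16-le"),
    "\\??\\Volume{5e1f0a2b-7c8d-4e9f-a0b1-c2d3e4f5a6b7}": KINGSTON_PATH.encode("utf-16-le"),
}

# Constructed per-user NTUSER.DAT\...\Explorer\MountPoints2 subkeys: GUID -> key last write time (UTC).
MOUNTPOINTS2 = {
    "alice": {"{9c2d4b6e-1f3a-4a5b-8c7d-0123456789ab}": datetime(2023, 5, 1, 8, 0, 5, tzinfo=timezone.utc)},
    "bob":   {"{5e1f0a2b-7c8d-4e9f-a0b1-c2d3e4f5a6b7}": datetime(2023, 4, 13, 14, 2, 20, tzinfo=timezone.utc),
              "{9c2d4b6e-1f3a-4a5b-8c7d-0123456789ab}": datetime(2023, 4, 12, 9, 16, 40, tzinfo=timezone.utc)},
}


def decode_mounted_device(data):
    """Return the USBSTOR device path for a USB volume entry, or None for any other entry type."""
    if len(data) % 2:
        return None
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.startswith("_??_USBSTOR#") else None


def serial_from_path(path):
    # '_??_USBSTOR#<class&Ven&Prod&Rev>#<serial>&0#{guid}' -> '<serial>'
    return path.split("#")[2].split("&")[0]


def usb_drive_letters(mounted):
    """Drive letter -> serial of the USB device last mapped to it. MountedDevices keeps only the
    current (last) mapping per letter, so this result carries no history."""
    letters = {}
    for name, data in mounted.items():
        path = decode_mounted_device(data)
        if path and name.startswith("\\DosDevices\\"):
            letters[name[-2:]] = serial_from_path(path)
    return letters


def attribute_usb_to_users(mounted, mountpoints2):
    """Join \\??\\Volume{GUID} entries with the GUID subkeys in each user's MountPoints2;
    the subkey's last write time is when that user last had the volume mounted."""
    by_guid = {}
    for name, data in mounted.items():
        path = decode_mounted_device(data)
        if path and name.startswith("\\??\\Volume{"):
            by_guid[name[len("\\??\\Volume"):]] = serial_from_path(path)
    hits = [{"user": user, "guid": guid, "serial": by_guid[guid], "last_write_utc": ts}
            for user, guids in mountpoints2.items()
            for guid, ts in guids.items() if guid in by_guid]
    return sorted(hits, key=lambda h: h["last_write_utc"])


if __name__ == "__main__":
    print(usb_drive_letters(MOUNTED_DEVICES))
    for h in attribute_usb_to_users(MOUNTED_DEVICES, MOUNTPOINTS2):
        print(f'{h["last_write_utc"].isoformat()}  {h["user"]:<6} {h["serial"]}  {h["guid"]}')
```

The same volume GUID can legitimately appear under more than one user's MountPoints2 (both constructed users mounted the SanDisk device), which is why the result is a list of (user, device, time) hits ordered by time rather than a single user per device; and because the \DosDevices\ entries only hold the current mapping, the drive letter result should be read as "last mapped to E:" and nothing more.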
Shortcut (LNK) Files
Shortcut files are automatically generated by Windows and can provide rich details about file and folder access, including those on external devices.
Description: Shortcut files are automatically created by Windows. Recent Items, as well as opening local and remote data files and documents, will generate a shortcut file (.lnk).
Location: While LNK files can be found in other locations, primary locations related to user activity include:
XP:
C:\%USERPROFILE%\Recent
Win7/8/10:
C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\
C:\%USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\
Interpretation: LNK files offer a wealth of information:
The Creation Date of the Shortcut (LNK) File indicates the Date/Time a file of that name was first opened.
The Last Modification Date of the Shortcut (LNK) File indicates the Date/Time a file of that name was last opened.
The LNK target file data (the internal LNK file information) itself contains:
Modified, Access, and Creation times of the target file.
Volume Information (including Name, Type, and Serial Number).
Network Share information.
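Reading the internal LNK fields listed above (the target's modified, access and creation times from the header, and the volume name, type and serial number from the LinkInfo VolumeID), as an added Python example that is not code from the original post. The shortcut it parses is built in the same block from constructed values, so no real .lnk is needed; the layout follows the ShellLinkHeader and LinkInfo structures of the Shell Link binary format, and the Unicode volume-label variant and the network-share (CommonNetworkRelativeLink) block are deliberately left out. The shortcut file's own creation and modification dates are filesystem timestamps and are not inside the file, so they are not part of this parse.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}


def to_filetime(dt):
    d = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (d.days * 86400 * 10**6 + d.seconds * 10**6 + d.microseconds) * 10


def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def build_lnk(ctime, atime, wtime, size, volume_label, volume_serial, base_path):
    """Build a minimal shell link: ShellLinkHeader + LinkInfo (VolumeID and LocalBasePath).
    Used only to construct the sample below; real files also carry an IDList, string data, etc."""
    label = volume_label.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 2, volume_serial, 16) + label  # DriveType 2 = removable
    base = base_path.encode("ascii") + b"\x00"
    suffix = b"\x00"                                          # empty CommonPathSuffix
    vol_off = 28
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = (struct.pack("<IIIIIII", suffix_off + len(suffix), 28, 1, vol_off, base_off, 0, suffix_off)
                 + volume_id + base + suffix)
    header = (struct.pack("<I", 0x4C) + LNK_CLSID
              + struct.pack("<II", 0x02, 0x20)                 # LinkFlags HasLinkInfo; FILE_ATTRIBUTE_ARCHIVE
              + struct.pack("<QQQ", to_filetime(ctime), to_filetime(atime), to_filetime(wtime))
              + struct.pack("<IiIHHII", size, 0, 1, 0, 0, 0, 0))  # FileSize, IconIndex, ShowCommand, HotKey, reserved
    return header + link_info


def _cstr(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("ascii", "replace")


def parse_lnk(buf):
    """Pull the target's MAC times and size from the header and the volume label, serial and drive
    type from LinkInfo. The Unicode label variant (VolumeLabelOffset == 0x14) is not handled here."""
    header_size, = struct.unpack_from("<I", buf, 0)
    if header_size != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", buf, 20)
    ctime, atime, wtime = struct.unpack_from("<QQQ", buf, 28)
    size, = struct.unpack_from("<I", buf, 52)
    info = {"target_created": from_filetime(ctime), "target_accessed": from_filetime(atime),
            "target_modified": from_filetime(wtime), "target_size": size}
    pos = 0x4C
    if flags & 0x01:                                   # HasLinkTargetIDList: skip over it
        idlist_size, = struct.unpack_from("<H", buf, pos)
        pos += 2 + idlist_size
    if flags & 0x02:                                   # HasLinkInfo
        _li_size, _li_hdr, li_flags, vol_off, base_off, _cnrl_off, _suffix_off = struct.unpack_from("<IIIIIII", buf, pos)
        if li_flags & 0x01:                            # VolumeIDAndLocalBasePath
            v = pos + vol_off
            _vsize, drive_type, serial, label_off = struct.unpack_from("<IIII", buf, v)
            hex_serial = f"{serial:08X}"
            info.update({"drive_type": DRIVE_TYPES.get(drive_type, str(drive_type)),
                         "volume_serial": f"{hex_serial[:4]}-{hex_serial[4:]}",
                         "volume_label": _cstr(buf, v + label_off),
                         "local_base_path": _cstr(buf, pos + base_off)})
    return info


# Constructed sample: a shortcut to a document that was opened from a removable volume.
SAMPLE_LNK = build_lnk(
    ctime=datetime(2023, 4, 12, 9, 20, 1, tzinfo=timezone.utc),
    atime=datetime(2023, 5, 1, 8, 2, 44, tzinfo=timezone.utc),
    wtime=datetime(2023, 4, 30, 17, 45, 0, tzinfo=timezone.utc),
    size=24576, volume_label="SANDISK", volume_serial=0x1A2B3C4D,
    base_path="E:\\Reports\\q1-summary.docx",
)

if __name__ == "__main__":
    for k, v in parse_lnk(SAMPLE_LNK).items():
        print(f"{k:<18} {v}")
```

The volume serial comes out in the XXXX-XXXX form, which is the value to match against the hex conversion of the EMDMgmt decimal serial, and the local base path keeps the drive letter the device had when the file was opened, which is what lets a shortcut tie a document to a particular removable volume even after the letter has been reused.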
By leveraging these artifacts, forensic experts can paint a detailed picture of external device interactions, identifying not only the devices themselves but also the timeline of their usage and the users involved, which is invaluable for incident response and digital investigations.



