Advertisement

Registry Forensics: Attached Devices
Artifacts are items of data or information left behind after a specific activity occurs on a system. Generally, any user activity leaves some type of artifact somewhere. Depending on the type of activity, the artifacts can be of enormous forensic importance. For instance, when a user visits a Web site using Internet Explorer, an artifact is left in the browser history and the URL is recorded in the Registry. Likewise, any USB device attached to a system will leave artifacts in several locations. Questions concerning which artifacts are of forensic importance will usually depend upon the type of investigation being conducted. Some examples why a forensic examination of the Registry should be conducted include:

  • Does the system allow USB devices to be recognized?
  • Was a particular USB device attached to a particular computer, and if so can artifacts be collected to assist in identifying the USB device?
  • Did a user connect an unauthorized USB device to his/her computer in violation of company policy?
  • Was an attached USB device infected with malware?
  • Was a USB device connected to download files or applications?
  • Can a timeline be determined during which a particular USB device was attached to a system?

1. WRITE BLOCK ALL USB DEVICES
• HKLM\SYSTEM\CurrentControlSet\Control USB devices can be write-blocked to prevent someone from attaching a device to a live system and performing a malicious act such as uploading a virus or downloading files and intellectual property. The “StorageDevicePolicies” and “WriteProtect” values can be set to “00000001” to turn on USB write protection in this key. If neither of these two values exists, they can be created by the System Administrator or by the user.

2. DISABLE USB DRIVES
• HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR USB devices can be prevented from operating when attached to a live system by changing the “Start” value from “0x00000003” to “0x00000004” in this key.

3. MOUNTED DEVICES and STORAGE DEVICES
Registry keys track each mounted volume and assigned drive letter used by the NTFS file system. Information concerning any external devices (such as USB devices, CD/DVD ROMs, external memory cards, digital cameras, etc.) that had previously been attached to the system will be recorded in certain registry keys. On a live system, “regedit” or “Registry Commander” can be run from a USB device to access these keys. (Inserting this USB device will also make changes to the Registry). The keys can be exported directly from a live system and saved as readable text files.

• HKLM\SYSTEM\MountedDevices This key contains a list of mounted devices, their associated persistent volume names, Globally Unique Identifiers (GUIDs) for each device that has been attached to the system, the device’s name, and its serial number. GUIDs identify objects and are 128-bit values consisting of one group of 8 hexadecimal digits, followed by three groups of 4 hexadecimal digits each, followed by one group of 12 hexadecimal digits. The “Data” for each of the subkeys can be read by double-clicking on a particular entry or exporting the entire key to a text file. Conversely, if the Registry was captured and exported, the key can be examined using a tool such as “Windows Registry Analyzer.” The subkeys also contain the information necessary for identifying the volume(s) which can be vital to determine if a particular device was attached to a system. GUIDs for each device are listed as “\??\Volume{xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxx}.” One of the GUIDs should correspond to the “Data” in the “\DosDevices\x:” value. For instance, the GUID and “Data” for a particular USB device was determined to be:

Name: “\??\Volume{3cd41b45-8f08-11df-8dd4-
705ab6efe508}”
Data:_??_USBSTOR#Disk&Ven_&Prod_Patriot_Mem
ory& Rev_PMAP
#093A17A322A6&0#{53f56307-b6bf-11d0-94f2- 00a0c91efb8b}”
The “Data” from this GUID corresponded to the “Data” in:
Name: “\DosDevices\E:”
Data: “_??_USBSTOR#Disk& Ven_&Prod_Patriot_
Memory&Rev_PMAP
#093A17A322A6&0# {53f56307-b6bf-11d0-94f2-
00a0c91efb8b}”

In this example, a Patriot USB device with the serial number “093A17A322A6” was the last connected USB device on the computer and was designated as the “E” drive. The data also lists another GUID, “{53f56307-b6bf-11d0-94f2-00a0c91efb8b}” which can be used to find the same USB device and its serial number in other Keys (e.g. “HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\ {53f56307-b6bf-11d0-94f2-00a0c91efb8b}.”

• HKCU\Software\Microsoft\Windows\CurrentVersion\ Explorer\MountPoints2
Each user on a system has their own “NTUSER.DAT” file in their profile. This is the file that is accessed as “HKCU” when the user logs onto the system. If a GUID from the “HKLM\SYSTEM\ MountedDevices” key matches a GUID in this key, then that is indicative of a particular user being logged into the computer when that particular USB device was connected to the system. GUIDs also include the “Last Write Time” for each device that was attached to the system. The GUID “Volume{3cd41b45-8f08-11df-8dd4-705ab6efe508}” from the above example was listed under this key and provided the “Last Write Time” as “2/19/2012 - 12:13 PM.”

• HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\ The GUID subkeys include the USB storage device name, its serial number, and other GUID Subkeys where the device name and serial number can also be found. More importantly, a timeline for when each device was attached and then later removed is also captured. The GUID “{53f56307-b6bf-11d0-94f2-00a0c91efb8b}” described previously in “HKLM\SYSTEM\MountedDevices” appears four times under this key. Two of the GUIDs (and their subkeys “#”) provide the last time the device was connected to the system (listed as the “Last Write Time”):

“{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USB
STOR
#Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP
#093A17A322A6&0#{53f56307-b6bf-11d0-94f2-
00a0c91efb8b}”
“Last Write Time: 2/19/2012 - 11:55 AM”

The subkeys “#\Control” and “Control” provide the time that the same device was removed from the system (also listed as the “Last Write Time”) which corresponds to the same last write time in GUID “{3cd41b45-8f08-11df-8dd4-705ab6efe508}” under “HKCU\Software\ Microsoft\Windows\CurrentVersion\Explorer\MountPoints2” previously discussed:

“{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USB
STOR
#Disk&Ven_&Prod_Patriot_Memory&Rev_PMAP
#093A17A322A6&0#{53f56307-b6bf-11d0-94f2-
00a0c91efb8b}\#\Control
“Last Write Time: 2/19/2012 - 12:13 PM”

This discussion will continue in the next Digital Forensics Insider column.

John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Forensic Evidence” published by Humana Press. He can be reached at jjb@digforcon.com.

Advertisement
Advertisement