Tuesday, July 22, 2008

Imaging Devices in the Registry

I ran across an interesting blog this morning that had to do with Windows image acquisition devices, and where files are stored. These devices aren't write-blockers (what most forensic analysts may think when they hear "image acquisition") but instead digital cameras, like the MS LifeCam. The post mentions a GUID that is part of the directory path, and a search at the MS site reveals the following:

Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}

As a corporate consultant, I don't do a great deal of work with illicit images...however, this post does show what kind of information about image capture/acquisition devices (aka, cameras) is resident within a system image, and in particular within the Registry. The question then becomes, what other information is available?

While this specific post may apply more appropriately to law enforcement (i.e., illicit images), I can see how our team might get a call from a corporate customer regarding issues like someone taking pictures of other employees without their consent, etc. So this is great information to keep in mind.

Note that this does not apply to digital cameras that someone hooks up to their system via a USB cable and copies pictures from the camera memory device. Such devices are treated by Windows as removable storage...what we're talking about here is devices controlled via WIA in order to capture images/pictures, such as web cams.

Addendum: Apparently, some still image devices will be added to the Registry, even if they are only connected via USB and images copied off of them.

And yes, Virginia...there is a plugin! Rip.exe output looks like:

C:\Perl\forensics\rr>rip -r d:\cases\system -p imagedev
Launching imagedev v.20080730

Still Image Capture Devices
hp photosmart 320

How the Windows Image Acquisition Service Stores Images from a USB Camera in Preview
Registry Entries for Still Image Devices