Saturday, February 04, 2012

HowTo: USB Thumb Drives

Now and again, I get some interesting questions from folks, usually posing a previously-addressed question with a slightly different twist on it.  I received one of these types of questions recently and wanted to post a HowTo for others to review, and provide something to which they can add comments.

The question involved a thumb drive, and mapping the use of the thumb drive to a Windows shortcut/LNK file.  The items that we have are the device serial number (pulled from the device descriptor of the thumb drive...remember, this is NOT located in the memory area) and the volume serial number (VSN) from the formatted volume on the device.  These definitions should help you understand what we're referring to.

By now, most of us are familiar with how to go about doing USB device analysis on Windows systems.  This has been covered extensively by Rob Lee of SANS (see the Resources section below), as well as in Windows Registry Forensics and Windows Forensic Analysis 3/e

The key to answering the question of mapping volume serial numbers (VSNs) to specific devices on Vista and Windows 7 can be found in the EMDMgmt key.  This key is associated with ReadyBoost, and lists some details of the device that was connected to the system, including the unique device descriptor, the volume name, and the VSN.  Remember that the VSN can be changed simply by reformatting the device; however, this key should provide valuable information for mapping devices and VSNs (pulled from LNK files).

The EMDMgmt key and it's usefulness is discussed in detail in chapter 5 of Windows Forensic Analysis 3/e.

Often times, the Windows Portable Devices key (mentioned on pg 115 of Windows Registry Forensics; the data can be extracted from the Software hive using the port_dev.pl RegRipper plugin) will contain some very useful information, such as historical drive mappings.  Beneath this key is the Devices key, and beneath that key are subkeys that refer to devices that have been connected to the system.  The "FriendlyName" value will often contain the drive letter to which the device was mounted; in one instance, I have a device that was connected and has the volume name ("TEST") in that particular value data, rather than the drive letter.  The subkey name will usually contain the unique device identifier (very often, the device serial number) within the name...simply parse the key name apart, using "#" as your separator, and you'll see it at or near the end.

Addendum
I came up with a graphic to illustrate the relationship between various Registry hives and keys (and some values) with respect to this analysis:


Resources
Blog Post: Windows Portable Devices (Vista)
SANS Forensic Guide for profiling thumb drives on Windows systems
WindowsIR: Mapping USB devices via LNK (2007)

2 comments:

davnads said...

Harlan,

Fantastic graphic. Thank you. I'll be printing a copy out for sure.

Although not relevant to reg analysis, one suggestion would be to include the setupapi.dev.log to show the first time a device was connected. It just be nice to see everything in one graphic.

Keydet89 said...

Dave,

Thanks. I've got a bunch of other stuff I've added to my version of the graphic...stuff like the setupapi.dev.log file, RegRipper plugins to run for each step (including my own emdmgmt.pl plugin), etc. I am using it as a reminder, in part because there's so much available, and I see a lot of folks that have trouble keeping it all straight...like those who think that for some reason, the LastWrite times on the USBStor subkeys correlate to when the device was last plugged in...