My previous blog post addressed USB-connected devices, but only from the perspective of Windows Event Logs. In this blog post, I wanted to include data from the Registry, incorporated in a timeline so that the various data sources could be viewed through a common lens, in a single pane of glass.
I started by using wevtutil.exe to export current copies of the five Windows Event Logs to a central location. I then used reg.exe to do the same thing for the System hive. I then used my timeline process (outlined in several of my books) to create the events file from the six data sources; I used wevtx.bat to parse the Windows Event Logs, and three newly created RegRipper Pro plugins to parse the relevant data from the System hive. The specific keys, values and data parsed from the hive were based largely on Yogesh's blog post, and this academic paper posted at the ResearchGate site. I created the initial plugins, and then modified them to display TLN-format output, for inclusion in timelines.
For this research, there were three specific devices I was interested in...my iPod, my iPhone, and a SanDisk Cruzer USB thumb drive. After creating the overall events file, I used the "type" and "find" commands to look for events associated specifically with those devices, isolated each into their own individual "overlay" events file, and then created timelines from each of those events files. This approach makes it easy to "see" what's going on and create artifact constellations, as I don't have to filter out "noise" associated with other events, and I still have the overall events file that I can refer to.
What I'm sharing below are partial timelines of events, just enough to demonstrate events based on intentionally limited data sources, so that initial artifact constellations can be developed. From this point, the constellations can be built out; for example, accessing files on the SanDisk Cruzer will produce Windows shortcut files pointing to files on the "E:\" volume. Again, these timeline overlays are not complete, but are intended to demonstrate Registry artifacts associated with USB-connected devices alongside Windows Event Log artifacts.
iPod
A while back, I inserted my iPod into my computer in order to retrieve music files, via iTunes, so that I could transfer them to my iPhone. I didn't think much about it at the time, but the connection was clearly "remembered" by Windows 10, specifically via the Registry.
Here are the events around the insertion:
Sun Jan 2 19:41:21 2022 Z
REG - First Inserted - Apple iPod [6&3091e96e&0&0000]
REG - First Install - Apple iPod [6&3091e96e&0&0000]
EVTX Stewie - Microsoft-Windows-WPD-MTPClassDriver/1005;Apple Inc.,Apple iPod,4.3.5,40
REG - Last Inserted - Apple iPod [6&3091e96e&0&0000]
Sun Jan 2 19:41:15 2022 Z
EVTX Stewie - Microsoft-Windows-DeviceSetupManager/112;iPod,{fc916355-34ea-555c-9e24-3c59f6125097},2,42,11
And here are the events around the removal of the device from the computer, a little more than 14 minutes later:
Sun Jan 2 19:55:46 2022 Z
REG - Last Removal - Apple iPod [6&3091e96e&0&0000]
The completed message string for the "Microsoft-Windows-DeviceSetupManager/112" event above is:
Device 'Apple iPod' ({fc916355-34ea-555c-9e24-3c59f6125097}) has been serviced, processed 6 tasks, wrote 34 properties, active worktime was 11748 milliseconds.
I state this specifically because following the "Last Removal" event on 2 Jan 2022, the timeline contains an additional 9 events from 6 Jan to 22 May, all for the same "Microsoft-Windows-DeviceSetupManager/112" event records for the iPod, but the last three string entries are different. In every case, only 1 task is run, and the active worktime runs from 0 to 31 milliseconds. I know that the iPod was not plugged in during these times, and as such, this seems to be an artifact of the installation process.
iPhone
I have connected my iPhone to this Windows 10 system via a USB cable, to transfer pictures from it, and to transfer music files to it, via iTunes. Here we see one such connection on 7 May 2022:
Sat May 7 14:16:35 2022 Z
REG - Last Removal - @oem119.inf,iphone.appleusb.devicedesc%;Apple Mobile Device USB Composite Device [00008030000E6C6C11DA802E]
REG - Last Removal - Apple iPhone [6&139bb8e1&1&0000]
Sat May 7 14:14:57 2022 Z
EVTX Stewie - Microsoft-Windows-WPD-MTPClassDriver/1005;Apple Inc.,Apple iPhone,15.4.1,40
EVTX Stewie - Microsoft-Windows-DeviceSetupManager/112;Apple iPhone,{7e8068a1-2d62-53fb-8285-a12072dfa871},4,34,296
Sat May 7 14:14:56 2022 Z
REG - Last Inserted - Apple iPhone [6&139bb8e1&1&0000]
REG - Last Inserted - @oem119.inf,iphone.appleusb.devicedesc%;Apple Mobile Device USB Composite Device [00008030000E6C6C11DA802E]
There's information later in the timeline regarding another connection to the system, this time to copy pictures off of the iPhone. The "Last Inserted" and "Last Removal" events are from a different Registry key than the ones seen above, as indicated by the serial number in brackets at the end of each "event".
Fri Apr 15 16:23:13 2022 Z
REG - Last Removal - @oem119.inf,iphone.appleusbmux.devicedesc%;Apple Mobile Device USB Device [6&139bb8e1&1&0001]
...
Fri Apr 15 16:19:02 2022 Z
EVTX Stewie - Microsoft-Windows-WPD-MTPClassDriver/1005;Apple Inc.,Apple iPhone,15.4.1,40
Fri Apr 15 16:18:57 2022 Z
EVTX Stewie - Microsoft-Windows-DeviceSetupManager/112;Apple iPhone,{7e8068a1-2d62-53fb-8285-a12072dfa871},4,34,140
REG - Last Inserted - @oem119.inf,iphone.appleusbmux.devicedesc%;Apple Mobile Device USB Device [6&139bb8e1&1&0001]
Cruzer
The artifact constellation for the SanDisk Cruzer thumb drive is a bit different from that of the iPhone and the iPod. In this case, the events around the last time the device was inserted and then removed from the computer span less than a minute...
Mon May 16 22:07:08 2022 Z
EVTX Stewie - Microsoft-Windows-Partition/1006;1,8208,262401,false,0,0,0,0,0,7,SanDisk,Cruzer,8.02,2443931D6C0226E3,...
REG - Last Removal - SanDisk Cruzer USB Device
REG - Last Removal - Cruzer [E:\]
Mon May 16 22:06:26 2022 Z
EVTX Stewie - Microsoft-Windows-Ntfs/145;3,{1e09345e-d3d4-11e8-92fd-1c4d704c6039},2,E:,false,0,{fab772f6-83e6-5d5f-1086-740d39e45bff},8,SanDisk ,16,Cruzer ...
EVTX Stewie - Microsoft-Windows-Partition/1006;1,8208,262401,false,0,0,0,512,8036285952,7,SanDisk,Cruzer,8.02,2443931D6C0226E3,Integrated : ...
Mon May 16 22:06:24 2022 Z
EVTX Stewie - Microsoft-Windows-Partition/1006;1,8208,262401,false,0,0,0,0,0,7,SanDisk,Cruzer,8.02,2443931D6C0226E3,...
EVTX Stewie - Microsoft-Windows-DeviceSetupManager/112;Cruzer,{81fa6fcf-bfc9-5887-bdbc-2cffb6be0b29},4,34,281
REG - Last Inserted - Cruzer [E:\]
REG - Last Inserted - SanDisk Cruzer USB Device
Note that several of the events, particularly those from the Partition/Diagnostic Event Log, are shortened here for readability.
Registry
Each of the above three devices appears in the Registry, specifically in the System hive, sometimes in multiple locations. For example, the SanDisk Cruzer thumb drive appears in both the USBStor and WPDBUSENUM subkeys.
From the USBStor key:
Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02
2443931D6C0226E3&0
DeviceDesc : @disk.inf,%disk_devdesc%;Disk drive
Mfg : @disk.inf,%genmanufacturer%;(Standard disk drives)
Service : disk
FriendlyName : SanDisk Cruzer USB Device
First Install : 2021-09-09 17:37:15Z
First Inserted : 2021-09-09 17:37:15Z
Last Inserted : 2022-05-16 22:06:24Z
Last Removal : 2022-05-16 22:07:08Z
From the WPDBUSENUM key:
_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02#2443931D6C0226E3&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
DeviceDesc : Cruzer
FriendlyName : E:\
First Install : 2021-09-09 17:37:17Z
First Inserted : 2021-09-09 17:37:17Z
Last Inserted : 2022-05-16 22:06:24Z
Last Removal : 2022-05-16 22:07:08Z
The Apple devices appear beneath the USB key, based on the vendor ID (VID) and product ID (PID):
VID_05AC&PID_129E
b9e69c2c948d76fd3f959be89193f30a500a0d50
DeviceDesc : @oem119.inf,%iphone.appleusb.devicedesc%;Apple Mobile Device USB Composite Device
Mfg : @oem119.inf,%aapl%;Apple, Inc.
Service : usbccgp
FriendlyName : @oem119.inf,%iPhone.AppleUSB.DeviceDesc%;Apple Mobile Device USB Composite Device
First Install : 2022-01-02 19:41:16Z
First Inserted : 2022-01-02 19:41:15Z
Last Inserted : 2022-01-02 19:41:15Z
Last Removal : 2022-01-02 19:55:46Z
VID_05AC&PID_129E&MI_00
6&3091e96e&0&0000
DeviceDesc : Apple iPod
Mfg : Apple Inc.
Service : WUDFWpdMtp
FriendlyName : Apple iPod
First Install : 2022-01-02 19:41:21Z
First Inserted : 2022-01-02 19:41:21Z
Last Inserted : 2022-01-02 19:41:21Z
Last Removal : 2022-01-02 19:55:46Z
VID_05AC&PID_129E&MI_01
6&3091e96e&0&0001
DeviceDesc : @oem119.inf,%iphone.appleusbmux.devicedesc%;Apple Mobile Device USB Device
Mfg : @oem119.inf,%aapl%;Apple, Inc.
Service : WINUSB
FriendlyName : @oem119.inf,%iPhone.AppleUsbMux.DeviceDesc%;Apple Mobile Device USB Device
First Install : 2022-01-02 19:41:16Z
First Inserted : 2022-01-02 19:41:16Z
Last Inserted : 2022-01-02 19:41:16Z
Last Removal : 2022-01-02 19:55:46Z
VID_05AC&PID_12A8
00008030000E6C6C11DA802E
DeviceDesc : @oem119.inf,%iphone.appleusb.devicedesc%;Apple Mobile Device USB Composite Device
Mfg : @oem119.inf,%aapl%;Apple, Inc.
Service : usbccgp
FriendlyName : @oem119.inf,%iPhone.AppleUSB.DeviceDesc%;Apple Mobile Device USB Composite Device
First Install : 2022-01-02 19:56:40Z
First Inserted : 2022-01-02 19:56:40Z
Last Inserted : 2022-05-07 14:14:56Z
Last Removal : 2022-05-07 14:16:35Z
VID_05AC&PID_12A8&MI_00
6&139bb8e1&1&0000
DeviceDesc : Apple iPhone
Mfg : Apple Inc.
Service : WUDFWpdMtp
FriendlyName : Apple iPhone
First Install : 2022-01-02 19:56:46Z
First Inserted : 2022-01-02 19:56:46Z
Last Inserted : 2022-05-07 14:14:56Z
Last Removal : 2022-05-07 14:16:35Z
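The following is an added example, not the author's RegRipper Pro plugins or wevtx.bat. It reads a reg.exe export of the System hive's Enum\USBSTOR and Enum\USB keys, decodes the four FILETIME properties (0064 First Install, 0065 First Inserted, 0066 Last Inserted, 0067 Last Removal) under each device instance's Properties\{83da6326-97a6-4088-9453-a1923f573b29} key, and emits the five-field TLN lines (time|source|system|user|description) that the timeline process described at the top of the post consumes. It then pulls one device out as an "overlay", the way the "type" and "find" step does, and flags DeviceSetupManager/112 descriptions that fit the background-servicing pattern noted in the iPod section (one task, worktime of 31 ms or less). The sample export is constructed here from the Cruzer and iPod values listed above; the hex(ffff0010) type tag in it is an assumption about how reg.exe renders these values, and the parser ignores the tag and keys only on the 8-byte payload. The hostname "Stewie" is taken from the EVTX lines, and putting the instance ID in brackets on every description is a formatting choice of this example.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)
UNIX_EPOCH_FILETIME = 116444736000000000          # 1970-01-01T00:00:00Z as FILETIME
PROP_GUID = "{83da6326-97a6-4088-9453-a1923f573b29}"
PROP_NAMES = {"0064": "First Install", "0065": "First Inserted",
              "0066": "Last Inserted", "0067": "Last Removal"}


def filetime_to_utc(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; integer math, no float loss."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    d = dt - EPOCH_1601
    return ((d.days * 86400 + d.seconds) * 10**6 + d.microseconds) * 10


def parse_reg_export(text):
    """{key_path: {value_name: raw_data}} from 'Windows Registry Editor' text.
    Joins the trailing-backslash continuation lines reg.exe emits for hex data."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def hex_payload(data):
    """'hex(ffff0010):aa,bb,...' or 'hex:aa,bb' -> bytes; the type tag is ignored."""
    return bytes(int(b, 16) for b in data.partition(":")[2].split(",") if b)


def usb_timeline(keys, host="Stewie", user=""):
    """TLN tuples (epoch, source, host, user, description) for every 0064-0067
    property under Enum\\USBSTOR or Enum\\USB, newest first."""
    pat = re.compile(r"\\Enum\\(USBSTOR|USB)\\([^\\]+)\\([^\\]+)\\Properties\\"
                     + re.escape(PROP_GUID) + r"\\(006[4-7])$", re.IGNORECASE)
    events = []
    for path, values in keys.items():
        m = pat.search(path)
        if not m or "@" not in values:
            continue
        _enum, device, instance, prop = m.groups()
        raw = hex_payload(values["@"])
        if len(raw) != 8:
            continue                                   # not a FILETIME; do not guess
        stamp = filetime_to_utc(int.from_bytes(raw, "little"))
        inst_key = path.split("\\Properties\\")[0]     # the device instance key itself
        friendly = keys.get(inst_key, {}).get("FriendlyName", "").strip('"') or device
        events.append((int(stamp.timestamp()), "REG", host, user,
                       f"REG - {PROP_NAMES[prop]} - {friendly} [{instance}]"))
    return sorted(events, reverse=True)


def overlay(events, needle):
    """The 'type events.txt | find "needle"' step: keep one device's events only."""
    return [e for e in events if needle.lower() in e[4].lower()]


def render(events):
    """Group by timestamp, most recent first, like the timelines in the post."""
    out, last = [], None
    for epoch, _src, _host, _user, desc in events:
        if epoch != last:
            dt = datetime.fromtimestamp(epoch, UTC)
            out.append(f"{dt:%a %b} {dt.day} {dt:%H:%M:%S %Y} Z")
            last = epoch
        out.append("  " + desc)
    return "\n".join(out)


def dsm112_is_servicing(desc):
    """For a wevtx-style '...DeviceSetupManager/112;name,{guid},tasks,props,ms'
    description: True when it matches the one-task, <=31 ms background pattern
    the post describes, rather than a device arrival."""
    tasks, _props, ms = desc.rsplit(",", 3)[1:]
    return int(tasks) == 1 and int(ms) <= 31


def reg_filetime(dt):
    """Render one FILETIME value wrapped the way reg.exe wraps hex data (constructed)."""
    hx = [f"{b:02x}" for b in utc_to_filetime(dt).to_bytes(8, "little")]
    return "@=hex(ffff0010):" + ",".join(hx[:5]) + ",\\\n  " + ",".join(hx[5:])


def build_sample():
    """Constructed reg.exe-style export (not a real hive dump) carrying the
    Cruzer and iPod timestamps quoted in the post's Registry section."""
    base = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum"
    devices = {
        (base + r"\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\2443931D6C0226E3&0",
         "SanDisk Cruzer USB Device"): [(2021, 9, 9, 17, 37, 15), (2021, 9, 9, 17, 37, 15),
                                       (2022, 5, 16, 22, 6, 24), (2022, 5, 16, 22, 7, 8)],
        (base + r"\USB\VID_05AC&PID_129E&MI_00\6&3091e96e&0&0000",
         "Apple iPod"): [(2022, 1, 2, 19, 41, 21), (2022, 1, 2, 19, 41, 21),
                         (2022, 1, 2, 19, 41, 21), (2022, 1, 2, 19, 55, 46)],
    }
    lines = ["Windows Registry Editor Version 5.00", ""]
    for (key, name), stamps in devices.items():
        lines += [f"[{key}]", f'"FriendlyName"="{name}"', ""]
        for prop, ymdhms in zip(sorted(PROP_NAMES), stamps):
            lines += [f"[{key}\\Properties\\{PROP_GUID}\\{prop}]",
                      reg_filetime(datetime(*ymdhms, tzinfo=UTC)), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    events = usb_timeline(parse_reg_export(build_sample()))
    print(render(overlay(events, "Cruzer")))
```

Run as-is it prints the Cruzer overlay in the same grouped, newest-first layout used above. For a real export, read the file with encoding="utf-16" (reg.exe writes Unicode text with a BOM) and keep in mind that the export reflects whichever ControlSet the live system was using. The WPDBUSENUM entries listed above (the "E:\" FriendlyName) carry the same Properties layout, so widening the alternation in usb_timeline's regex picks those up too.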
Additional Resources
Note that per Yogesh's blog post, the "Microsoft-Windows-Kernel-PnP/Device Configuration" Event Log may also contain information about the connected devices.
One More Thing
While I was doing some research for this blog post, I ran across this entry for event ID 112, albeit from the "Microsoft-Windows-TaskScheduler/Operational" Event Log. Once again, please stop referring to event records solely by their ID, and start including the event source, as well.