Thursday, May 26, 2022

USB Device Redux, with Timelines

If you ask DFIR analysts, "What is best in life?", the answer you should hear is, "...creating timelines!" After all, industry luminaries such as Andrew said, "Time is the most important thing in life, and timelines are one of the most useful tools for investigation and analysis.", and Chris said, "The timeline is the central concept of all investigative work."

My previous blog post addressed USB-connected devices, but only from the perspective of Windows Event Logs. In this blog post, I wanted to include data from the Registry, incorporated in a timeline so that the various data sources could be viewed through a common lens, in a single pane of glass. 

I started by using wevtutil.exe to export current copies of the five Windows Event Logs to a central location. I then used reg.exe to do the same thing for the System hive. I then used my timeline process (outlined in several of my books) to create the events file from the six data sources; I used wevtx.bat to parse the Windows Event Logs, and three newly created RegRipper Pro plugins to parse the relevant data from the System hive. The specific keys, values and data parsed from the hive were based largely on Yogesh's blog post, and this academic paper posted at the ResearchGate site. I created the initial plugins, and then modified them to display TLN-format output, for inclusion in timelines.

For this research, there were three specific devices I was interested in...my iPod, my iPhone, and a SanDisk Cruzer USB thumb drive. After creating the overall events file, I used the "type" and "find" commands to look for events associated specifically with those devices, isolated each into their own individual "overlay" events file, and then created timelines from each of those events files. This approach makes it easy to "see" what's going on and create artifact constellations, as I don't have to filter out "noise" associated with other events, and I still have the overall events file that I refer to. 

What I'm sharing below are partial timelines of events, just enough to demonstrate events based on intentionally limited data sources, so that initial artifact constellations can be developed. From this point, the constellations can be built out; for example, accessing files the SanDisk Cruzer will produce Windows shortcut files pointing to files on the "E:\" volume. Again, these timeline overlays are not complete, but are intended to demonstrate Registry artifacts associated with USB-connected devices alongside Windows Event Log artifacts.
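The events-file-to-overlay step described above, as an added example that is not the post's own tooling (the author's process uses RegRipper plugins, wevtx.bat and the "type"/"find" commands). It assumes the five-field TLN record layout, time|source|host|user|description with the time as a Unix epoch in UTC, and reproduces the grouped timeline layout shown in the post. The sample records are constructed from the iPod and Cruzer entries on this page; the host name "Stewie" is the one shown in the post.

```python
"""Build a TLN-style timeline and a per-device "overlay" from an events file."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events file (TLN: time|source|host|user|description).
# Epoch values correspond to the timestamps shown in the post:
# 2022-01-02 19:41:15Z, 19:41:21Z, 19:55:46Z and 2022-05-16 22:06:24Z.
SAMPLE_EVENTS = """\
1641152481|REG|||First Inserted - Apple iPod [6&3091e96e&0&0000]
1641152481|REG|||First Install - Apple iPod [6&3091e96e&0&0000]
1641152481|EVTX|Stewie||Microsoft-Windows-WPD-MTPClassDriver/1005;Apple Inc.,Apple iPod,4.3.5,40
1641152481|REG|||Last Inserted - Apple iPod [6&3091e96e&0&0000]
1641152475|EVTX|Stewie||Microsoft-Windows-DeviceSetupManager/112;iPod,{fc916355-34ea-555c-9e24-3c59f6125097},2,42,11
1641153346|REG|||Last Removal - Apple iPod [6&3091e96e&0&0000]
1652738784|REG|||Last Inserted - SanDisk Cruzer USB Device
"""


def parse_tln(text):
    """Parse TLN records into (epoch, source, host, user, description) tuples.

    Malformed lines (wrong field count, non-numeric time) are skipped rather
    than aborting the run; a large events file merged from several parsers
    usually contains a few of them.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|", 4)
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        epoch, source, host, user, desc = fields
        records.append((int(epoch), source, host, user, desc))
    return records


def overlay(records, keyword):
    """Keep only records whose description mentions the device.

    This is the 'type events.txt | find /i "keyword"' step from the post, done
    in code as a case-insensitive substring match on the description field.
    """
    key = keyword.lower()
    return [r for r in records if key in r[4].lower()]


def format_timeline(records):
    """Render records in the post's layout: newest timestamp first, one header
    line per timestamp followed by every event that occurred in that second."""
    groups = defaultdict(list)
    for epoch, source, host, user, desc in records:
        groups[epoch].append((source, host, user, desc))
    out = []
    for epoch in sorted(groups, reverse=True):
        dt = datetime.fromtimestamp(epoch, tz=timezone.utc)
        # e.g. "Sun Jan  2 19:41:21 2022 Z" (day of month padded with a space)
        out.append(f"{dt:%a %b} {dt.day:2d} {dt:%H:%M:%S %Y} Z")
        for source, host, user, desc in groups[epoch]:
            out.append(f"  {source:<8} {host:<10} {user:<6} - {desc}")
        out.append("")
    return "\n".join(out)


def timeline_for(text, keyword):
    """Overlay timeline for one device, from a raw events file."""
    return format_timeline(overlay(parse_tln(text), keyword))


if __name__ == "__main__":
    print(timeline_for(SAMPLE_EVENTS, "iPod"))
```

Keeping the full events file and deriving each overlay from it, rather than filtering at parse time, preserves the ability to go back to the unfiltered data when a constellation needs to be widened (for example, to pull in the shortcut files pointing at the E:\ volume).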

iPod
A while back, I inserted my iPod into my computer in order to retrieve music files, via iTunes, so that I could transfer them to my iPhone. I didn't think much about it at the time, but the connection was clearly "remembered" by Windows 10, specifically via the Registry.

Here are the events around the insertion:

Sun Jan  2 19:41:21 2022 Z
  REG                        - First Inserted - Apple iPod [6&3091e96e&0&0000]
  REG                        - First Install - Apple iPod [6&3091e96e&0&0000]
  EVTX     Stewie            - Microsoft-Windows-WPD-MTPClassDriver/1005;Apple Inc.,Apple iPod,4.3.5,40
  REG                        - Last Inserted - Apple iPod [6&3091e96e&0&0000]

Sun Jan  2 19:41:15 2022 Z
  EVTX     Stewie            - Microsoft-Windows-DeviceSetupManager/112;iPod,{fc916355-34ea-555c-9e24-3c59f6125097},2,42,11

And here are the events around the removal of the device from the computer, a little more than 14 minutes later:

Sun Jan  2 19:55:46 2022 Z
  REG                        - Last Removal - Apple iPod [6&3091e96e&0&0000]

The completed message string for the "Microsoft-Windows-DeviceSetupManager/112" event above is:

Device 'Apple iPod' ({fc916355-34ea-555c-9e24-3c59f6125097}) has been serviced, processed 6 tasks, wrote 34 properties, active worktime was 11748 milliseconds.

I state this specifically because following the "Last Removal" event on 2 Jan 2022, the timeline contains an additional 9 events from 6 Jan to 22 May, all for the same "Microsoft-Windows-DeviceSetupManager/112" event records for the iPod, but the last three string entries are different. In every case, only 1 task is run, and the active worktime runs from 0 to 31 milliseconds. I know that the iPod was not plugged in during these times, and as such, this seems to be an artifact of the installation process.

iPhone
I have connected my iPhone to this Windows 10 system via a USB cable, to transfer pictures from it, and to transfer music files to it, via iTunes. Here we see one such connection on 7 May 2022:

Sat May  7 14:16:35 2022 Z
  REG                        - Last Removal - @oem119.inf,iphone.appleusb.devicedesc%;Apple Mobile Device USB Composite Device [00008030000E6C6C11DA802E]
  REG                        - Last Removal - Apple iPhone [6&139bb8e1&1&0000]

Sat May  7 14:14:57 2022 Z
  EVTX     Stewie            - Microsoft-Windows-WPD-MTPClassDriver/1005;Apple Inc.,Apple iPhone,15.4.1,40
  EVTX     Stewie            - Microsoft-Windows-DeviceSetupManager/112;Apple iPhone,{7e8068a1-2d62-53fb-8285-a12072dfa871},4,34,296

Sat May  7 14:14:56 2022 Z
  REG                        - Last Inserted - Apple iPhone [6&139bb8e1&1&0000]
  REG                        - Last Inserted - @oem119.inf,iphone.appleusb.devicedesc%;Apple Mobile Device USB Composite Device [00008030000E6C6C11DA802E]

There's information later in the timeline regarding another connection to the system, this time to copy pictures off of the iPhone. The "Last Inserted" and "Last Removal" events are from a different Registry key than the one seen above, as indicated by the serial number in brackets at the end of the "event".

Fri Apr 15 16:23:13 2022 Z
  REG                        - Last Removal - @oem119.inf,iphone.appleusbmux.devicedesc%;Apple Mobile Device USB Device [6&139bb8e1&1&0001]

...


Fri Apr 15 16:19:02 2022 Z
  EVTX     Stewie            - Microsoft-Windows-WPD-MTPClassDriver/1005;Apple Inc.,Apple iPhone,15.4.1,40

Fri Apr 15 16:18:57 2022 Z
  EVTX     Stewie            - Microsoft-Windows-DeviceSetupManager/112;Apple iPhone,{7e8068a1-2d62-53fb-8285-a12072dfa871},4,34,140
  REG                        - Last Inserted - @oem119.inf,iphone.appleusbmux.devicedesc%;Apple Mobile Device USB Device [6&139bb8e1&1&0001]

Cruzer
The artifact constellation for the SanDisk Cruzer thumb drive is a bit different from that of the iPhone and the iPod. In this case, the events around the last time the device was inserted and then removed from the computer span less than a minute...

Mon May 16 22:07:08 2022 Z
  EVTX     Stewie            - Microsoft-Windows-Partition/1006;1,8208,262401,false,0,0,0,0,0,7,SanDisk,Cruzer,8.02,2443931D6C0226E3,...
  REG                        - Last Removal - SanDisk Cruzer USB Device
  REG                        - Last Removal - Cruzer   [E:\]

Mon May 16 22:06:26 2022 Z
  EVTX     Stewie            - Microsoft-Windows-Ntfs/145;3,{1e09345e-d3d4-11e8-92fd-1c4d704c6039},2,E:,false,0,{fab772f6-83e6-5d5f-1086-740d39e45bff},8,SanDisk ,16,Cruzer ...
  EVTX     Stewie            - Microsoft-Windows-Partition/1006;1,8208,262401,false,0,0,0,512,8036285952,7,SanDisk,Cruzer,8.02,2443931D6C0226E3,Integrated : ...

Mon May 16 22:06:24 2022 Z
  EVTX     Stewie            - Microsoft-Windows-Partition/1006;1,8208,262401,false,0,0,0,0,0,7,SanDisk,Cruzer,8.02,2443931D6C0226E3,...
  EVTX     Stewie            - Microsoft-Windows-DeviceSetupManager/112;Cruzer,{81fa6fcf-bfc9-5887-bdbc-2cffb6be0b29},4,34,281
  REG                        - Last Inserted - Cruzer    [E:\]
  REG                        - Last Inserted - SanDisk Cruzer USB Device

Note that several of the events, particularly those from the Partition/Diagnostic Event Log, are shortened here for readability.

Registry 
Each of the above three devices appears in the Registry, specifically in the System hive, sometimes in multiple locations. For example, the SanDisk Cruzer thumb drive appears in both the USBStor and WPDBUSENUM subkeys.

From the USBStor key:
Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02
  2443931D6C0226E3&0
    DeviceDesc     : @disk.inf,%disk_devdesc%;Disk drive
    Mfg            : @disk.inf,%genmanufacturer%;(Standard disk drives)
    Service        : disk                          
    FriendlyName   : SanDisk Cruzer USB Device     
    First Install  : 2021-09-09 17:37:15Z     
    First Inserted : 2021-09-09 17:37:15Z     
    Last Inserted  : 2022-05-16 22:06:24Z     
    Last Removal   : 2022-05-16 22:07:08Z     

From the WPDBUSENUM key:
_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02#2443931D6C0226E3&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
    DeviceDesc     : Cruzer                        
    FriendlyName   : E:\                           
    First Install  : 2021-09-09 17:37:17Z     
    First Inserted : 2021-09-09 17:37:17Z     
    Last Inserted  : 2022-05-16 22:06:24Z     
    Last Removal   : 2022-05-16 22:07:08Z

The Apple devices appear beneath the USB key, based on the vendor ID:
VID_05AC&PID_129E
  b9e69c2c948d76fd3f959be89193f30a500a0d50
    DeviceDesc     : @oem119.inf,%iphone.appleusb.devicedesc%;Apple Mobile Device USB Composite Device
    Mfg            : @oem119.inf,%aapl%;Apple, Inc.
    Service        : usbccgp                       
    FriendlyName   : @oem119.inf,%iPhone.AppleUSB.DeviceDesc%;Apple Mobile Device USB Composite Device
    First Install  : 2022-01-02 19:41:16Z     
    First Inserted : 2022-01-02 19:41:15Z     
    Last Inserted  : 2022-01-02 19:41:15Z     
    Last Removal   : 2022-01-02 19:55:46Z     

VID_05AC&PID_129E&MI_00
  6&3091e96e&0&0000
    DeviceDesc     : Apple iPod                    
    Mfg            : Apple Inc.                    
    Service        : WUDFWpdMtp                    
    FriendlyName   : Apple iPod                    
    First Install  : 2022-01-02 19:41:21Z     
    First Inserted : 2022-01-02 19:41:21Z     
    Last Inserted  : 2022-01-02 19:41:21Z     
    Last Removal   : 2022-01-02 19:55:46Z     

VID_05AC&PID_129E&MI_01
  6&3091e96e&0&0001
    DeviceDesc     : @oem119.inf,%iphone.appleusbmux.devicedesc%;Apple Mobile Device USB Device
    Mfg            : @oem119.inf,%aapl%;Apple, Inc.
    Service        : WINUSB                        
    FriendlyName   : @oem119.inf,%iPhone.AppleUsbMux.DeviceDesc%;Apple Mobile Device USB Device
    First Install  : 2022-01-02 19:41:16Z     
    First Inserted : 2022-01-02 19:41:16Z     
    Last Inserted  : 2022-01-02 19:41:16Z     
    Last Removal   : 2022-01-02 19:55:46Z     

VID_05AC&PID_12A8
  00008030000E6C6C11DA802E
    DeviceDesc     : @oem119.inf,%iphone.appleusb.devicedesc%;Apple Mobile Device USB Composite Device
    Mfg            : @oem119.inf,%aapl%;Apple, Inc.
    Service        : usbccgp                       
    FriendlyName   : @oem119.inf,%iPhone.AppleUSB.DeviceDesc%;Apple Mobile Device USB Composite Device
    First Install  : 2022-01-02 19:56:40Z     
    First Inserted : 2022-01-02 19:56:40Z     
    Last Inserted  : 2022-05-07 14:14:56Z     
    Last Removal   : 2022-05-07 14:16:35Z     

VID_05AC&PID_12A8&MI_00
  6&139bb8e1&1&0000
    DeviceDesc     : Apple iPhone                  
    Mfg            : Apple Inc.                    
    Service        : WUDFWpdMtp                    
    FriendlyName   : Apple iPhone                  
    First Install  : 2022-01-02 19:56:46Z     
    First Inserted : 2022-01-02 19:56:46Z     
    Last Inserted  : 2022-05-07 14:14:56Z     
    Last Removal   : 2022-05-07 14:16:35Z     
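The Registry side of the timeline, as an added example rather than the RegRipper Pro plugins the post describes: decoding a device instance's four timestamps and emitting them as TLN records. It assumes the timestamps are stored under the instance's Properties\{83da6326-97a6-4088-9453-a1923f573b29} subkey as 64-bit little-endian FILETIME values, and that property IDs 0064 through 0067 carry the post's "First Install", "First Inserted", "Last Inserted" and "Last Removal" values in that order; that PID-to-label mapping is an assumption drawn from the sources the post cites, not something the post states, so confirm it against a hive of your own. The hive content is constructed inline from the USBStor Cruzer listing above instead of being read with a Registry library.

```python
"""Turn a USB device instance's timestamp properties into TLN records."""
import struct
from datetime import datetime, timezone

# Property-set GUID under the instance's Properties subkey (assumed; see lead-in).
DEVPKEY_DEVICE_GUID = "{83da6326-97a6-4088-9453-a1923f573b29}"
# Offset between 1601-01-01 (FILETIME epoch) and 1970-01-01, in 100 ns ticks.
EPOCH_DELTA_100NS = 116444736000000000

# Assumed mapping of property ID to the label the post uses (see lead-in).
PID_LABELS = {
    "0064": "First Install",
    "0065": "First Inserted",
    "0066": "Last Inserted",
    "0067": "Last Removal",
}


def filetime_to_epoch(raw):
    """Decode an 8-byte little-endian FILETIME into Unix epoch seconds."""
    (ticks,) = struct.unpack("<Q", raw)
    return (ticks - EPOCH_DELTA_100NS) // 10_000_000


def epoch_to_filetime(epoch):
    """Inverse of filetime_to_epoch; used here only to build the sample hive."""
    return struct.pack("<Q", epoch * 10_000_000 + EPOCH_DELTA_100NS)


def iso_to_epoch(text):
    """'YYYY-MM-DD HH:MM:SSZ' (the post's timestamp style) -> epoch seconds."""
    dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


# Constructed stand-in for the USBStor instance key shown in the post.
SAMPLE_INSTANCE = {
    "path": "USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\\2443931D6C0226E3&0",
    "FriendlyName": "SanDisk Cruzer USB Device",
    "properties": {
        DEVPKEY_DEVICE_GUID: {
            "0064": epoch_to_filetime(iso_to_epoch("2021-09-09 17:37:15Z")),
            "0065": epoch_to_filetime(iso_to_epoch("2021-09-09 17:37:15Z")),
            "0066": epoch_to_filetime(iso_to_epoch("2022-05-16 22:06:24Z")),
            "0067": epoch_to_filetime(iso_to_epoch("2022-05-16 22:07:08Z")),
        }
    },
}


def device_timestamps(instance):
    """Return {label: epoch} for the timestamps present on the instance.

    Missing or truncated values are skipped rather than raising: a device that
    is still attached, for instance, has no removal timestamp yet.
    """
    found = {}
    props = instance.get("properties", {}).get(DEVPKEY_DEVICE_GUID, {})
    for pid, label in PID_LABELS.items():
        raw = props.get(pid)
        if raw is None or len(raw) != 8:
            continue
        found[label] = filetime_to_epoch(raw)
    return found


def tln_records(instance, host="", user=""):
    """Emit TLN lines (time|source|host|user|description) in time order.

    The sort is stable, so labels that share a second keep PID order.
    """
    name = instance.get("FriendlyName") or instance.get("path")
    rows = [(epoch, f"{epoch}|REG|{host}|{user}|{label} - {name}")
            for label, epoch in device_timestamps(instance).items()]
    return [line for _, line in sorted(rows, key=lambda r: r[0])]


if __name__ == "__main__":
    for line in tln_records(SAMPLE_INSTANCE, host="Stewie"):
        print(line)
```

Emitting the Registry timestamps in the same TLN shape the Event Log parser produces is what lets the two sources be sorted into a single timeline, which is the whole point of the overlays above.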

Additional Resources
Note that per Yogesh's blog post, the "Microsoft-Windows-Kernel-PnP/Device Configuration" Event Log may also contain information about the connected devices.

One More Thing
While I was doing some research for this blog post, I ran across this entry for event ID 112, albeit from the "Microsoft-Windows-TaskScheduler/Operational" Event Log. Once again, please stop referring to event records solely by their ID, and start including the event source, as well.
