Comments on Windows Incident Response: There Are Four Lights: USB-Accessible Storage
(comment feed, 9 comments, newest first; feed last updated 2024-03-19T07:46:20-05:00)

Jimmy_Weg, 2013-01-09 22:01 -05:00:

<i>When you switched users, was the other one logged out?</i>

As I mentioned, I didn't test this yet. I'm just guessing that this is the scenario in which Jacky's observation would hold true. I would think that both users must be logged on to the system.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2013-01-08 11:45 -05:00:

Jimmy,

<i>... the GUID should appear under both users' MP2...</i>

When you switched users, was the other one logged out?

<i>...some study of user activity may allow you to infer who stuck the device in the machine.</i>

Oh, definitely. Maybe not infer so much as tie it down with a bit more certainty.

<i>There are probably more anomalies with USB exams than any other, from what I've seen over the years.</i>

I think that's largely for a couple of reasons...

First, developing information about USB device analysis is a process in and of itself. When Cory Altheide and I did our initial research, there was no thought given to disconnecting and reconnecting a device multiple times during the same boot session. Then, when Rob Lee provided updated information, it doesn't appear that anyone thought to have multiple users logged in at the same time.

Second, USB device analysis is a process...and most analysts do not appear to want a process, they want a button. I spoke to someone at PFIC who asked me how they could locate the USB devices connected to a system, and I pointed them to Rob's resources, my book, etc. He asked the question again...it turns out, following a checklist isn't what he was looking for...he was looking for a button to push.

Jimmy_Weg, 2013-01-08 11:31 -05:00:

<i>Ms. Fox determined that when a USB device is connected to a system and mounted as a volume, that volume GUID is added to the MountPoints2 key for <b>all logged in users,</b> not just the user logged in at the console.</i>

I haven't read Jacky's paper yet, but my sense is that the bold-face portion of the above quote is the pivotal part of her findings. I bring this up because I've seen multi-user systems in which the GUID appears for only one user. So, if I understand correctly, if I log on, switch users, and plug in a thumb, the GUID should appear under both users' MP2 with the same time stamp.

Nevertheless, some study of user activity may allow you to infer who stuck the device in the machine. There are probably more anomalies with USB exams than any other, from what I've seen over the years.

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2013-01-08 10:00 -05:00:

John,

I'm glad that you found this information useful. For this, as well as for other analysis methodologies, there is a lot of info available that can be used to really build a much more solid picture of what you're looking at...

John Wulff, 2013-01-08 09:53 -05:00:

The EMDMgmt subkey contains a wealth of information that I had been avoiding/missing in my attempts to garner all available information on a system, especially relating to USB drive activity. Thanks for bringing this to the forefront. It was very eye-opening to me.

Anonymous (https://www.blogger.com/profile/16949653919612318395), 2013-01-08 06:03 -05:00:

Captain Picard would be proud of the title of your post.

dfirfpi (https://www.blogger.com/profile/01083837844686217511), 2013-01-07 04:41 -05:00:

Harlan, thank you for the mapping technique and for the references, really valuable.

The new data pointed out regarding USB devices reminds me of an old work (never completed) I did on "Properties" subkeys found under IDE, USBSTOR, STORAGE\Volume (etc.) keys. I should try to resurrect it =)

H. Carvey (https://www.blogger.com/profile/08966595734678290320), 2013-01-05 19:09 -05:00:

David,

My view of the use of the setupapi.dev.log file hasn't changed at all. The purpose in mentioning the Registry values is to point out where some new information came from and how it applies.

Thanks.

David Cowen (https://www.blogger.com/profile/17629115910611763170), 2013-01-05 16:35 -05:00:

Where do you factor setupapi.dev.log in Win 7 / setupapi.log in XP/Vista into your equations? From my experience it is a great listing of first plug-in / driver install dates per device that starts when the OS is installed and is appended to instead of updated.