Comments on Windows Incident Response: From the Lab: Mapping USB devices via LNK files
(Blogger comment feed, 21 comments, last updated 2024-03-19; comments listed in chronological order, all times -05:00)

hogfly (2007-04-09 23:19):
Harlan,
I wonder if the information is actually left over in the ntuser.dat of the user that formatted the volume?

H. Carvey (2007-04-11 05:30):
Interesting...any thoughts on where to look?

hogfly (2007-04-11 07:39):
I was going to go ahead and experiment with it a little bit today. No immediate thoughts on where, just a thought that it might exist there.

H. Carvey (2007-04-11 19:18):
I'm sure you'll find evidence in the UserAssist key that the MMC associated with the DiskManager was run, but beyond that, what information is usually left over when someone formats a disk or volume?

From my perspective, I don't know of any. I'd like to better understand your thought processes with regards to what you're thinking is in the NTUSER.DAT.

Unknown (2007-04-13 12:21):
Harlan!

Looking forward to getting a copy of the book. Nice to know you are still out there kicking it up.

Point me to the BEST resources for learning PERL when you get a chance, or do I need to wait to read the book?

Hope it sells millions!

H. Carvey (2007-04-16 11:49):
Heath,

"Nice to know you are still out there kicking it up."

Thanks. Have we met?

"Point me to the BEST resources for learning PERL when you get a chance, or do I need to wait to read the book?"

It depends on what you want to do. The *best* resource, IMHO, is the O'Reilly books, and if you want to go specifically Windows, Dave Roth's (http://www.roth.net) books are THE BEST!!

I started with "Learning Perl on Win32 Systems", and moved on to "Advanced Perl Programming". However, I really have to say that most of my really exceptional leaps in knowledge have been from interacting with others, and looking at the code written by others.

Hope that helps!

srobtjonesME (2007-04-16 13:51):
Harlan,

I have seen situations where, when using EnCase to review the USBSTOR entries, I have found that a thumb drive's serial number was reported. When connected to my Tableau USB write blocker, I checked the information reported regarding firmware version, serial number, etc., and sure enough, it matched what was reported by the USBSTOR entry within EnCase.

Of course, this is not always the case, and I find that the more well-known a device is, the better such a correlation exists. For example, my own experience is that for SanDisk thumb drives, more often than not, I have found a match between what the Tableau device reports as a serial number and what is listed within the info displayed within the USBSTOR.

So I guess my point is that it is possible that the serial number is reported by the USBSTOR information, but as there is yet no hard-and-fast rule regarding this, each vendor is free to do whatever they want, so perhaps it is still at best a case-by-case basis.

Or perhaps you might argue that this "serial number" is vague in that it might be the volume serial number or a hardware/device serial number. This brings up another query:

As long as it matches the evidence I have from within the setupapi.log and/or USBSTOR entries, does it matter? A match strongly supports the connection, so does it matter as long as it matches?

This is the heart of the matter, isn't it?

-srobtjones

H. Carvey (2007-04-24 17:19):
srobtjones,

"I have found that a thumb drive's serial number was reported"

Yes, I'm sure. I've written about this on numerous occasions, as well as blogged about it.

"...i have found a match between what the Tableau device reports as a serial number and what is listed within the info displayed within the USBSTOR"

I'm sure...because if a serial number exists for the device, it is in the device descriptor, which means that what is in the USBStor key and what is being reported by the Tableau device is being pulled from the same location.

Reading through the rest of your comment, it's clear that there's some confusion here. What you are seeing in the USBStor key is the device's serial number. This is not a volume serial number. The VSN is the serial number assigned to a volume when the volume is formatted, as referenced by the documentation I've linked to.

Thanks for your comments.

Anonymous (2007-11-22 02:02):
Hi Keydet89,

Interestingly, I'm doing something similar to what you've blogged. However, I noticed that if the device connected is an external USB drive, the DosDevice entry will not store the string "\??\STORAGE Removeablemedia"; instead I see non-ASCII values.

This is killing my brain cells as my program will fail to determine if the drive is a removable storage.

You have any ideas or workarounds?

- stardust

H. Carvey (2007-11-22 08:11):
stardust,

I'd have to see an example of what you're referring to...

Anonymous (2007-11-22 20:40):
keydet89,

Here's a screenshot of the binary value in DosDeviceG when I plugged in my external USB hdd into my host machine:

http://www.flickr.com/photos/21152357@N04/2055535783/

It's not the usual "\??\Storage\..." that we see when we plug in a thumbdrive.

Cheers,
stardust

Anonymous (2007-11-22 20:43):
I had assumed that all USB storage devices connected to the host would contain the "\??\Storage\.." value, but somehow it wasn't the case?

stardust

H. Carvey (2007-11-23 07:46):
"It's not the usual "\??\Storage\..." that we see when we plugged in a thumbdrive."

From the graphic you posted on flickr, it appears that the system has recognized this device more as an external hard drive than as a removable storage device.

I have a WD PassPort USB-connected 120GB drive, and it gets recognized in the same manner as you've presented above. I've got some information about this in my book, "Windows Forensic Analysis".

Anonymous (2007-11-23 11:26):
I see.
Let me check out your book first for more information. Thanks! :)

stardust

- George - (2011-09-28 10:11):
It's now September 2011, and I am looking at the same issue still, Harlan. I have a situation where I have a number of device images, one being a laptop. I'd like to link the images of the USB flash drives with their volume serial numbers to laptop registry and other file evidence including: (1) specific USB VID/PID/SN values and matching entries in the SetupAPI device logs; then (2) their drive letters; along with (3) LNK shortcuts to files that perhaps were on the removable drive but have been deleted & wiped; and similarly (4) ShellBags information on full paths to files and the removable devices they were once on.

As you summarize at the very end of your post, this may involve a significant timeline analysis and some good fortune, but may not yield an ironclad link between the image and the physical device info.

Has anything popped up on your horizon in the passing years on this matter?

H. Carvey (2011-09-28 14:10):
George,

"Has anything popped up on your horizon in the passing years on this matter?"

I'm not sure what you're trying to get at, as I think that enough information has been developed since I wrote this post to address this issue.

Can you contact me offline at keydet89 at yahoo dot com and let me know a little bit more about what you're looking for? I understand what you're trying to do, but what is it I can do to assist?

Thanks.

Anonymous (2023-03-13 16:49):
I obtained USB device artifacts from a forensic digital report; for one of the USB drives there is no drive letter assigned to it, however the lnk files with a linked path of D: point to that specific USB?

H. Carvey (2023-03-13 17:11):
This post is 16 yrs old...what version of Windows was examined? Did you go back and ask whomever wrote the report about this?

Anonymous (2023-03-13 17:21):
It was Windows 10 Professional (2009). Haven't consulted with the expert yet. Due to some budget constraints I cannot reach out to the expert again. But I see two storage devices, and the drive letter D: is only assigned to one of them.

H. Carvey (2023-03-13 18:16):
I can't speak to what the expert did, but it could be that the drive letter was assigned to both devices, at different times.

You should be able to tell via the Windows Event Log.

H. Carvey (2023-03-13 18:17):
http://windowsir.blogspot.com/2022/05/usb-device-redux-with-timelines.html