Automated tools
If possible, also run the USBDeview tool from NirSoft (they have an amazing collection of tools). It reads the same registry keys described below and lists every USB device the machine has seen, with vendor/product IDs, serial number and last plug/unplug times, so it is a quick cross-check for the manual steps that follow.
List USB devices plugged in
PowerShell to get the USBSTOR list (every USB mass-storage device the system has ever enumerated, whether or not it is attached right now). PSChildName is the device serial number (the instance key name) and ContainerID is the value the DeviceSetupManager event below is matched on:
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*' | Select-Object FriendlyName, PSChildName, ContainerID, ClassGUID
Also, fetch the mounted device list. This PowerShell script parses the USB entries under HKLM\SYSTEM\MountedDevices from the registry:
Write-Output "Data from mounted devices at HKLM:\SYSTEM\MountedDevices\"
Write-Output "Only USBSTOR entries are parsed; other value types (e.g. MBR signature + offset for fixed disks) are skipped."
$RegKey = Get-ItemProperty -Path "HKLM:\SYSTEM\MountedDevices\"
$RegKey.PSObject.Properties | ForEach-Object {
    # Real entries are named \DosDevices\X: or \??\Volume{GUID}; this skips the PS* provider properties
    If ($_.Name -like '\*') {
        # Values are REG_BINARY; for USB volumes they hold a UTF-16LE device path such as
        # _??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#4C53000123456789&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
        $val = [System.Text.Encoding]::Unicode.GetString($_.Value)
        If ($val -match 'USBSTOR#') {
            $parts = $val.Split('#')
            $out = New-Object psobject
            $out | Add-Member NoteProperty MountPoint $_.Name
            $out | Add-Member NoteProperty Serial  ($parts[2].Split('&')[0])            # drop the "&0" instance suffix
            $out | Add-Member NoteProperty Type    ($parts[1].Split('&')[0])            # Disk / CdRom
            $out | Add-Member NoteProperty Vendor  ($parts[1].Split('&')[1].Substring(4))   # text after "Ven_"
            $out | Add-Member NoteProperty Product ($parts[1].Split('&')[2].Substring(5))   # text after "Prod_"
            Write-Output $out
        }
    }
}
To see the raw values the script above parses, dump every entry as a decoded string:
$RegKey = Get-ItemProperty -Path "HKLM:\SYSTEM\MountedDevices\"
$RegKey.PSObject.Properties | ForEach-Object {
    If ($_.Name -like '\*') {
        $val = [System.Text.Encoding]::Unicode.GetString($_.Value)
        Write-Output ($_.Name + ' = ' + $val)
    }
}
Last Insertion\Removal of USB (time)
For all registry locations mentioned below, get the Last Write time of the registry key. It can be fetched in two ways:
1. Manual approach: export the key from Regedit as a text file (*.txt); the text export includes each key's Last Write Time.
2. Registry snapshot: copy the SYSTEM hive (for example with reg save HKLM\SYSTEM <outfile> on the live host, or by exporting it from a disk image with FTK Imager) and load it in AccessData's free Registry Viewer.
A key's last-write time changes whenever anything under that key is updated, so treat it as the last time Windows touched the device record rather than a guaranteed insertion time; on Windows 8 and 10 prefer the explicit arrival/removal timestamps (0066/0067) listed below.
MSC type devices
Last insertion timestamp from the USBSTOR key [Windows 10, Windows 8]
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_[VendorName]&Prod_[ProductName]&Rev_[Revision]\[SerialNo]\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066
Last removal timestamp from the USBSTOR key [Windows 10, Windows 8]
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_[VendorName]&Prod_[ProductName]&Rev_[Revision]\[SerialNo]\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067
Last insertion time from the SYSTEM hive under the USB key (key last-write time)
HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_[VendorID]&PID_[ProductID]\[SerialNo]
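The timestamps above, pulled for every USBSTOR instance in one pass. This is an added example, not code from the original post: it P/Invokes RegQueryInfoKey for the key last-write time (which Get-ItemProperty does not expose) and uses Get-PnpDeviceProperty for the 0066/0067 values (DEVPKEY_Device_LastArrivalDate and DEVPKEY_Device_LastRemovalDate, plus 0065 FirstInstallDate from the same property set), because the Properties subkeys are ACL'd to SYSTEM and are normally not readable even from an elevated shell. It assumes a live Windows 10 host with the PnpDevice module available and that the cmdlet answers for devices that are not currently attached; the function names Get-RegKeyLastWriteTime and Get-UsbStorTimeline are my own.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell on Windows 10.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class RegKeyInfo {
    // Only the last-write FILETIME is requested; every other out-parameter is passed as NULL.
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern int RegQueryInfoKey(
        IntPtr hKey, IntPtr lpClass, IntPtr lpcbClass, IntPtr lpReserved,
        IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
        IntPtr lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
        IntPtr lpcbSecurityDescriptor, out long lpftLastWriteTime);
}
'@

function Get-RegKeyLastWriteTime {
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Key)
    $ft = [long]0
    $rc = [RegKeyInfo]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(),
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed with Win32 error $rc" }
    [DateTime]::FromFileTimeUtc($ft)
}

function Get-UsbStorTimeline {
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SYSTEM\CurrentControlSet\Enum\USBSTOR')
    if (-not $root) { return }
    foreach ($dev in $root.GetSubKeyNames()) {            # e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
        $devKey = $root.OpenSubKey($dev)
        foreach ($serial in $devKey.GetSubKeyNames()) {   # e.g. 4C53000123456789&0
            $inst = $devKey.OpenSubKey($serial)
            $instanceId = "USBSTOR\$dev\$serial"
            # Assumption: these DEVPKEYs are what live under Properties\{83da6326-...}\0065, 0066 and 0067;
            # the PnP manager decodes the FILETIME for us and is not blocked by the SYSTEM-only ACL.
            $props = @{}
            Get-PnpDeviceProperty -InstanceId $instanceId -ErrorAction SilentlyContinue `
                -KeyName 'DEVPKEY_Device_FirstInstallDate','DEVPKEY_Device_LastArrivalDate','DEVPKEY_Device_LastRemovalDate' |
                ForEach-Object { $props[$_.KeyName] = $_.Data }
            [pscustomobject]@{
                InstanceId   = $instanceId
                FriendlyName = $inst.GetValue('FriendlyName')
                ContainerID  = $inst.GetValue('ContainerID')
                KeyLastWrite = Get-RegKeyLastWriteTime -Key $inst          # last-write time of the [SerialNo] key, UTC
                FirstInstall = $props['DEVPKEY_Device_FirstInstallDate']
                LastArrival  = $props['DEVPKEY_Device_LastArrivalDate']    # 0066
                LastRemoval  = $props['DEVPKEY_Device_LastRemovalDate']    # 0067
            }
            $inst.Close()
        }
        $devKey.Close()
    }
    $root.Close()
}

Get-UsbStorTimeline | Sort-Object LastArrival -Descending | Format-Table -AutoSize
```

A LastRemoval earlier than LastArrival (or empty) means the device was still attached when the hive was read; a KeyLastWrite later than LastArrival means something other than a plug event rewrote the key, which is why the explicit properties are preferred for the timeline.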
From event logs
Location: Microsoft\Windows\DeviceSetupManager\Admin (log name Microsoft-Windows-DeviceSetupManager/Admin)
Event ID: 112
Description: Gives the timestamp of every time a USB device is inserted into the system. The event has no device specification information; to correlate it with a device, match the {ID} in the event, which is the device ContainerID, against the ContainerID value found under the USBSTOR key.
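Correlating event 112 with the USBSTOR ContainerIDs, as an added example that is not part of the original post. It assumes the event message carries the ContainerID as a braced GUID, as the description says, and picks out the first braced GUID with a regex; the function names Get-UsbStorContainerMap and Get-UsbInsertionEvents are my own.

```powershell
# Added example (not from the original post). Requires read access to the Admin log (elevated shell).
function Get-UsbStorContainerMap {
    # ContainerID -> USBSTOR instance record, keyed case-insensitively on the braced GUID
    $map = @{}
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.ContainerID } |
        ForEach-Object { $map[$_.ContainerID.ToLower()] = $_ }
    $map
}

function Get-UsbInsertionEvents {
    param([int]$MaxEvents = 200)
    $devices = Get-UsbStorContainerMap
    # Assumption: the ContainerID is the first {GUID} in the event's message text
    $guidRe = [regex]'\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DeviceSetupManager/Admin'; Id = 112 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m   = $guidRe.Match([string]$_.Message)
            $cid = if ($m.Success) { $m.Value.ToLower() } else { $null }
            $dev = if ($cid -and $devices.ContainsKey($cid)) { $devices[$cid] } else { $null }
            [pscustomobject]@{
                Time         = $_.TimeCreated
                ContainerID  = $cid
                FriendlyName = if ($dev) { $dev.FriendlyName } else { '(no USBSTOR match)' }
                Serial       = if ($dev) { $dev.PSChildName } else { $null }   # PSChildName is the [SerialNo] key
            }
        }
}

Get-UsbInsertionEvents | Sort-Object Time | Format-Table -AutoSize
```

Rows that show "(no USBSTOR match)" are devices set up by another enumerator (keyboards, MTP phones, hubs); those are not mass-storage devices and need the USB or WPD keys instead of USBSTOR.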
Important device-class locations for USB under HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses:
• {53f56307-b6bf-11d0-94f2-00a0c91efb8b} (GUID_DEVINTERFACE_DISK: one subkey per disk interface, USB disks included)
• {53f5630d-b6bf-11d0-94f2-00a0c91efb8b} (GUID_DEVINTERFACE_VOLUME: one subkey per volume)
The subkeys are named after the device instance path, and their last-write time is commonly used as a first-connection indicator for the device.
MTP and PTP type devices
MTP/PTP devices are enumerated under the USB key (Enum\USB), not under USBSTOR.
Last insertion timestamp from the USB key [Windows 10, Windows 8]
HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_[VendorID]&PID_[ProductID]\[SerialNo]\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066
Last removal timestamp from the USB key [Windows 10, Windows 8]
HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_[VendorID]&PID_[ProductID]\[SerialNo]\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067
From event logs
Location: Microsoft\Windows\WPDMTPClassDriver\Operational
Event IDs: 1000, 1001, 1003
Description: Last insertion timestamp of MTP- and PTP-enabled USB devices. These events carry no device identification; to chain them into one insertion, link the events on their Execution ProcessID and ThreadID.
Location: Microsoft\Windows\WPDMTPClassDriver\Operational
Event ID: 1002
Description: Last removal timestamp of MTP- and PTP-enabled USB devices. Again there is no device identification; chain the removal to its insertion events via Execution ProcessID and ThreadID.
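Chaining the WPD MTP class driver events into per-device sessions on ProcessID/ThreadID, as an added example that is not from the original post. It assumes the log's real name matches *MTPClassDriver/Operational (resolved at run time with Get-WinEvent -ListLog rather than hard-coded), and follows the post in treating 1000/1001/1003 as insertion and 1002 as removal. Because ProcessID/ThreadID pairs get reused over time, a chain is split into separate sessions whenever consecutive events are more than MaxGapMinutes apart; the function names Get-MtpDeviceSessions and New-MtpSession are my own.

```powershell
# Added example (not from the original post). Read the Operational log from an elevated shell.
function New-MtpSession([object[]]$Events) {
    # Collapse one run of chained events into an insertion/removal pair
    $arrivals = @($Events | Where-Object { $_.Id -in 1000,1001,1003 })
    $removals = @($Events | Where-Object { $_.Id -eq 1002 })
    [pscustomobject]@{
        ProcessId = $Events[0].ProcessId
        ThreadId  = $Events[0].ThreadId
        Inserted  = if ($arrivals.Count) { $arrivals[0].TimeCreated } else { $null }
        Removed   = if ($removals.Count) { $removals[-1].TimeCreated } else { $null }
        EventIds  = ($Events | ForEach-Object Id) -join ','
    }
}

function Get-MtpDeviceSessions {
    param([int]$MaxEvents = 1000, [int]$MaxGapMinutes = 30)
    # Assumption: the channel name contains "MTPClassDriver/Operational"; verify with Get-WinEvent -ListLog *MTP*
    $log = Get-WinEvent -ListLog '*MTPClassDriver/Operational' -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $log) { throw 'WPD MTP class driver Operational log not found on this host' }
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Id = 1000,1001,1002,1003 } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    # Group on the Execution element (ProcessId/ThreadId) that the post says to link on
    $events | Group-Object { '{0}:{1}' -f $_.ProcessId, $_.ThreadId } | ForEach-Object {
        $chain   = @($_.Group | Sort-Object TimeCreated)
        $session = @()
        for ($i = 0; $i -lt $chain.Count; $i++) {
            # Same pid/tid long after the previous event means an unrelated session, so start a new one
            if ($session.Count -gt 0 -and
                ($chain[$i].TimeCreated - $session[-1].TimeCreated).TotalMinutes -gt $MaxGapMinutes) {
                New-MtpSession $session
                $session = @()
            }
            $session += $chain[$i]
        }
        if ($session.Count -gt 0) { New-MtpSession $session }
    } | Sort-Object Inserted
}

Get-MtpDeviceSessions | Format-Table -AutoSize
```

A session with Inserted set but Removed empty was either still connected at the end of the log, or its 1002 landed on a different pid/tid and must be matched by hand; these events still name no device, so pair the session times with the USB key timestamps above to say which phone or camera it was.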
References
https://www.researchgate.net/publication/318514858_USB_Storage_Device_Forensics_for_Windows_10
https://www.forensicswiki.org/wiki/USB