Computer Forensics World :: View topic - USB thumb drives
Jules
Newbie


Joined: Mar 15, 2007
Posts: 1

Posted: Fri Mar 16, 2007 5:30 am    Post subject: USB thumb drives

I am researching what happens to your system files, logs and the registry when you hook up a USB thumb drive. I am looking for any useful information or links to check. Thanks so much for help.
Complete
Newbie


Joined: Aug 20, 2006
Posts: 287

Posted: Fri Mar 16, 2007 10:11 am

You could test it for yourself by using something like Process Monitor.

microsoft.com/technet/sysinternals/utilities/processmonitor.mspx
Prickaerts
Newbie


Joined: Jan 03, 2006
Posts: 255
Location: The Netherlands

Posted: Fri Mar 16, 2007 8:27 pm

Hi Jules,

Have a look at Filemon and Regmon.

Chris
psu1989
Newbie


Joined: Sep 19, 2005
Posts: 47
Location: Hartford, CT

Posted: Sat Mar 17, 2007 1:59 am

Or use the search function of this site...

This has been discussed numerous times.

Brian
Cyber-Hick
Newbie


Joined: Jun 03, 2007
Posts: 4

Posted: Mon Jun 04, 2007 12:12 pm    Post subject: Re: USB thumb drives

Jules wrote:
I am researching what happens to your system files, logs and the registry when you hook up a USB thumb drive. I am looking for any useful information or links to check. Thanks so much for help.


I do this a lot as there is a policy against using thumb drives at the company where I work. There are two main registry areas that will be modified when you connect a thumb drive.

1. HKLM\System\CurrentControlSet\Enum\USBStor
This area contains an entry for any USB storage device connected to the system. That thumb drive's information is recorded here.


2. HKLM\System\MountedDevices
This area contains the drive letters for all storage devices that have been connected to the system. So when the thumb drive was connected and mapped to drive F:, that data is stored here. It's stored in Hex, so you will need a Hex to ASCII translator to see the data. One other note: only the latest device is recorded. So if you plug in one thumb drive and it maps to F:, then plug in another drive that is also mapped to F:, only the second one is in the registry.

To map the two together, translate the Hex in MountedDevices to ASCII and it will show the ParentIDSuffix of the storage device that was mapped to that drive. That storage Id is recorded in the USBStor. So you can map the two together in this manner.

Hope this helps.
C-H
Krypto_Knight
Newbie


Joined: Jul 30, 2007
Posts: 4

Posted: Tue Jul 31, 2007 11:05 am    Post subject: USB Drive use on Computer

HKLM\System\CurrentControlSet\Enum\USBStor
HKLM\System\MountedDevices

Are two registry keys that show USB use, but what if I have a USB thumb drive and I want to link it to those keys? Where do I find the USB ID on the thumb drive?

Thanks in advance. I spent the last 4 years doing computer forensics for the AF and I didn't even know this site existed.
PreferredUser
Newbie


Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Tue Jul 31, 2007 12:14 pm

Krypto_Knight wrote:
Where do I find the USB ID on the thumb drive?
First, not all thumb drives have a SN or unique identifier. The Vendor ID (VID), Product ID (PID) and serial number are obtained from the standard Device Descriptor that every USB device must support. The means for obtaining the Device Descriptor is the same for any USB device. Microsoft Windows’ class drivers use it to distinguish between multiple attached instances of the same device. In other words, you can plug 20 identical Sony USB thumbdrives in any order on a PC, use and re-arrange them, and Windows will never confuse one for another. In fact, Windows XP will use the original drive letter assignments if available.

One way to read this info is to use the tool that developers use, USBView from the MS DDK - Windows Driver Development Kit. USBView is a free utility from Microsoft that displays the USB connection tree and shows the USB devices that are connected to it together with their configuration data. This is very useful for debugging USB enumeration errors.
www.microsoft.com/whdc/devtools/ddk/default.mspx

There is also a version of USBView for Linux:
www.kroah.com/linux-usb/
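Added example (mine, not code from any poster in this thread) tying together C-H's MountedDevices-to-USBStor mapping above and PreferredUser's point that not every drive reports a serial: it decodes a MountedDevices drive-letter value from UTF-16LE, pulls out the device-instance field C-H calls the ParentIDSuffix (USBStor stores it in the instance key as ParentIdPrefix), matches it against USBStor, and flags instance ids that Windows generated because the drive had no serial. The registry values below are constructed inline, not exported from a real machine.

```python
import re
from typing import Dict, Optional

# Constructed sample registry data, not exported from any real system.
# MountedDevices \DosDevices\<letter>: values are REG_BINARY: a UTF-16LE device path for
# removable media, a disk signature plus partition offset for fixed disks.
MOUNTED_DEVICES: Dict[str, bytes] = {
    r"\DosDevices\F:": ("\\??\\STORAGE#RemovableMedia#7&2a9d4f5b&0&RM#"
                        "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
    r"\DosDevices\C:": bytes.fromhex("a0b1c2d3" + "00" * 8),
}
# USBStor: device-class key -> instance id -> values. The instance id is the serial the
# device reported; if it reported none, Windows generates one with '&' as its 2nd character.
USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02": {"2004567890ABCDEF&0": {"ParentIdPrefix": "7&2a9d4f5b&0"}},
    "Disk&Ven_Generic&Prod_Flash&Rev_1.00": {"6&1f3e9c2a&0": {"ParentIdPrefix": "7&3cc8d1e0&0"}},
}
PARENT_ID_RE = re.compile(r"#RemovableMedia#(?P<pid>[^#]+)&RM#")

def decode_mounted_device(raw: bytes) -> Optional[str]:
    """Decode a MountedDevices value; None when it is not a UTF-16LE device path."""
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.startswith("\\??\\") else None

def parent_id_prefix(device_path: str) -> Optional[str]:
    """Extract the field C-H calls the ParentIDSuffix; USBStor stores it as ParentIdPrefix."""
    m = PARENT_ID_RE.search(device_path)
    return m.group("pid") if m else None

def serial_is_device_reported(instance_id: str) -> bool:
    """False when Windows generated the id ('&' in 2nd position), i.e. the drive had no serial."""
    return len(instance_id) > 1 and instance_id[1] != "&"

def correlate(mounted: Dict[str, bytes], usbstor: dict) -> Dict[str, dict]:
    """Map each drive letter in MountedDevices to the USBStor instance sharing its ParentIdPrefix."""
    by_pid = {v["ParentIdPrefix"]: (cls, inst)
              for cls, insts in usbstor.items() for inst, v in insts.items()}
    result = {}
    for name, raw in mounted.items():
        path = decode_mounted_device(raw)
        pid = parent_id_prefix(path) if path else None
        if pid in by_pid:  # unmatched letters (fixed disks, cleared USBStor entries) are skipped
            cls, inst = by_pid[pid]
            result[name.rsplit("\\", 1)[-1]] = {"device": cls, "instance": inst,
                                                 "serial_from_device": serial_is_device_reported(inst)}
    return result
```

Because MountedDevices keeps only the latest device per letter, a letter whose ParentIdPrefix has no USBStor match simply drops out of the result rather than being guessed at.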
Krypto_Knight
Newbie


Joined: Jul 30, 2007
Posts: 4

Posted: Tue Jul 31, 2007 10:39 pm

Thanks! Awesome, will the program give you date and time?

I have a follow up question regarding the serial number, Product ID, Vendor ID, and Device Descriptor:
I understand that Windows, using the device descriptor, can distinguish between multiple USB devices that are the same. But can I take the device descriptor from one machine and use it to see if the USB device associated with that descriptor was plugged into another windows box?
PreferredUser
Newbie


Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Wed Aug 01, 2007 12:28 am

No date and time.
- Device Descriptor (incl. Vendor, Mfgr., ID, SN, etc.)
- Connection Status
- End Point Descriptor
- Configuration Descriptor
- Interface Descriptor

Krypto_Knight wrote:
But can I take the device descriptor from one machine and use it to see if the USB device associated with that descriptor was plugged into another windows box?
If the USB device has a SN or some other unique value you can track it between multiple machines.
DennisBartlett
Newbie


Joined: Jun 05, 2007
Posts: 4
Location: Cape Town, South Africa

Posted: Thu Aug 02, 2007 5:55 pm

The easiest is to write a hidden, read-only file onto every device that gets attached, defining computer detail. Then, when it is attached again, read this and determine where it was last used. Very few people reformat their USB, and a simple Ctrl-A delete doesn't delete the file (or at least it asks).

One could try determining the specifics of the USB drive, but as companies normally buy these in bulk, they'd all be the same.

Dennis
NAXiAN Digital Forensics Solutions
ArchAngelz
Newbie


Joined: Jun 19, 2008
Posts: 1

Posted: Fri Jun 20, 2008 10:26 am

Hi,

Just to use this existing thread.

You guys were saying that the two Registry keys were:

HKLM\System\CurrentControlSet\Enum\USBStor
HKLM\System\MountedDevices

Does this mean if a user deletes these two keys, all traces of USB devices would be removed and no longer traceable? Are there any other places to check?

Thanks!
KenPryor
Newbie


Joined: Oct 22, 2006
Posts: 58
Location: Robinson, IL

Posted: Sat Jun 21, 2008 11:07 am

You could possibly examine system restore points.
KP
TMs property of their respective owner. Comments property of posters. © 2007 Computer Forensics Science World.