Although portable USB drives have become a permanent fixture in the everyday life of the typical user, these devices continue to challenge the security of our networks. This was never more evident than in 2008, when the Conficker worm rapidly spread across the Internet, infecting millions of home and business computers and even making its way onto the US Department of Defense's classified and unclassified networks. It was at this point that people really began to consider the implications of allowing users to freely plug USB drives into protected networks. In addition to being a very effective transmission medium for self-replicating malware, these devices can also be used to remove sensitive, proprietary, or classified information from a network without authorization. It's for these reasons that forensic examination of systems with a focus on USB drive artifacts has become a hot topic over the past several years.
Artifacts that Matter
When discussing a system in the context of a forensic examination, we refer to the items left behind by a particular activity as artifacts. When you browse to a website in Internet Explorer, you leave an artifact in the browser history showing that you visited that site. When you log into a system, you leave an entry in the system security log: another artifact. When examining a system for details regarding a compromise or data exfiltration, it's these artifacts that provide the clues needed to build a picture of what happened. Pretty much anything you do on a system leaves some form of artifact, and this applies to USB drives as well. The question then becomes: which artifacts are of importance to us, and where can we find them?
The artifacts of a USB drive's presence that are meaningful to you will depend mostly on the circumstances of your investigation. You may need to enumerate all of the USB storage devices that were plugged into a potentially infected machine to see where the infection may have spread. You may suspect that a user copied data onto a drive without authorization and need to determine the time periods in which their personal drive was plugged into the system. Regardless of your purpose, there are a few key places within a Windows system where this information is housed.
Extracting USB Artifacts Manually
The most fundamental way to access USB drive artifacts is to manually browse to where the information is held. In this article I’ll focus on where these locations are in Windows 7.
The first and easiest information to extract is a listing of all USB storage devices that have ever been plugged into the system. It is readily available in the Windows registry at HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. Within this key you will find a subkey for each drive that has been plugged into the system, named with its vendor, product, and revision (for example, Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02), and beneath it a subkey for each individual device, named with its serial number. If the second character of that serial number is an ampersand (&), the device did not report a serial number and Windows generated one for it, so the value cannot be used to track the device across machines. Note also that CurrentControlSet is a link that only exists on a running system; in an exported SYSTEM hive, read the Select\Current value and look under the corresponding ControlSet00N key instead.
Figure 1: A listing of several USB drives that have been plugged into a Windows 7 computer
After you have a listing of the drives that have been used, you will need to attribute them to specific users. This can be done, but it takes a few additional steps. Within the registry, you will first need to locate HKLM\SYSTEM\MountedDevices. Its values are named either \DosDevices\X: (the drive letter a volume was assigned) or \??\Volume{GUID}, and for USB volumes the value data is a string containing the device's USBSTOR path, including its serial number. Search the value data for the serial number of the drive in question; the \??\Volume{GUID} value whose data matches gives you the volume GUID associated with the device, and any \DosDevices\X: value with the same data tells you which drive letter it was given.
With the drive's volume GUID in hand, examination now focuses on the individual user profiles on the machine. Inside each user's profile folder (under C:\Users) there is an NTUSER.DAT file. This file is the hive that gets loaded as HKEY_CURRENT_USER whenever its owner logs into the system. The hive of a user who is currently logged in is already visible under HKEY_USERS; for any other user, it can be opened from an administrative Registry Editor by selecting HKEY_USERS and choosing File, then Load Hive. To tie a user to a particular device, browse to the following key within the NTUSER.DAT hive: Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2. Here you can search for the volume GUID of the device in question. If it is found, the volume was mounted while that user was logged in. Keep in mind that this search must be performed against the NTUSER.DAT of every user on the system when attempting this type of correlation.
Figure 2: Searching the NTUSER.DAT file for a USB device GUID
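The three registry steps above (the USBSTOR enumeration, the MountedDevices lookup, and the per-user MountPoints2 check) chained together as a small Python script. This is an added example written for this article, not the original author's code or any of the tools mentioned later; it takes the key and value names as you would copy them out of regedit or an exported hive, so it runs offline on any OS. The device name, serial number, volume GUIDs and user names it is fed are constructed samples, and the functions parse_usbstor, find_volumes and users_who_mounted are my own names.

```python
"""USB drive attribution from Windows 7 registry data.

Added example, not code from the original article. It works on the key and
value names exactly as regedit shows them, so it runs offline on any OS.
All device names, serials, GUIDs and user names below are constructed.
"""
import re

# Device subkeys under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
DEVICE_KEY_RE = re.compile(
    r"^(?P<class>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$")
# Value names under HKLM\SYSTEM\MountedDevices
DOSDEVICE_RE = re.compile(r"^\\DosDevices\\([A-Z]:)$")
VOLUME_NAME_RE = re.compile(r"^\\\?\?\\Volume(\{[0-9a-fA-F-]+\})$")


def parse_usbstor(device_key, instance_key):
    """Describe one USBSTOR entry from its device subkey and instance subkey names."""
    m = DEVICE_KEY_RE.match(device_key)
    if not m:
        raise ValueError("not a USBSTOR device key: " + device_key)
    info = m.groupdict()
    info["instance_id"] = instance_key
    # The instance subkey is the reported serial number with "&<n>" appended.
    info["serial"] = instance_key.rsplit("&", 1)[0]
    # "&" as the second character means the device reported no serial number and
    # Windows synthesised the id; it will differ from machine to machine.
    info["serial_is_windows_generated"] = len(instance_key) > 1 and instance_key[1] == "&"
    return info


def find_volumes(mounted_devices, instance_id):
    """Map a USBSTOR instance id to the drive letters and volume GUIDs it was given.

    mounted_devices: {value name: raw REG_BINARY data} copied from
    HKLM\\SYSTEM\\MountedDevices. For USB volumes the data is a UTF-16LE string
    of the form _??_USBSTOR#<device key>#<instance id>#{interface GUID}.
    """
    letters, guids = [], []
    needle = "#" + instance_id + "#"
    for name, data in mounted_devices.items():
        try:
            text = data.decode("utf-16-le")
        except UnicodeDecodeError:
            continue  # fixed disks store a 12-byte signature/offset here, not a string
        if not text.startswith("_??_USBSTOR#") or needle not in text:
            continue
        dos, vol = DOSDEVICE_RE.match(name), VOLUME_NAME_RE.match(name)
        if dos:
            letters.append(dos.group(1))
        elif vol:
            guids.append(vol.group(1).lower())
    return {"drive_letters": sorted(letters), "volume_guids": sorted(guids)}


def users_who_mounted(mountpoints2_by_user, volume_guid):
    """Return the users whose NTUSER.DAT lists the volume GUID under MountPoints2.

    mountpoints2_by_user: {username: [subkey names under
    Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2]}.
    A hit means the volume was mounted while that user was logged in.
    """
    guid = volume_guid.lower()
    return sorted(user for user, keys in mountpoints2_by_user.items()
                  if any(k.lower() == guid for k in keys))


# --- Constructed sample data, not taken from a real system ---
USB_DATA = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02#4C530001234567891234&0"
            "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
OTHER_USB_DATA = ("_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#7&2f1a3b4c&0"
                  "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4007e000000000000"),  # fixed disk
    "\\DosDevices\\E:": USB_DATA,
    "\\??\\Volume{8d6f4c2a-1b3e-4e5f-9a7c-0d1e2f3a4b5c}": USB_DATA,
    "\\??\\Volume{0b7e9d21-5c44-4a8e-b3f0-6e2d1c9a8f70}": OTHER_USB_DATA,
}
SAMPLE_MOUNTPOINTS2 = {
    "jsmith": ["C", "D", "E", "{8d6f4c2a-1b3e-4e5f-9a7c-0d1e2f3a4b5c}"],
    "admin": ["C", "{0b7e9d21-5c44-4a8e-b3f0-6e2d1c9a8f70}"],
}

if __name__ == "__main__":
    dev = parse_usbstor("Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02", "4C530001234567891234&0")
    vols = find_volumes(SAMPLE_MOUNTED_DEVICES, dev["instance_id"])
    print(dev)
    print(vols)
    for guid in vols["volume_guids"]:
        print(guid, "->", users_who_mounted(SAMPLE_MOUNTPOINTS2, guid))
```

To use it against a real system, fill SAMPLE_MOUNTED_DEVICES from the MountedDevices values and SAMPLE_MOUNTPOINTS2 from each loaded NTUSER.DAT hive; the GUID comparison is case-insensitive because regedit and different tools print GUIDs in different cases.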
One of the most important facets of a forensic investigation is the timing of the events surrounding the incident. As a result, it's crucial to know when a suspect USB device was connected to or disconnected from the system.
Determining the time the drive was first connected to the system is quite easy, assuming you have the serial number of the device (which we obtained a few steps earlier). Locate the file C:\Windows\inf\setupapi.dev.log (on Windows XP the equivalent is C:\Windows\setupapi.log) and do a simple search for that serial number. The "Section start" line of the device installation section that names the serial gives you the time the drive was first plugged in. Two caveats: the timestamps in this log are local time, not UTC, and only the first installation is recorded, so later insertions of the same drive leave no trace here.
Figure 3: Searching setupapi.dev.log for the time a USB device was first plugged in
On the flip side, it's also necessary to determine the most recent time a drive was connected to a system. In order to access this information we will once again look into the registry, this time at HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_xxxx&PID_xxxx, where xxxx are the device's USB vendor and product IDs. These are not the vendor and product strings from the USBSTOR key; to find the right key, look through the VID_xxxx&PID_xxxx subkeys for the one containing a subkey named with the device's serial number. The time we want is the last write time of that serial-number key, which regedit does not display directly. Instead, select the key, click File, then Export, and choose the Text Files (*.txt) format; the resulting file lists a "Last Write Time" for the key. Treat this as the last time Windows enumerated the device rather than a certain insertion time: other events, such as a driver update, also rewrite the key.
Figure 4: Determining the last time a USB drive was connected from the registry
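Both timing lookups above, the first-install time from setupapi.dev.log and the last write time from a regedit text export, as an added Python example that is not part of the original article. The log excerpt and the registry export it parses are constructed samples in the format Windows 7 and regedit produce; the function names first_install_time, key_last_write_times, last_connect_time and usb_timeline are my own, and the en-US date format assumed for the export is an assumption noted in the code.

```python
"""First- and last-connection times for a USB drive on Windows 7.

Added example, not code from the original article. Inputs are plain text you
can copy off the target: C:\\Windows\\inf\\setupapi.dev.log, and a regedit
Export of the device's Enum\\USB key saved as "Text Files (*.txt)", the one
export format that includes "Last Write Time". Samples below are constructed.
"""
import re
from datetime import datetime

# setupapi.dev.log: section header naming the USBSTOR instance, then its
# "Section start" line. Timestamps are local time, not UTC.
SECTION_RE = re.compile(
    r"^>>>\s+\[Device Install .*?USBSTOR\\(?P<device>[^\\]+)\\(?P<instance>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
# regedit .txt export: a "Key Name:" / "Last Write Time:" pair per key.
KEY_NAME_RE = re.compile(r"^Key Name:\s+(?P<key>.+?)\s*$")
LAST_WRITE_RE = re.compile(r"^Last Write Time:\s+(?P<ts>.+?)\s*$")


def first_install_time(log_text, instance_id):
    """Time of the 'Device Install' section for the USBSTOR instance id.

    Only the first installation is logged; re-inserting the same drive adds
    no section, so this is the earliest connection, never the latest.
    """
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = SECTION_RE.match(line)
        if m and m.group("instance") == instance_id:
            for nxt in lines[i + 1:i + 4]:
                s = START_RE.match(nxt)
                if s:
                    return datetime.strptime(s.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
    return None


def key_last_write_times(export_text):
    """Parse a regedit .txt export into {key path: last write time}."""
    times, current = {}, None
    for line in export_text.splitlines():
        k = KEY_NAME_RE.match(line)
        if k:
            current = k.group("key")
            continue
        w = LAST_WRITE_RE.match(line)
        if w and current:
            # regedit writes this in the system locale; en-US is assumed here.
            times[current] = datetime.strptime(w.group("ts"), "%m/%d/%Y - %I:%M %p")
    return times


def last_connect_time(export_text, serial):
    """Last write time of ...\\Enum\\USB\\VID_xxxx&PID_xxxx\\<serial>.

    Under Enum\\USB the instance subkey is the bare serial (no "&0" suffix as
    under USBSTOR). Windows rewrites the key whenever it enumerates the
    device, but a driver update does too, so read this as "last time Windows
    touched the device", not as a guaranteed insertion time.
    """
    for key, when in key_last_write_times(export_text).items():
        parts = key.split("\\")
        if len(parts) > 2 and parts[-1] == serial and parts[-2].startswith("VID_") and parts[-3] == "USB":
            return when
    return None


def usb_timeline(log_text, export_text, instance_id):
    """Combine both sources for one drive (instance id = serial + '&<n>')."""
    serial = instance_id.rsplit("&", 1)[0]
    return {"first_connected": first_install_time(log_text, instance_id),
            "last_connected": last_connect_time(export_text, serial)}


# --- Constructed samples, not from a real system ---
SAMPLE_SETUPAPI_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2f1a3b4c&0]
>>>  Section start 2012/01/09 08:15:02.633
<<<  Section end 2012/01/09 08:15:04.120
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\4C530001234567891234&0]
>>>  Section start 2012/03/15 14:22:31.412
     cmd: C:\Windows\system32\svchost.exe -k netsvcs
<<<  Section end 2012/03/15 14:22:33.101
<<<  [Exit status: SUCCESS]
"""
SAMPLE_REG_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0781&PID_5567
Class Name:        <NO CLASS>
Last Write Time:   3/15/2012 - 2:22 PM

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0781&PID_5567\4C530001234567891234
Class Name:        <NO CLASS>
Last Write Time:   6/2/2012 - 9:05 AM
Value 0
  Name:            DeviceDesc
  Type:            REG_SZ
  Data:            @usb.inf,%usb.device%;USB Device
"""

if __name__ == "__main__":
    print(usb_timeline(SAMPLE_SETUPAPI_LOG, SAMPLE_REG_EXPORT, "4C530001234567891234&0"))
```

Against a real machine, copy setupapi.dev.log and the .txt export off the system first and feed their contents in place of the samples. Because the log records only the first installation and the key's last write time can move for reasons other than an insertion, treat the pair as bounds on the drive's use rather than as a complete connection history.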
Automating Artifact Extraction
Do you remember when you were in 4th grade and your teacher taught you long division, and just about the time you had it all figured out they showed you short division and you wondered why they didn't lead with that? This is a similar circumstance: while it's important to know how to extract this information manually, there are tools that can automate the process.
Two tools that I've had direct experience with are USBDeview and Windows USB Storage (USBSTOR) Parser. The first, USBDeview, is a GUI tool from NirSoft that can extract and display all of the information I've shown you how to extract manually. It is a free download from here. The other tool has similar functionality and runs on both Windows and Linux. You can download this tool from here.
Figure 5: Using USBDeview to view USB hard drive artifacts
Unless you are in an environment that disallows USB devices altogether, it's likely you will at some point have a network security event that involves a portable USB storage device. When that occurs, this article should provide some of the knowledge necessary to help piece together the puzzle and handle the incident appropriately.