USB Artifacts - caitlinmallen/TechWiki GitHub Wiki

USB Artifacts

USB Device Tracking

  • Many different artifacts have to be correlated and linked together
  • Device artifacts
    • Windows registry
      • At least 7 different locations
    • Setupapi logs
    • Windows event logs
      • At least 3 different logs
    • LNK Files
    • Jump lists
    • Prefetch files

User visible items

  • Volume label and drive letter
  • Make and model of USB Drive

USB Device Tracking

  • For every USB device, Windows stores
    • Make, model, product version
    • UniqueID and Serial Number
    • Type of device, class, hardware, and compatibility
    • Volume GUIDs
    • Last drive letter
    • Volume serial number
    • Volume label
    • Container ID
  • Dates of first and last insertion are directly available from Windows 8 onward
    • Not available in earlier operating system versions

DeviceContainers

  • Added in Windows 7
  • Groups all the device objects that belong to a single physical device into one container

Registry Location 1: USBSTOR Key

  • HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR
  • Format: Type&Ven_xxxx&Prod_xxxx&Rev_xxx
  • Serial Number is used to correlate with other artifacts in the registry
    • XP used ParentIdPrefix along with the Serial Number
  • Windows will assign a serial number if it does not have one
  • Some other interesting details lie in the Properties subkey
    • Driver date - 02
    • Date of first install - 64
    • Date of install - 65
    • Date of last arrival - 66
    • Date of last removal - 67

Registry Location 2: MountedDevices

  • HKLM\SYSTEM\MountedDevices
  • Lists all volumes ever mounted on that machine
    • Details include the same device information found in the USBSTOR key

Registry Location 3: Windows Portable Devices

  • HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices

Windows Registry Location 4: MountPoints2

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • Lists all volumes mounted by Windows Explorer when a particular user is logged on
    • The list is never deleted

Windows Registry Location 5: EMDMgmt

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
  • EMDMgmt = External Memory Device Management
  • Only on Windows Vista and above; the key manages functionality like ReadyBoost
  • Key names include all the information that USBSTOR has and end with VolumeLabel_VolumeSerialNumber
  • Old values are never deleted or replaced, so the same drive formatted many times (each format producing a new volume serial number) can be detected here
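As an added example (not from the wiki page), the Python below parses the key-name and value formats described in the USBSTOR, MountedDevices and EMDMgmt sections and correlates them on the device serial number. The `_??_USBSTOR#...` device-path layout, the disk interface GUID, the `&`-in-second-position marker for Windows-assigned serials and all sample values are assumptions and constructed data not stated on the page.

```python
import re
from dataclasses import dataclass, field

# USBSTOR subkey name: <Type>&Ven_<Vendor>&Prod_<Product>&Rev_<Revision>
USBSTOR_RE = re.compile(r"^\w+&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>.*)$")
# Device path stored in MountedDevices data and at the start of EMDMgmt key names:
# _??_USBSTOR#<Type&Ven&Prod&Rev>#<Serial>&<Port>#{device-interface-guid}
DEVPATH_RE = re.compile(r"_\?\?_USBSTOR#[^#]+#(?P<inst>[^#]+)#\{[0-9a-fA-F-]+\}")

@dataclass
class UsbDevice:
    serial: str
    vendor: str = ""
    product: str = ""
    revision: str = ""
    drive_letters: list = field(default_factory=list)
    volumes: list = field(default_factory=list)  # (volume label, volume serial as hex)

def windows_assigned_serial(serial: str) -> bool:
    """Drives without a hardware serial get a Windows-generated ID with '&' as its 2nd char."""
    return len(serial) > 1 and serial[1] == "&"
def _device(devices: dict, instance_id: str) -> UsbDevice:
    serial = instance_id.rsplit("&", 1)[0]  # drop the trailing "&<port>" suffix
    return devices.setdefault(serial, UsbDevice(serial))
def parse_usbstor(dev_key: str, instance_key: str, devices: dict) -> UsbDevice:
    d = _device(devices, instance_key)
    if m := USBSTOR_RE.match(dev_key):
        d.vendor, d.product, d.revision = m["ven"], m["prod"], m["rev"]
    return d
def parse_mounted_device(value_name: str, data: bytes, devices: dict):
    """MountedDevices: value name like \\DosDevices\\E:, data is the UTF-16LE device path.
    Returns None for values that are not USB mass-storage volumes (e.g. fixed disks)."""
    if m := DEVPATH_RE.search(data.decode("utf-16-le", errors="ignore")):
        d = _device(devices, m["inst"])
        if value_name.startswith("\\DosDevices\\"):
            d.drive_letters.append(value_name.rsplit("\\", 1)[1])
        return d
def parse_emdmgmt(key_name: str, devices: dict):
    """EMDMgmt key name = device path + <VolumeLabel>_<VolumeSerial in decimal>."""
    if m := DEVPATH_RE.match(key_name):
        label, _, vsn = key_name[m.end():].rpartition("_")
        d = _device(devices, m["inst"])
        d.volumes.append((label, f"{int(vsn):08X}"))  # hex form, as 'vol' displays it
        return d

def demo() -> dict:  # constructed sample artifacts for one drive, correlated on serial
    devices = {}
    path = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#4C530001230615120239&0"
            "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
    parse_usbstor("Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00", "4C530001230615120239&0", devices)
    parse_mounted_device("\\DosDevices\\E:", path.encode("utf-16-le"), devices)
    parse_emdmgmt(path + "CASEDATA_305419896", devices)
    return devices
```

On a real image the inputs come from the SYSTEM and SOFTWARE hives; running the three parsers over every USBSTOR instance, MountedDevices value and EMDMgmt key yields one UsbDevice per serial with its letters and volume history.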

Other Registry Locations

  • Most of the same information available under:
    • HKLM\SYSTEM\CurrentControlSet\Enum\USB
    • HKLM\SYSTEM\CurrentControlSet\Enum\STORAGE
    • HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses
    • HKLM\SYSTEM\CurrentControlSet\Control\DeviceContainers
      • From Windows 7 onward
    • HKLM\SYSTEM\CurrentControlSet\Enum\WpdBusEnumRoot\UMB
      • Only on Windows 7

Setupapi Log

  • On Windows 8, Setupapi.dev.log
    • Located at C:\Windows\inf\Setupapi.dev.log
    • Meant for driver-installation debugging, not for information retrieval
    • Stores more detailed information
  • Can be correlated with Registry data

Upon device insertion

  • Setupapi log updated
    • Windows searches for suitable drivers for the device and installs them
  • Registry keys updated
    • Most are deleted within 30 days
    • USBSTOR, MountedDevices, MountPoints2, Windows Portable Devices, EMDMgmt, USB, STORAGE, DeviceContainers
  • Windows event logs updated
    • DeviceSetupManager/Admin
    • Kernel-PnP
    • Kernel-PnPConfig

Event Logs

  • DeviceSetupManager/Admin – EventID 112
    • References product name and containerID