Windows USB Device Forensics - nurit-cyber/Windows-Evidence GitHub Wiki
USB Device Forensics Introduction
USB device forensics is the work of identifying every USB device that may have been connected to a system: its unique serial number, its friendly name (the human-readable description Windows assigns), and whatever other details remain available.
This information is traditionally found in the Windows Registry, chiefly under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR and Enum\USB, with drive-letter mappings in HKLM\SYSTEM\MountedDevices, but the registry is not easy to navigate by hand.
Importance
Not all illegal content will be stored locally on a machine. Some of the content will be stored on flash drives, SD cards, and/or hard drives that will then only be inserted into the computer when the suspect wants to access the content and then store it away afterward.
This makes USB forensics essential for finding clues to what devices were connected to the system. While some image and video forensics will also record information about files accessed from non-local storage, it is better to have as much corroborating evidence as possible and to establish where the images were actually stored.
Evidence
As elsewhere in this Wiki, the forensic tools used are free, so that cost is not a limiting factor.
USBDeview
USBDeview is a free Nirsoft tool and GUI-based program that collects USB device information from the Windows Registry of the local device.
USBDeview records USB information such as device description, device type, serial number, and registry timestamps that usually indicate when the USB device was first and last connected.
When USBDeview was run on the machine, it picked up every USB device that had been plugged into it: an SD card, an HDD, and a flash drive.
The Lexar flash drive it found was the drive USBDeview itself was running from.
In the image above, none of the USB devices found are highlighted in green. USBDeview highlights currently connected USB devices in green; devices that are no longer connected are not highlighted at all.
USBDeview also notes the first time that the device was connected to the machine, when it was last connected, and when it was disconnected.
The above shows the information that is most likely to be useful for investigations: device description, device type, drive letter, serial number, friendly name, and time stamps.
Analysis
USBDeview found the following USB devices:
- SD Card: Generic
- HDD: WD My Passport 0820 USB Device
- Flash Drive: PNY USB 3.0 FD USB Device
USBDeview also reports each device's serial number and its install time, that is, when the device was first connected to the local system, together with the most recent connection time. The pair shows how long, and how recently, the device has been in use with this machine.
A device that has been connected repeatedly suggests the user has a recurring interest in it, which may indicate a storage device that holds illegal content.
Because USBDeview also attempts to determine which drive letter the external storage device was mounted under, the source paths of recovered image files can be compared against that letter to tie them to a specific device; the serial number, device type, and brand recovered here can then support a warrant to seize and examine that device.
USBWindowsRegistry.ps1
USBDeview by Nirsoft is not perfect: sometimes it does not pull every USB device recorded in the Windows Registry. The script in the "Code" portion of this Wiki enumerates all USB storage devices recorded under the USBSTOR key and lists their unique serial numbers, USB device type, and friendly name.
Remember to run as Administrator
As shown in the image above, device information is shown under "FriendlyName", and then the PSChildName contains the serial numbers for the USB devices that have been connected.
The serial numbers match all of the devices found in USBDeview except the WD My Passport.
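As an added example (written for this page, not the wiki's USBWindowsRegistry.ps1 and not part of USBDeview), the following PowerShell walks the USBSTOR key the way the script described above does, flags Windows-generated instance IDs that are not real serials, pulls the first-install, last-arrival and last-removal timestamps through the PnP property store, and joins the drive letter each device last held from HKLM\SYSTEM\MountedDevices (the drive-letter correlation discussed in the USBDeview analysis). It assumes an elevated prompt on Windows 8 / Server 2012 or later, where the Get-PnpDeviceProperty cmdlet is available.

```powershell
# Added example (not the wiki's USBWindowsRegistry.ps1): walk every USB mass-storage
# device Windows has ever enumerated under USBSTOR, recover its serial, PnP timestamps
# and the drive letter it last held. Assumes an elevated prompt on Windows 8 /
# Server 2012 or later (Get-PnpDeviceProperty lives in the PnpDevice module).

# --- 1. Drive letters from HKLM:\SYSTEM\MountedDevices -------------------------------
# For USB volumes the value data is a UTF-16LE string such as
#   _??_USBSTOR#Disk&Ven_PNY&Prod_USB_3.0_FD&Rev_PMAP#AA0123456789&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
# Only the most recent device to hold each letter is recorded, so a missing letter
# does not mean the device was never mounted.
$letterBySerial = @{}
foreach ($p in (Get-ItemProperty 'HKLM:\SYSTEM\MountedDevices').PSObject.Properties) {
    if ($p.Name -match '^\\DosDevices\\(?<letter>[A-Z]):$') {
        $letter  = $Matches.letter
        $decoded = [Text.Encoding]::Unicode.GetString([byte[]]$p.Value)
        if ($decoded -match '^_\?\?_USBSTOR#[^#]+#(?<inst>[^#]+)#') {
            $letterBySerial[($Matches.inst -replace '&0$', '')] = "${letter}:"
        }
    }
}

# --- 2. Device records from USBSTOR, with timestamps via the PnP property store -----
# These DEVPKEYs are the same values the registry stores under
#   Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 .. 0067 (REG_FILETIME).
$timeKeys = 'DEVPKEY_Device_InstallDate', 'DEVPKEY_Device_FirstInstallDate',
            'DEVPKEY_Device_LastArrivalDate', 'DEVPKEY_Device_LastRemovalDate'
$usbstor  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'

$results = foreach ($class in Get-ChildItem $usbstor) {
    # $class.PSChildName looks like Disk&Ven_PNY&Prod_USB_3.0_FD&Rev_PMAP
    foreach ($inst in Get-ChildItem $class.PSPath) {
        $props      = Get-ItemProperty $inst.PSPath
        $instanceId = "USBSTOR\$($class.PSChildName)\$($inst.PSChildName)"

        # The key name is the USB serial plus a trailing "&0" interface suffix. If the
        # SECOND character is '&', the device exposed no serial descriptor and Windows
        # generated a port-specific ID instead; such an ID does not identify the device.
        $serial        = $inst.PSChildName -replace '&0$', ''
        $hasRealSerial = -not ($serial.Length -gt 1 -and $serial[1] -eq '&')

        $times = @{}
        try {
            Get-PnpDeviceProperty -InstanceId $instanceId -KeyName $timeKeys -ErrorAction Stop |
                ForEach-Object { $times[$_.KeyName] = $_.Data }
        } catch { }   # no PnP property data for this record; leave the times empty

        [pscustomobject]@{
            FriendlyName = $props.FriendlyName
            Model        = $class.PSChildName
            Serial       = $serial
            RealSerial   = $hasRealSerial
            DriveLetter  = $letterBySerial[$serial]
            FirstInstall = $times['DEVPKEY_Device_FirstInstallDate']
            LastArrival  = $times['DEVPKEY_Device_LastArrivalDate']
            LastRemoval  = $times['DEVPKEY_Device_LastRemovalDate']
        }
    }
}

$results | Sort-Object FirstInstall | Format-Table -AutoSize
# $results | Export-Csv -NoTypeInformation .\usbstor_devices.csv   # keep a copy with the case notes
```

Run it from an elevated PowerShell and keep the CSV with the case notes. Two caveats the output makes visible: RealSerial is False when the instance ID was generated by Windows (second character "&"), so that ID changes with the port and cannot identify the device; and MountedDevices keeps only the latest device per letter, so an empty DriveLetter does not mean the device was never mounted.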
Analysis
The PowerShell script found the following USB devices:
- SD Card: Generic
- HDD: WD My Passport 0820 USB Device
- Flash Drive: PNY USB 3.0 FD USB Device
However, the serial number shown here for the WD My Passport does not match the one USBDeview reported. Both tools ultimately read the registry, so the two values should be reconciled rather than one simply preferred: compare the instance key under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (whose name carries a trailing "&0" interface suffix) with the matching key under Enum\USB\VID_xxxx&PID_xxxx (which does not), and note that an ID whose second character is "&" is a Windows-generated identifier rather than a serial the drive reported. The value read directly from the registry, with the discrepancy explained, is the one to cite.
This script is best used in conjunction with USBDeview to double-check information and fill in any blanks that USBDeview may have.
setupapi.dev
Under C:\Windows\INF\setupapi.dev.log, together with any rotated copies of it in the same folder, there is information about when devices were installed on the machine along with other details about each device.
After opening the file, search it for "[Device Install (Hardware initiated)".
Each hit marks a section written when Windows installed a device on the local machine; the device's instance path (for USB storage, USBSTOR\<model>\<serial>&0) is in the same header line.
The "Section start" line immediately below the header carries the date and time of that installation, which for a USB device is normally the first time it was connected. The lines that follow record the driver-selection process and are rarely needed for the timeline. These timestamps are written in local time, not UTC.
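The search described above can be scripted. The following PowerShell, added here as an example and not part of the original wiki, parses the "[Device Install (Hardware initiated)" sections of setupapi.dev.log into objects with the instance path, the serial taken from it, the Section start time and the exit status. The sample text it runs on is constructed in the real log's layout for demonstration; the last pipeline points the same function at the live log and its rotated copies.

```powershell
# Added example, not from the wiki: turn "[Device Install (Hardware initiated)" sections
# of setupapi.dev.log into objects carrying device path, serial and install time.
function ConvertFrom-SetupApiLog {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    begin {
        $header  = '^>>>\s+\[Device Install \(Hardware initiated\) - (?<id>[^\]]+)\]'
        $start   = '^>>>\s+Section start (?<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})'
        $exit    = '^<<<\s+\[Exit status: (?<status>[^\]]+)\]'
        $current = $null
    }
    process {
        if ($Line -match $header) {
            # Instance path, e.g. USBSTOR\Disk&Ven_PNY&Prod_USB_3.0_FD&Rev_PMAP\AA0123456789&0
            $path   = $Matches.id
            $parts  = $path -split '\\'
            $model  = if ($parts.Count -gt 1) { $parts[1] } else { $null }
            # Drop the "&0" interface suffix. A serial whose second character is '&' was
            # generated by Windows because the device exposed none; it is not unique.
            $serial = if ($parts.Count -gt 2) { $parts[2] -replace '&0$', '' } else { $null }
            $current = [pscustomobject]@{
                Bus          = $parts[0]
                Model        = $model
                Serial       = $serial
                SectionStart = $null   # local time as written by Windows, not UTC
                ExitStatus   = $null
                InstancePath = $path
            }
        }
        elseif ($current -and $Line -match $start) {
            $current.SectionStart = [datetime]::ParseExact(
                $Matches.ts, 'yyyy/MM/dd HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        }
        elseif ($current -and $Line -match $exit) {
            $current.ExitStatus = $Matches.status
            $current            # emit the completed section
            $current = $null
        }
    }
}

# Constructed sample in the log's real layout (not copied from any actual system):
$sample = @'
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_PNY&Prod_USB_3.0_FD&Rev_PMAP\AA0123456789&0]
>>>  Section start 2021/03/04 09:15:22.118
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
     dvi: {Build Driver List} 09:15:22.130
<<<  Section end 2021/03/04 09:15:23.402
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_STORAGE_DEVICE&Rev_0250\7&1f2e3d4c&0&_&0]
>>>  Section start 2021/03/06 18:40:01.550
<<<  Section end 2021/03/06 18:40:02.010
<<<  [Exit status: SUCCESS]
'@ -split "`r?`n"

$sample | ConvertFrom-SetupApiLog | Format-Table Model, Serial, SectionStart, ExitStatus -AutoSize

# Live system: the current log plus rotated copies, which hold installs that predate it.
Get-ChildItem 'C:\Windows\INF\setupapi.dev*.log' |
    ForEach-Object { Get-Content -LiteralPath $_.FullName } |
    ConvertFrom-SetupApiLog |
    Where-Object { $_.Bus -eq 'USBSTOR' } |
    Sort-Object SectionStart
```

Filtering on Bus keeps only mass-storage sections; drop the Where-Object to see every hardware-initiated install, including USB devices that are not storage. Because a section is only written when Windows installs the device, a device that shows up in the registry but not in the current log has usually been installed before the log was rotated, so the rotated copies matter.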
Analysis
setupapi.dev.log found the following USB Devices:
- SD Card: Generic
- Flash Drive: PNY USB 3.0 FD USB Device
- HDD: WD My Passport 0820 USB Device
Oddly, the external HDD was not found in setupapi.dev.log in the usual section format; instead it appeared in the listing shown above that enumerated all of the USBSTOR devices. A common reason for a device to be missing from the current log is that its installation predates the log's rotation, in which case the section is in an older setupapi.dev.*.log copy in the same folder.
Overall, setupapi.dev.log is hard to navigate, and separating what matters for the case from the rest of the log takes effort. The devices do appear with their unique serial numbers and the time each was installed, but none of this information is unique to setupapi.dev.log, so the file is best used to verify data already found elsewhere.
One limit to keep in mind: setupapi.dev.log does not count insertions. A section is written when Windows installs (or reinstalls) a device, which normally happens only the first time a given device is connected, so the file gives a first-connection time, not a frequency of use. How often a drive was attached is better judged from the last-arrival and last-removal timestamps in the device's registry Properties key (the values USBDeview displays) and, where available, from the Microsoft-Windows-Partition/Diagnostic and Microsoft-Windows-DriverFrameworks-UserMode/Operational event logs (the latter is disabled by default and only helps if it was turned on beforehand).
Implications
The information Windows keeps about previously connected USB devices is essential to investigations focused on digital content that may be held on external devices. External storage is commonly used simply for overflow, but small flash drives are also used to hide illicit material that is then stored away, so that separate legal authority is needed to seize and examine them.
Using the information that Windows provides about the previously accessed external drives will provide more evidence and clues about what the drive is and what it is used for. It also will help to pinpoint what the drive is to apply for search warrants for that device.
USBDeview is the easiest tool to use currently, and it provides a lot of essential information about when the device was last accessed, the first time it was accessed, a description of the device, and what the device is.
USBDeview in conjunction with the script that was created and noted in this Wiki can help verify information, such as unique device serial numbers to determine which device is needed if there are multiple of the same type.
setupapi.dev.log can then both verify the information already found and supply the date and time each device was first installed on the local system.