How to Analyze USB Device History in Windows


Analyze USB Device History in Windows

This is the second blog post in a series of five about recovering Business Applications & OS Artifacts for your digital forensics investigations.

Whether you’re a corporate examiner working an intellectual property theft, or a law enforcement investigator searching for illicit images, most forensic examiners have investigated the USB device history of a computer.  When examining USBs, it’s just as important to identify the user who connected the device, as it is to analyze the data that may have been transferred to or from the system.

There are five key pieces of information that need to be found when investigating USB device history.  With the data from each of these sources, investigators can better understand how USB devices have been used on a given system, and possibly how a suspect might have used a USB device in the commission of a crime or incident.

The majority of the artifacts associated with USB device history are located in the Windows registry of a computer, and can be parsed by tools such as Internet Evidence Finder (IEF), Harlan Carvey’s RegRipper, AccessData’s Registry Viewer, or manually with Windows regedit.

5 Key Artifacts That Need to be Found When Investigating USB Device History:

  1. The USBSTOR located in the SYSTEM hive (SYSTEM\CurrentControlSet\Enum\USBSTOR) USBSTOR contains details on the vendor and brand of USB device connected, along with the serial number of the device that can be used to match the mounted drive letter, user, and the first and last connected times of the device.
  2. The MountedDevices key (SYSTEM\MountedDevices)  Allows investigators to match the serial number to a given drive letter or volume that was mounted when the USB device was inserted. It’s possible that the investigator won’t be able to identify the drive letter if several USB devices have been added, since the mapped drive letter only shows the serial number for the most recently mounted device for each letter assigned.
  3. The MountPoints2 key found in a user’s NTUSER.dat hive (NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2) This information will reveal which user was logged in and active when the USB device was connected. MountPoints2 lists all of the device GUIDs that a particular user connected, so you might need to search through each NTUSER.dat hive on the system to identify which user connected a particular device.
  4. The USB key in the SYSTEM hive (SYSTEM\CurrentControlSet\Enum\USB)  This key provides investigators with vendor and product ID for a given device, but also provides the last time the USB device was connected to the system. Using the last write time for the key of the device serial number, investigators can identify the last time it was connected.
  5. The setupapi log (ROOT\Windows\inf\setupapi.dev.log  for Windows Vista/7/8)(ROOT\Windows\setupapi.log for Windows XP)  Searching for the serial number in this file will provide investigators with information on when the device was first connected to the system in local time. Examiners must exercise caution, as unlike the other timestamps mentioned in this article which are stored in UTC, the setupapi.log stores its data in the system’s local time and must be converted to UTC to correctly match any timeline analysis being performed by the investigator.

Unfortunately investigating USB devices isn’t always that easy, as there are scenarios where the USB doesn’t interact with the system as described above. This is where devices using the Media Transfer Protocol (or MTP) are introduced.

How to Investigate MTP Devices

Originally designed for portable media devices such as MP3 players, MTP (Media Transfer Protocol) devices aren’t quite as common as USB devices and keys, but they are quite popular with mobile devices including Android, BlackBerry and Windows Phone. Different drivers are used on a Windows system when an MTP device is connected, versus when a traditional USB mass storage device is.

One major difference for forensic investigators looking at MTP device history is that because an MTP device is not a USB mass storage device, it doesn’t produce an entry in the USBSTOR key in the SYSTEM hive, nor will the MountPoints2 key in the NTUSER.dat hive list a drive letter for an MTP device because Windows does not assign drive letters to MTP devices. It is important to recognize these changes as investigators rely on these locations to enumerate the USB devices connected to a computer.

Nicole Ibrahim has written and presented on MTP devices extensively, and anyone looking for additional information should check out her blog post or SANS DFIR Summit presentation.

Making USB Analysis Easier with Internet Evidence Finder (IEF)

Above, we discussed a number of ways to manually identify USB devices connected to a system, but collecting all the information from various registry keys and logs can be incredibly time consuming, which is why forensic tools are key to help you automate the collection process.

Internet Evidence Finder can now recover USB device history, which means the artifacts that need to be collected for each USB entry can be automatically found by the software, organized and presented to the investigator, saving them the time it takes to do the manual work.

Here’s an example of what a USB artifact looks like after it has been found by an IEF search:

  1. Device serial number from USBSTOR
  2. Last assigned drive letter from MountedDevices
  3. Associated user account from MountPoints2
  4. Last time connected from USB
  5. First time connected from setupapi.log

IEF will parse the registry hives and setupapi.log locations mentioned above, then present the investigator with details on all of the USB and MTP devices connected to a system. Associated user, mounted drive letter, first and last time connected as well as many other details are recovered and organized for the investigator to quickly analyze and determine what is relevant to their investigation.  Examiners must still understand the locations and details around a particular artifact if they are to successfully analyze its significance, but much of the manual collection work is done automatically for the investigator, so they can focus on the analysis of the data.

As always, feel free to get in touch with me by emailing jamie(dot)mcquaid(at)magnetforensics(dot)com. Or, you can ask me a question here. 

Related resources you might be interested in:

  1. See what IEF is all about: Attend a Demo
  2. Try IEF for Free:

Jamie McQuaid
Forensics Consultant, Magnet Forensics