This is the second blog post in a series of five about recovering Business Applications & OS Artifacts for your digital forensics investigations.
Whether you’re a corporate examiner working an intellectual property theft case or a law enforcement investigator searching for illicit images, you have most likely investigated the USB device history of a computer. When examining USB devices, identifying the user who connected the device is just as important as analyzing the data that may have been transferred to or from the system.
There are five key pieces of information that need to be found when investigating USB device history. With the data from each of these sources, investigators can better understand how USB devices have been used on a given system, and possibly how a suspect might have used a USB device in the commission of a crime or incident.
The majority of the artifacts associated with USB device history are located in the Windows registry of a computer, and can be parsed by tools such as Internet Evidence Finder (IEF), Harlan Carvey’s RegRipper, AccessData’s Registry Viewer, or manually with Windows regedit.
5 Key Artifacts That Need to be Found When Investigating USB Device History:
Unfortunately, investigating USB devices isn’t always that easy, as there are scenarios where the device doesn’t interact with the system as described above. This is where devices using the Media Transfer Protocol (MTP) come in.
How to Investigate MTP Devices
Originally designed for portable media devices such as MP3 players, MTP (Media Transfer Protocol) devices aren’t quite as common as USB mass storage devices and keys, but they are quite popular with mobile devices, including Android, BlackBerry and Windows Phone. Windows loads different drivers when an MTP device is connected than when a traditional USB mass storage device is.
One major difference for forensic investigators looking at MTP device history is that an MTP device is not a USB mass storage device, so it doesn’t produce an entry in the USBSTOR key in the SYSTEM hive. Nor will the MountPoints2 key in the NTUSER.dat hive list a drive letter for it, because Windows does not assign drive letters to MTP devices. It is important to recognize these differences, as investigators rely on these locations to enumerate the USB devices connected to a computer.
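To make the cross-hive chain concrete, here is an added example (my own code, not from the post or from IEF) that joins the locations named above with SYSTEM\MountedDevices, the key that links a USBSTOR serial number to the volume GUID that each user's MountPoints2 key records. The hive contents, serial numbers, volume GUIDs, VID/PID and user names are constructed sample data; the disk device-interface class GUID and the Windows Portable Devices (WPD) class GUID are real values that the post itself does not mention. The MTP phone is included to show what a USBSTOR-only review misses: it is enumerated under Enum\USB with the WPD class and has no MountedDevices entry and no drive letter.

```python
"""Correlating USB mass storage artifacts across the SYSTEM and NTUSER.dat hives.

Added example, not code from the original post or from Magnet Forensics. The
hive contents below are constructed sample data shaped like the decoded values
an examiner sees in regedit or a RegRipper report; every serial, GUID, VID/PID
and user name is fictitious except the two well-known class GUIDs.
"""

# Disk device-interface class appended to USBSTOR volume names in MountedDevices,
# and the WPD setup class that MTP devices are enumerated under (real GUIDs).
DISK_INTERFACE_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
WPD_CLASS_GUID = "{eec5ad98-8080-425f-922a-dabf3de3f69a}"

# SYSTEM\ControlSet001\Enum\USBSTOR -> {device model key: {serial&instance: values}}
USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26": {
        "4C530001234567890123&0": {"FriendlyName": "SanDisk Cruzer USB Device"},
    },
    "Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP": {
        "0019E06B5D2ABC0123AF&0": {"FriendlyName": "Kingston DataTraveler USB Device"},
    },
}

# SYSTEM\MountedDevices -> {value name: data already decoded from UTF-16LE}.
# \DosDevices\<letter> only names the device currently mapped to that letter, so a
# stick whose letter was later reused survives only as a \??\Volume{GUID} entry.
_SANDISK = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26"
            "#4C530001234567890123&0#" + DISK_INTERFACE_GUID)
_KINGSTON = ("_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP"
             "#0019E06B5D2ABC0123AF&0#" + DISK_INTERFACE_GUID)
MOUNTED_DEVICES = {
    "\\DosDevices\\E:": _SANDISK,
    "\\??\\Volume{a1b2c3d4-0001-4aaa-8bbb-000000000001}": _SANDISK,
    "\\??\\Volume{a1b2c3d4-0002-4aaa-8bbb-000000000002}": _KINGSTON,
}

# NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2,
# one hive per user profile -> {user: [volume GUID subkey names]}
MOUNTPOINTS2 = {
    "alice": ["{a1b2c3d4-0001-4aaa-8bbb-000000000001}"],
    "bob": ["{a1b2c3d4-0002-4aaa-8bbb-000000000002}"],
}

# SYSTEM\ControlSet001\Enum\USB -> {VID&PID key: {instance id: values}}.
# The phone is an MTP device: WPD class, no USBSTOR entry, no drive letter.
ENUM_USB = {
    "VID_18D1&PID_4EE1": {
        "0123456789ABCDEF": {"ClassGUID": WPD_CLASS_GUID, "FriendlyName": "Nexus 5"},
    },
}


def volumes_for_serial(serial):
    """Return (drive letters, volume GUIDs) whose MountedDevices data names this serial."""
    letters, guids = [], []
    for name, data in MOUNTED_DEVICES.items():
        if not data.startswith("_??_USBSTOR#") or "#" + serial + "#" not in data:
            continue
        if name.startswith("\\DosDevices\\"):
            letters.append(name.rsplit("\\", 1)[1])
        elif name.startswith("\\??\\Volume"):
            guids.append(name[len("\\??\\Volume"):])
    return letters, guids


def users_for_volume(guid):
    """Users whose MountPoints2 key contains this volume GUID, i.e. who mounted it."""
    return [user for user, keys in MOUNTPOINTS2.items() if guid in keys]


def correlate_usbstor():
    """One record per USBSTOR device: serial -> volume GUID -> drive letter -> user."""
    records = []
    for model, instances in USBSTOR.items():
        for instance, values in instances.items():
            letters, guids = volumes_for_serial(instance)
            users = sorted({u for g in guids for u in users_for_volume(g)})
            records.append({
                "model": model,
                "serial": instance.split("&")[0],
                # A '&' as the second character means Windows generated the
                # instance id because the device reported no serial number.
                "has_real_serial": instance[1:2] != "&",
                "friendly_name": values.get("FriendlyName"),
                "drive_letters": letters,
                "volume_guids": guids,
                "users": users,
            })
    return records


def mtp_devices():
    """WPD-class devices from Enum\\USB, which a USBSTOR-only review would miss."""
    known_serials = {i.split("&")[0] for d in USBSTOR.values() for i in d}
    found = []
    for vid_pid, instances in ENUM_USB.items():
        for instance, values in instances.items():
            if values.get("ClassGUID", "").lower() != WPD_CLASS_GUID:
                continue
            serial = instance.split("&")[0]
            found.append({
                "vid_pid": vid_pid,
                "serial": serial,
                "friendly_name": values.get("FriendlyName"),
                "in_usbstor": serial in known_serials,
                "drive_letters": [],  # Windows assigns no drive letter to MTP devices
            })
    return found
```

On a real system the same join is done with the values read from the offline hives; the point to carry over is that the user attribution comes from the volume GUID, not the drive letter, because the \DosDevices\ letter mapping is overwritten each time another device takes that letter.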
Making USB Analysis Easier with Internet Evidence Finder (IEF)
Above, we discussed a number of ways to manually identify USB devices connected to a system, but collecting all the information from the various registry keys and logs can be incredibly time consuming, which is why forensic tools that automate the collection process are so valuable.
Internet Evidence Finder can now recover USB device history: the artifacts that need to be collected for each USB entry are found automatically by the software, organized and presented to the investigator, saving the time it would take to do the manual work.
Here’s an example of what a USB artifact looks like after it has been found by an IEF search:
IEF parses the registry hives and setupapi.log locations mentioned above, then presents the investigator with details on all of the USB and MTP devices connected to a system. The associated user, mounted drive letter, first and last time connected, and many other details are recovered and organized so the investigator can quickly determine what is relevant to their investigation. Examiners must still understand the locations and details around a particular artifact to analyze its significance, but much of the manual collection work is done automatically, so they can focus on analysis of the data.
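The "first time connected" detail comes from the setupapi log, so as an added example (my own code, not from the post or from IEF) here is a parser for the Vista-and-later C:\Windows\inf\setupapi.dev.log section layout that records the earliest "Device Install (Hardware initiated)" section per device instance ID and tells USBSTOR mass storage entries apart from the phone enumerated under USB\VID_xxxx&PID_xxxx. The log excerpt, timestamps, serial numbers and VID/PID are constructed; the section header and "Section start" line formats are the real ones, but the Windows XP setupapi.log uses a different layout that this code does not handle.

```python
"""Pull first-connection times for USB devices out of setupapi.dev.log.

Added example, not code from the original post or from Magnet Forensics. The
excerpt below is constructed to match the Vista+ setupapi.dev.log section
layout; every timestamp, serial number and VID/PID in it is fictitious.
"""
import re

# Constructed sample. A device normally gets one install section the first
# time it is plugged in; a later driver reinstall can add another, so the
# earliest 'Section start' per device is the first-connected time.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\4C530001234567890123&0]
>>>  Section start 2014/02/10 09:15:22.123
      cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
     dvi:                  {Build Driver List} 09:15:22.140
<<<  Section end 2014/02/10 09:15:23.456
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\\VID_18D1&PID_4EE1\\0123456789ABCDEF]
>>>  Section start 2014/03/01 17:40:05.010
     dvi:                  {Build Driver List} 17:40:05.020
<<<  Section end 2014/03/01 17:40:07.800
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\4C530001234567890123&0]
>>>  Section start 2014/03/15 08:02:11.900
<<<  Section end 2014/03/15 08:02:12.100
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<devid>[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
END = re.compile(r"^<<<\s+Section end (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>\w+)\]")


def _parse_ts(text):
    """'2014/02/10 09:15:22.123' -> ISO 8601 string, keeping millisecond precision."""
    date, clock = text.split(" ")
    return date.replace("/", "-") + "T" + clock


def parse_sections(log_text):
    """Return one dict per hardware-initiated install section, in log order."""
    sections, current = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"device_id": m["devid"], "start": None, "end": None, "status": None}
            sections.append(current)
            continue
        if current is None:
            continue
        for field, pattern in (("start", START), ("end", END)):
            m = pattern.match(line)
            if m:
                current[field] = _parse_ts(m["ts"])
        m = STATUS.match(line)
        if m:
            current["status"] = m["status"]
    return sections


def first_install_times(log_text):
    """Earliest section start per device instance ID: the first-connected time."""
    first = {}
    for s in parse_sections(log_text):
        if s["start"] is None:
            continue
        dev = s["device_id"]
        if dev not in first or s["start"] < first[dev]:  # ISO strings sort chronologically
            first[dev] = s["start"]
    return first


def split_device_id(device_id):
    """'USBSTOR\\<model>\\<serial>&0' -> (enumerator, model, serial).

    Enumerator USBSTOR means a mass storage device that will also appear under
    the USBSTOR registry key; USB with a WPD/MTP class device will not.
    """
    enumerator, model, instance = device_id.split("\\", 2)
    return enumerator, model, instance.split("&")[0]
```

Because the log holds the device instance ID, the serial it yields is the same string used as the USBSTOR subkey name and inside the MountedDevices data, which is what lets the first-connected time be attached to the rest of the device record.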
As always, feel free to get in touch with me by emailing jamie(dot)mcquaid(at)magnetforensics(dot)com. Or, you can ask me a question here.
Forensics Consultant, Magnet Forensics