Windows Incident Response: USB Devices Redux


Back in 2005, Cory Altheide and I published the first paper on tracking USB storage devices across Windows systems; at the time, the focus was Windows XP. A lot has happened since then…I know, that's an understatement…as the Windows platform has evolved and expanded, first with Vista, then Windows 7, and even with Windows 10 there have been developments that have come (and gone) just between the various Win10 builds.

With respect to USB devices in particular, not long ago, we (the community) became aware that the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log contained quite a bit of information (see this post for event IDs to track) that a digital forensic analyst could use to determine if and when USB devices had been connected to (and disconnected from) the system. This was a pretty profound finding, and very valuable…and then, for some unknown reason, that Windows Event Log was disabled by default.
Also, in researching information for this topic, I found that the EMDMgmt key in the Software hive, which is associated with ReadyBoost and provided insight into USB-connected devices, is no longer available either. Okay, so one less artifact, one artifact removed from the constellation…now we just have to adapt.

This is really nothing new, to be honest. DFIR analysts need to be adaptable, regardless of whether we're in a consulting or FTE role. If you're a consultant, you're going to see a new environment on every engagement, and there will likely be new things to deal with and discover. A while back, a teammate found that the client had LANDesk installed on their systems, and the software monitoring component recorded a great deal of information regarding executed processes right there in the Registry. It isn't too different in an internal, FTE role, as you're likely going to run across legacy builds, software loads that haven't been/can't be updated for some reason, applications or packages users have installed specifically to meet the needs of their department or of a customer, etc. Further, we've seen various resources come and go; for example, we got used to having Registry hive backups available during investigations, and then we lost access to them; they're no longer available by default. In addition to the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log, the Microsoft-Windows-TaskScheduler/Operational Event Log appears to be disabled by default. As such, when we find that a data source or artifact that we're familiar with and used to using is no longer available, we have to invest in identifying an alternate means for determining the same or similar information; we have to rebuild those artifact constellations.

Something else that has evolved over time alongside the development of the Windows platform is how USB devices are treated. For example, Nicole Ibrahim described some time ago how some USB-connected devices, specifically smartphones, are treated differently based on the protocol used. Nicole's presentation on the subject can be found here.

The overall point is that we cannot consider all USB-connected devices to be the same, and as such, we may have to look in different locations within the OS, including different locations within the Registry and within different Windows Event Logs, to find the information pursuant to our analysis goals. Pursuant to this, I sat down with my own local system and started going through the Windows Event Logs, via the Event Viewer, one at a time, looking for indications of connected devices. What I found was that records of connections were dispersed across several logs, depending upon the type of device connected (i.e., smartphone/digital camera, external HDD with enclosure, thumb drive, etc.).

As a caveat, these event records are not exclusive; that is to say that the individual event source/ID pairs do not pertain solely to USB-connected devices. In many cases, the same event source/ID pair was found to contain information specific to the local physical hard drive, as well as to the different volumes on that hard drive. Also, all of these events are for the latest build of Windows 10 only, because that is all I have to test against.

So here's a look at the five resources I found; keep in mind this is limited based on what I have available to test with, but it should serve as a good starting point…

Microsoft-Windows-WPD-MTPClassDriver/Operational.evtx

Event Source: WPD-MTPClassDriver

Event ID: 1005

Fig 1: Event ID 1005

Figure 1 illustrates where I'd connected my iPhone to the system to pull pictures; I also have entries for my iPod (yes, I still have an iPod…) where I wanted to transfer music to my iPhone. Due to the protocol used, this is also where we would likely find digital cameras, as well.

Microsoft-Windows-DeviceSetupManager/Admin

Event Source: DeviceSetupManager

Event ID: 112

Fig 2: Event ID 112

Figure 2 shows where I'd connected a SanDisk Cruzer thumb drive to the computer.

Microsoft-Windows-StorageSpaces-Driver/Operational.evtx

Event Source: StorageSpaces-Driver

Event ID: 207

Fig 3: Event ID 207

I shared figure 3 because this is specifically an external HDD, one of those "wallet" drives with a small form factor/enclosure. This device is small enough that it's powered from the USB connection; I don't have a larger enclosure that requires an additional power supply to test against.

Microsoft-Windows-Partition/Diagnostic.evtx

Event Source: Partition

Event ID: 1006

Fig 4: Event ID 1006, XML view

Figure 4 is a bit different, because the "friendly view" simply says, "for internal use only". However, looking at the XML view, we see that the SanDisk Cruzer thumb drive and its serial number pop right out!

Microsoft-Windows-Ntfs/Operational.evtx

Event Source: Ntfs

Event ID: 145, 142

Fig 5: Event ID 145

Figure 5 shows the Ntfs/145 event record (partially) from a previous connection of the SanDisk Cruzer thumb drive. Event ID 142 provides more information, including regarding the volume assignment (C:, D:, F:, etc.), whether the volume is bootable, etc., which can be used to tie to shellbags and Windows Portable Devices artifacts in the Registry.
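To pull the five event source/ID pairs listed above from a live Windows 10 system in one pass, here is an added PowerShell example; it is my own, not a script from the post or from Microsoft. It assumes an elevated session that can read each channel, renders every record as XML so that payload fields hidden behind a "for internal use only" friendly view still show up, and then narrows on USB-style device paths. That regex filter is an assumption about what the payloads contain; given the caveat above that these IDs also fire for the internal disk, keep the unfiltered results for review too.

```powershell
# Added example (not from the original post): query the five event source/ID pairs
# described above on a live Windows 10 system. Assumes an elevated session that can
# read each channel; a channel that is absent or empty is reported and skipped.

$sources = @(
    @{ LogName = 'Microsoft-Windows-WPD-MTPClassDriver/Operational';  Id = 1005 }      # MTP devices: phones, cameras, iPods
    @{ LogName = 'Microsoft-Windows-DeviceSetupManager/Admin';        Id = 112 }       # device setup, e.g. a thumb drive
    @{ LogName = 'Microsoft-Windows-StorageSpaces-Driver/Operational'; Id = 207 }       # USB-powered external HDD enclosure
    @{ LogName = 'Microsoft-Windows-Partition/Diagnostic';            Id = 1006 }      # vendor/serial only visible in XML view
    @{ LogName = 'Microsoft-Windows-Ntfs/Operational';                Id = 142, 145 }  # mount and volume/drive-letter assignment
)

function Get-EventPayload {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Render the record as XML so fields hidden behind a "for internal use only"
    # friendly view (Partition/1006) are visible as Name=Value pairs.
    $xml = [xml]$Event.ToXml()
    $fields = foreach ($d in $xml.Event.EventData.Data) {
        if ($d -is [string]) { $d } else { "$($d.GetAttribute('Name'))=$($d.InnerText)" }
    }
    if (-not $fields) { return $Event.Message }   # some events carry UserData instead
    return ($fields -join '; ')
}

$results = foreach ($s in $sources) {
    try {
        $events = Get-WinEvent -FilterHashtable $s -ErrorAction Stop
    } catch {
        # Get-WinEvent throws both when the channel is missing and when no record matches
        Write-Warning "$($s.LogName) ID $($s.Id -join ','): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            LogName     = $e.LogName
            Id          = $e.Id
            Payload     = Get-EventPayload -Event $e
        }
    }
}

# Caveat from the post: these IDs also fire for the internal disk and its volumes.
# Narrowing on USB-style device paths is an assumption about the payload contents;
# keep $results for the unfiltered view.
$usbOnly = $results | Where-Object { $_.Payload -match 'USBSTOR|USB\\VID_|WPDBUSENUM' }
"$($results.Count) matching records, $($usbOnly.Count) with USB-style device paths"
$usbOnly | Sort-Object TimeCreated | Format-Table TimeCreated, LogName, Id, Payload -AutoSize -Wrap
```

Sorting the combined output by TimeCreated is what turns five separate logs into a single connection timeline; the LogName column then tells you which device class (MTP, storage enclosure, thumb drive) produced each entry.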


From a forensic perspective, if you're interested in tracking USB devices connected to systems, I would recommend enabling the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log, forwarding those event records off of the system (for processing via a SIEM), as well as threat hunting or some other mechanism to ensure that if the log is disabled again, this is detected and responded to in the appropriate manner.

Note that enabling the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log is as simple as setting the "Enabled" value in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DriverFrameworks-UserMode/Operational key to "1" and rebooting the system. As a tip to DFIR analysts who need to perform verification and to threat hunters, the reverse approach (setting the "Enabled" value to "0") can be used to disable normally-available Windows Event Logs.
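As an added example of the enable-and-verify step just described (my own PowerShell, not a script from the post or from Microsoft), the snippet below reads the channel's state from both the live event log configuration and the registry "Enabled" value named above, records a finding if the channel is disabled, enables it through the channel configuration API (which takes effect without the reboot), and then re-verifies. It assumes an elevated session on Windows 10. The registry key is opened through the .NET registry API rather than the HKLM: provider because the key name contains a forward slash, which the provider treats as a path separator.

```powershell
# Added example (not from the original post): check, enable and re-verify the
# DriverFrameworks-UserMode/Operational channel. Assumes an elevated session.

$channel = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
$subKey  = "SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\$channel"

function Get-ChannelState {
    param([string]$Name, [string]$RegistryPath)
    # Live view: the channel configuration the Event Log service is using right now.
    $live = Get-WinEvent -ListLog $Name -ErrorAction Stop
    # Registry view: the "Enabled" value the post describes. Opened via .NET because
    # the key name contains "/", which the PowerShell registry provider treats as a separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($RegistryPath)
    $reg = if ($key) { $key.GetValue('Enabled') } else { $null }
    [pscustomobject]@{
        Channel         = $Name
        LiveEnabled     = $live.IsEnabled
        RegistryEnabled = $reg
        RecordCount     = $live.RecordCount
        MaxSizeBytes    = $live.MaximumSizeInBytes
    }
}

$before = Get-ChannelState -Name $channel -RegistryPath $subKey
$before | Format-List

# Verification / hunting check: a registry value of 0 or a live flag of $false is the
# condition the post warns about. Surface it as a finding before touching anything,
# so the change that disabled the log gets investigated rather than silently undone.
if ($before.RegistryEnabled -eq 0 -or -not $before.LiveEnabled) {
    Write-Warning "FINDING: $channel is disabled (registry Enabled=$($before.RegistryEnabled), live=$($before.LiveEnabled))"
}

if (-not $before.LiveEnabled) {
    # Same effect as setting Enabled=1 and rebooting, applied immediately through the
    # channel configuration API (equivalent to: wevtutil sl "$channel" /e:true).
    $cfg = Get-WinEvent -ListLog $channel
    $cfg.IsEnabled = $true
    $cfg.SaveChanges()
}

# Re-read both views; after SaveChanges() the service writes Enabled=1 to the registry itself.
$after = Get-ChannelState -Name $channel -RegistryPath $subKey
if ($after.LiveEnabled -and $after.RegistryEnabled -eq 1) {
    "$channel enabled: $($after.RecordCount) records currently on disk"
} else {
    Write-Warning "$channel still not enabled; check permissions and the channel registry key"
}
```

The same Get-ChannelState function, run on a schedule or from an EDR/SIEM query against the registry value, is a cheap way to catch the reverse technique the post mentions: the value flipping from 1 to 0 on a host that is supposed to be forwarding this log.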


