This is really nothing new, to be honest. DFIR analysts need to be adaptable, regardless of whether we're in a consulting or an FTE role. If you're a consultant, you're going to see a new environment on every engagement, and there will be new things to deal with and discover. Some time ago, a teammate found that the customer had LANDesk installed on their systems, and its software monitoring component recorded a great deal of information about executed processes right there in the Registry. It isn't too different in an internal, FTE role, as you're likely going to run across legacy builds, software loads that haven't been/can't be updated for some reason, applications or packages users have installed specifically to meet the needs of their department or of a customer, etc. Further, we've seen various resources come and go; for example, we got used to having Registry hive backups available during investigations, and then we lost access to them, as they're no longer created by default. In addition to the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log, the Microsoft-Windows-TaskScheduler/Operational Event Log appears to be disabled by default. As such, when we find that a data source or artifact we're familiar with and used to relying on is no longer available, we have to invest in identifying an alternate means of determining the same or similar information; we have to rebuild those artifact constellations.
The overall point is that we can't consider all USB-connected devices to be the same, and as such, we may have to look in different locations within the OS, including different locations within the Registry and within different Windows Event Logs, to find the information that supports our analysis goals. With that in mind, I sat down with my own local system and started going through the Windows Event Logs, via the Event Viewer, one at a time, looking for indications of connected devices. What I found was that records of connections were dispersed across multiple logs, depending upon the type of device connected (i.e., smartphone/digital camera, external HDD with enclosure, thumb drive, etc.).
So here's a look at the five resources I found; keep in mind this is limited to what I have available to test with, but it should serve as a good starting point...
Microsoft-Windows-WPD-MTPClassDriver/Operational.evtx
Event Source: WPD-MTPClassDriver
Event ID: 1005
Fig 1: Event ID 1005
Figure 1 illustrates where I'd connected my iPhone to the system to pull pictures; I also have entries for my iPod (yes, I still have an iPod...) from when I needed to transfer music to my iPhone. Because of the protocol used (MTP), this is also where we'd likely find digital cameras.
Microsoft-Windows-DeviceSetupManager/Admin
Event Source: DeviceSetupManager
Event ID: 112
Fig 2: Event ID 112
Figure 2 shows where I'd connected a SanDisk Cruzer thumb drive to the computer.
Microsoft-Windows-StorageSpaces-Driver/Operational.evtx
Event Source: StorageSpaces-Driver
Event ID: 207
Fig 3: Event ID 207
I shared figure 3 because this is specifically an external HDD, one of those "wallet" drives with a small form factor/enclosure. This device is small enough that it's powered from the USB connection; I don't have a larger enclosure that requires a separate power supply to test against.
Microsoft-Windows-Partition/Diagnostic.evtx
Event Source: Partition
Event ID: 1006
Fig 4: Event ID 1006, XML view
Figure 4 is a bit different, because the "friendly view" simply says "for internal use only". However, switching to the XML view, we see that the SanDisk Cruzer thumb drive and its serial number pop right out!
Microsoft-Windows-Ntfs/Operational.evtx
Event Source: Ntfs
Event ID: 145, 142
Fig 5: Event ID 145
Figure 5 shows the Ntfs/145 event record (partially) from a previous connection of the SanDisk Cruzer thumb drive. Event ID 142 provides additional information, including the volume assignment (C:, D:, F:, etc.) and whether the volume is bootable, which can be used to tie the connection to shellbags and to the Windows Portable Devices artifacts in the Registry.
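Pulling these five sources together by hand in the Event Viewer is tedious, and the Partition/Diagnostic case shows that the "friendly view" can hide the fields that matter. The following PowerShell is an added example, not code from the original post: it sweeps the five channels for the event IDs listed above, converts each record to the same XML the Event Viewer's XML view shows, and flattens the named EventData fields so device model, serial number and volume details are visible in one place. It must be run in an elevated session on the host being examined; the function name and the -SearchTerm and -Days parameters are assumptions for illustration.

```powershell
# Added example, not code from the original post: sweep the five channels
# described above for the event IDs listed there and flatten each record's
# EventData <Data Name="..."> fields, so that records whose "friendly view"
# only says "for internal use only" (Partition/Diagnostic 1006) still give up
# the device details visible in the XML view. Run in an elevated PowerShell
# session on the host being examined. The function name, -SearchTerm and -Days
# are assumptions for illustration.

function Get-UsbDeviceEvents {
    param(
        [string]$SearchTerm = '',   # e.g. 'Cruzer': keep only records mentioning it
        [int]$Days = 30             # how far back to look
    )

    # Channel -> event IDs, taken from the five findings in the post.
    $Channels = [ordered]@{
        'Microsoft-Windows-WPD-MTPClassDriver/Operational'   = @(1005)
        'Microsoft-Windows-DeviceSetupManager/Admin'         = @(112)
        'Microsoft-Windows-StorageSpaces-Driver/Operational' = @(207)
        'Microsoft-Windows-Partition/Diagnostic'             = @(1006)
        'Microsoft-Windows-Ntfs/Operational'                 = @(142, 145)
    }
    $Since = (Get-Date).AddDays(-$Days)

    foreach ($log in $Channels.Keys) {
        $filter = @{ LogName = $log; Id = $Channels[$log]; StartTime = $Since }
        # Get-WinEvent raises an error when nothing matches, which is normal on a
        # host that never saw that device type; swallow it and move on.
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # ToXml() returns the same XML the Event Viewer "XML View" shows.
            $xml = [xml]$e.ToXml()
            $fields = [ordered]@{}
            foreach ($d in $xml.Event.EventData.Data) {
                # Named <Data> elements carry the useful parts (model, serial, volume, ...).
                if ($d.Name) { $fields[$d.Name] = [string]$d.'#text' }
            }
            $flat = ($fields.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
            if ($SearchTerm -and $flat -notmatch [regex]::Escape($SearchTerm)) { continue }
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                Channel     = $log
                Id          = $e.Id
                EventData   = $flat
            }
        }
    }
}

# Usage: everything from the last 90 days that mentions the SanDisk Cruzer, oldest first.
Get-UsbDeviceEvents -SearchTerm 'Cruzer' -Days 90 | Sort-Object TimeCreated | Format-List
```

Because the field names differ from channel to channel, the script does not assume any of them; it reports whatever named fields each record carries, which is also what makes it useful when a new device type turns up in a channel not listed here. Running it with no -SearchTerm across a longer window gives the raw material for the timeline; the TimeCreated values are what you line up against the shellbags and Windows Portable Devices keys mentioned above.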
Recommendations
From a forensic perspective, if you're interested in tracking USB devices connected to systems, I'd recommend enabling the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log, forwarding those event records off the system (for processing via a SIEM), and adding threat hunting or some other mechanism to ensure that, if the log is disabled again, this is detected and responded to appropriately.
Note that enabling the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log is as simple as setting the "Enabled" value in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-DriverFrameworks-UserMode/Operational key to "1" and rebooting the system. As a tip to DFIR analysts who need to perform verification, and to threat hunters: the reverse approach (setting the "Enabled" value to "0") can be used to disable normally-available Windows Event Logs, so that value is worth watching.
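The Registry value described above is both the switch you flip and the thing an adversary flips back, so the enable step and the hunting check belong together. The PowerShell below is an added example, not code from the original post: it sets the "Enabled" value exactly as described, tells the running Event Log service about it with wevtutil so the channel starts logging without a reboot, and then compares the Registry value with the live channel state for a list of USB-relevant channels, reporting any that are disabled or where the two disagree. Run it elevated. The channel list and function names are assumptions for illustration; the .NET Registry class is used rather than an HKLM: provider path because the channel names contain a forward slash.

```powershell
# Added example, not code from the original post: enable the
# DriverFrameworks-UserMode channel via the Registry value the post names,
# then report any watched channel whose Registry value or live state says
# "disabled" (the hunting check the post recommends). Run elevated.
# The channel list and function names are assumptions for illustration.

$ChannelKeyRoot = 'SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels'

# Channels worth watching; the first is the one the post recommends enabling.
$WatchedChannels = @(
    'Microsoft-Windows-DriverFrameworks-UserMode/Operational',
    'Microsoft-Windows-TaskScheduler/Operational',
    'Microsoft-Windows-WPD-MTPClassDriver/Operational',
    'Microsoft-Windows-DeviceSetupManager/Admin',
    'Microsoft-Windows-StorageSpaces-Driver/Operational',
    'Microsoft-Windows-Partition/Diagnostic',
    'Microsoft-Windows-Ntfs/Operational'
)

function Get-ChannelState {
    param([string]$Channel)
    # Channel names contain '/', so open the key with the .NET Registry class;
    # an HKLM: provider path would treat the slash as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$ChannelKeyRoot\$Channel")
    $regEnabled = $null
    if ($key) { $regEnabled = $key.GetValue('Enabled'); $key.Close() }

    # Live state as the Event Log service currently sees it.
    $live = Get-WinEvent -ListLog $Channel -ErrorAction SilentlyContinue
    $liveEnabled = $null; $records = $null
    if ($live) { $liveEnabled = $live.IsEnabled; $records = $live.RecordCount }

    [pscustomobject]@{
        Channel         = $Channel
        RegistryEnabled = $regEnabled    # 1 = enabled, 0 = disabled, $null = value absent
        LiveEnabled     = $liveEnabled
        RecordCount     = $records
    }
}

function Enable-Channel {
    param([string]$Channel)
    # Set HKLM\...\WINEVT\Channels\<channel>\Enabled = 1, as described in the post.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$ChannelKeyRoot\$Channel", $true)
    if (-not $key) { throw "Channel key not found: $Channel" }
    $key.SetValue('Enabled', 1, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    # Have the running service apply the change instead of waiting for a reboot.
    & wevtutil.exe set-log $Channel /enabled:true
}

# Usage: enable the recommended channel, then list every watched channel that is
# disabled in the Registry or in the live state. A row where the two columns
# disagree means the value was changed and the service has not yet picked it up.
Enable-Channel -Channel $WatchedChannels[0]
$WatchedChannels | ForEach-Object { Get-ChannelState -Channel $_ } |
    Where-Object { $_.RegistryEnabled -ne 1 -or -not $_.LiveEnabled } |
    Format-Table -AutoSize
```

The Get-ChannelState half is the part to schedule or wire into your endpoint tooling: run it on a cadence, alert on any watched channel whose Registry "Enabled" value is not 1, and treat a mismatch between RegistryEnabled and LiveEnabled as a sign that someone has been at the key. A RecordCount that stops growing on a channel that is nominally enabled is a second, weaker signal worth tracking on the SIEM side.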