USB History Viewing

From Forensics Wiki
Microsoft [[Windows]] operating systems record artifacts when [[USB]] removable storage devices (thumb drives, iPods, digital cameras, external HDDs, etc.) are connected to the system.

== Plug and Play Manager ==

When a USB removable storage device is connected to a Windows system for the first time, the Plug and Play (PnP) Manager receives the event notification, queries the device descriptor for the information needed to build a device class identifier (device class ID), and attempts to locate the appropriate driver for that device.

The search for and installation of the driver is recorded in the [http://www.microsoft.com/whdc/driver/install/setupapilog.mspx setupapi.log] file (on Windows Vista and later, the equivalent file is %SystemRoot%\inf\setupapi.dev.log). For example:

    [2007/06/10 21:25:41 1140.8 Driver Install]
    #-019 Searching for hardware ID(s): usbstor\disksandisk_u3_cruzer_micro_3.27,...

This provides the date and time at which the removable storage device was first connected to the system. The Windows system will also create an entry in the Registry beneath the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\ key, named using the device class ID:

    Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27

This identifies the class of the device (device type, vendor, product and firmware revision). Beneath this [[Windows Registry|Registry key]], a unique instance ID key is created, named either with the serial number retrieved from the device's device descriptor (with "&0" appended by Windows; [http://www.microsoft.com/whdc/device/stream/vidcap/UVCView.mspx UVCView] can be used to view the contents of the device descriptor) or, if the device does not report a serial number, with an identifier generated by the system itself (based on additional information retrieved from the device descriptor, the USB port the device was plugged into, etc.; the vendor has not publicized the algorithm used to generate this identifier). For example:

    0000161511737EFB&0

Note: If the second character of the unique instance ID is a '&', the ID was generated by the system because the device did not report a serial number. Such an ID depends on the system and port it was generated on, so it cannot be used to track the same device across different machines the way a real serial number can.

Note: The device descriptor is not located in the storage area of the device. While you can acquire an image of the device using any number of imaging tools, that image will not include the device descriptor. For complete documentation of the device, the device descriptor should be retrieved separately from the image acquisition process, using a tool such as UVCView.
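Extracting the first-connection time from setupapi.log can be scripted. The following is an added example written for this page, not code from the page or from any of the tools it mentions. Only the two log lines quoted above (the "[... Driver Install]" header and the "#-019 Searching for hardware ID(s):" line) are taken from the page; the rest of SAMPLE_LOG is constructed filler in the same format.

```python
"""Extract first-connection times of USB storage devices from setupapi.log.

Added example; not code from the wiki page. Only the two log lines quoted
on the page ("[... Driver Install]" and "#-019 Searching for hardware
ID(s): ...") are real; the remaining lines of SAMPLE_LOG are constructed
filler in the same format.
"""
import re
from datetime import datetime

# "[2007/06/10 21:25:41 1140.8 Driver Install]" -> date/time group
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ Driver Install\]")
# "#-019 Searching for hardware ID(s): id1,id2,..." -> comma-separated IDs
HWID_RE = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")

SAMPLE_LOG = """\
[2007/06/10 21:25:41 1140.8 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\disksandisk_u3_cruzer_micro_3.27,usbstor\\disksandisk_u3_cruzer_micro,usbstor\\disksandisk,usbstor\\gendisk,gendisk
#-018 Searching for compatible ID(s): usbstor\\disk,usbstor\\raw
[2007/06/10 21:25:43 1140.8 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\cdromsandisk_u3_cruzer_micro_3.27,usbstor\\cdromsandisk_u3_cruzer_micro,usbstor\\gencdrom,gencdrom
[2007/06/12 09:02:17 1204.3 Driver Install]
#-019 Searching for hardware ID(s): hid\\vid_0000&pid_0000,...
"""


def driver_install_sections(text):
    """Yield (timestamp, [hardware IDs]) for each 'Driver Install' section."""
    stamp, ids = None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if stamp is not None and ids:
                yield stamp, ids
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            ids = []
            continue
        m = HWID_RE.match(line)
        if m and stamp is not None:
            ids.extend(h.strip() for h in m.group(1).split(",") if h.strip())
    if stamp is not None and ids:
        yield stamp, ids


def first_usb_storage_installs(text):
    """Map each USBSTOR hardware ID (the most specific one, listed first) to
    the earliest 'Driver Install' time seen for it.  Sections whose IDs do
    not start with usbstor\\ (HID, PCI, hubs, ...) are ignored."""
    first = {}
    for stamp, ids in driver_install_sections(text):
        usb = [h.lower() for h in ids if h.lower().startswith("usbstor\\")]
        if usb and (usb[0] not in first or stamp < first[usb[0]]):
            first[usb[0]] = stamp
    return first


if __name__ == "__main__":
    for hwid, when in sorted(first_usb_storage_installs(SAMPLE_LOG).items()):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {hwid}")
```

The hardware ID string (usbstor\disksandisk_u3_cruzer_micro_3.27) carries the same vendor, product and revision as the device class ID key under Enum\USBSTOR, which is how the log entry is tied back to the Registry artifacts described below; the timestamps are in the local time of the examined system as written by setupapi.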
== Device Information ==

Beneath the unique instance ID key are several Registry values that describe the device itself (FriendlyName, for example). Of particular note is the ParentIdPrefix value, which can be used to map the device to the MountedDevices Registry key (HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices) in order to identify the drive letter to which the device was mounted. Beneath MountedDevices are several values, all of REG_BINARY type. With RegEdit open, select one of the values whose name begins with "\DosDevices\" and includes a drive letter, and whose data begins with "5C 00 3F 00 3F 00" (a UTF-16LE string beginning "\??\"; the values for fixed disks instead hold a disk signature and partition offset). Right-click the value name and choose "Modify". When the "Edit Binary Value" dialog appears, the binary data is displayed as in a hex viewer, and in the right-most column you should see something like:
 
    \??\STORAGE#RemovableMedia#'''7&2c9a320d&0'''&RM#{53f5630d...

The portion in bold is the ParentIdPrefix for the device. Note that on Windows Vista and later the ParentIdPrefix value is generally absent for USBSTOR devices; there the MountedDevices data for a USB volume references the USBSTOR device path and unique instance ID directly (a string beginning "_??_USBSTOR#Disk&Ven_...").

In order to determine the last time the device was connected to the system, we have to navigate to the following Registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses

Beneath this key are two other keys of interest:

    {53f56307-b6bf-11d0-94f2-00a0c91efb8b}

and

    {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

These are the Device Class [[Universally Unique Identifier|GUID]] keys for Disks and Volumes, respectively (GUID_DEVINTERFACE_DISK and GUID_DEVINTERFACE_VOLUME). Beneath the Disk GUID key are several subkeys that appear as follows (the key name is wrapped here):

    ##?#USBSTOR#Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27#'''0000161511737EFB&0'''
    #{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

The bold portion of the key name is the device's unique instance ID, which in this case is also the device's serial number. Similarly, the Volume GUID key contains subkeys for each volume that was mounted on the system, and those subkey names appear as follows:

    ##?#STORAGE#RemovableMedia#'''7&2c9a320d&0'''&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

The bold portion of the key name is the ParentIdPrefix value for the device.

To determine when the device was last connected to the system, obtain the LastWrite time of the respective Disk and Volume GUID subkeys for the device. Registry key LastWrite times are 64-bit FILETIME values stored in UTC, so convert them to the time zone of the examined system before comparing them with timestamps from setupapi.log or the file system.
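The whole chain (USBSTOR class ID and instance ID, ParentIdPrefix, MountedDevices drive letter, DeviceClasses LastWrite times) is the kind of correlation an offline hive parser performs. The following is an added example written for this page, not code from the page or from USBDeview or any other tool. The Registry contents are a constructed snapshot in nested Python dicts standing in for what a hive parser would return: only the key names and values quoted on the page are real, while the second device, the C: entry, the FriendlyName strings and the LastWrite timestamps are assumed filler.

```python
"""Correlate the USB storage artifacts described above into per-device records.

Added example; not code from the wiki page.  ENUM_USBSTOR, MOUNTED_DEVICES
and DEVICE_CLASSES are a constructed snapshot of the Registry keys named on
the page; only the SanDisk key names/values are the ones quoted there.
"""
import re
from datetime import datetime

GUID_DISK = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"    # GUID_DEVINTERFACE_DISK
GUID_VOLUME = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"  # GUID_DEVINTERFACE_VOLUME
REMOVABLE_RE = re.compile(r"STORAGE#RemovableMedia#(.+?)&RM#", re.IGNORECASE)


def utf16(s):
    """MountedDevices REG_BINARY data for removable volumes is a UTF-16LE string."""
    return s.encode("utf-16-le")


# Enum\USBSTOR: device class ID -> unique instance ID -> values (constructed)
ENUM_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27": {
        "0000161511737EFB&0": {"ParentIdPrefix": "7&2c9a320d&0",
                               "FriendlyName": "SanDisk U3 Cruzer Micro USB Device"},
    },
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {          # assumed second device
        "5&1a2b3c4d&0&1": {"FriendlyName": "Generic Flash Disk USB Device"},  # no serial
    },
}
# SYSTEM\MountedDevices: value name -> REG_BINARY data (constructed)
MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4" + "00" * 8),  # fixed disk: signature + offset
    "\\DosDevices\\E:": utf16("\\??\\STORAGE#RemovableMedia#7&2c9a320d&0&RM#" + GUID_VOLUME),
}
# Control\DeviceClasses: GUID -> subkey name -> key LastWrite time (constructed, UTC)
DEVICE_CLASSES = {
    GUID_DISK: {
        "##?#USBSTOR#Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27#0000161511737EFB&0#"
        + GUID_DISK: datetime(2007, 6, 15, 8, 30, 12),
        "##?#USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#5&1a2b3c4d&0&1#"
        + GUID_DISK: datetime(2007, 7, 1, 17, 5, 0),
    },
    GUID_VOLUME: {
        "##?#STORAGE#RemovableMedia#7&2c9a320d&0&RM#" + GUID_VOLUME: datetime(2007, 6, 15, 8, 30, 13),
    },
}


def parse_device_class_id(class_id):
    """'Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27' -> type/vendor/product/revision."""
    kind, *rest = class_id.split("&")
    fields = {"type": kind}
    names = {"Ven": "vendor", "Prod": "product", "Rev": "revision"}
    for part in rest:
        tag, _, val = part.partition("_")
        fields[names.get(tag, tag)] = val
    return fields


def instance_id_is_generated(instance_id):
    """A '&' as the second character means Windows synthesized the ID (no serial)."""
    return len(instance_id) > 1 and instance_id[1] == "&"


def drive_letters_by_parent_prefix(mounted_devices):
    """Decode the '\\??\\STORAGE#RemovableMedia#...' values and map ParentIdPrefix -> letter."""
    out = {}
    for name, data in mounted_devices.items():
        if not name.startswith("\\DosDevices\\") or not data.startswith(utf16("\\??\\")):
            continue  # fixed-disk entries are not strings; skip them
        m = REMOVABLE_RE.search(data.decode("utf-16-le"))
        if m:
            out[m.group(1)] = name[len("\\DosDevices\\"):]
    return out


def last_write_containing(subkeys, needle):
    """LastWrite time of the DeviceClasses subkey whose name carries '#needle#'."""
    for key_name, last_write in subkeys.items():
        if "#" + needle + "#" in key_name:
            return last_write
    return None


def usb_device_report(enum_usbstor, mounted_devices, device_classes):
    letters = drive_letters_by_parent_prefix(mounted_devices)
    report = []
    for class_id, instances in enum_usbstor.items():
        for instance_id, values in instances.items():
            prefix = values.get("ParentIdPrefix")
            rec = parse_device_class_id(class_id)
            rec.update({
                "instance_id": instance_id,
                "serial": None if instance_id_is_generated(instance_id)
                else instance_id.split("&")[0],
                "friendly_name": values.get("FriendlyName"),
                "drive_letter": letters.get(prefix),
                "last_connected_disk": last_write_containing(
                    device_classes.get(GUID_DISK, {}), instance_id),
                "last_connected_volume": last_write_containing(
                    device_classes.get(GUID_VOLUME, {}), prefix + "&RM") if prefix else None,
            })
            report.append(rec)
    return report


if __name__ == "__main__":
    for rec in usb_device_report(ENUM_USBSTOR, MOUNTED_DEVICES, DEVICE_CLASSES):
        print(rec)
```

The second, assumed device shows the two failure modes a practitioner should expect: a system-generated instance ID yields no serial number, and a missing ParentIdPrefix (as on Vista and later) means the drive letter and Volume LastWrite time cannot be recovered by this route.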
== U3-enabled Devices ==

Many thumb drives come with the capability of being used as a portable desktop. In essence, the device includes a suite of applications (web browser, etc.) that have been specifically configured to run from the device and to store their data within the storage area of the device. These applications are stored within a CDFS partition on the device, which presents itself to Windows as a CD-ROM drive and therefore appears with a device class ID (beneath the Enum\USBStor Registry key) similar to the following:

    CdRom&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27

By default, [[Windows]] systems are configured to parse autorun.inf files found in the root of certain media, and to execute the command named by the "open=" (or "shellexecute=") line of such a file for CDFS volumes (among others). However, by default, the systems are configured NOT to run autorun.inf commands from removable media such as thumb drives (this behavior is controlled by the NoDriveTypeAutoRun Registry value and can be modified). The emulated CD-ROM partition is precisely how a U3 device sidesteps that restriction, so a U3 device class ID in the Registry indicates that code may have been launched from the device automatically on connection.

== External Links ==

[http://www.nirsoft.net/utils/usb_devices_view.html USBDeview] is a tool that automates the viewing of USB device history on Windows 2000/XP/2003/Vista systems. It can recover the device name, description, last plug/unplug date and time, and serial number.

[http://msdn2.microsoft.com/en-us/library/aa906848.aspx UVCView], the USB Video Class descriptor viewer, is a tool in the [[Windows]] Driver Kit (WDK) that allows you to view the descriptors of any attached USB device. It runs on most recent Windows platforms, both 32-bit and 64-bit.

[[Category:Howtos]]
VPN

From Forensics Wiki. Revision as of 08:09, 27 April 2011

{{expand}}

'''VPN''' (Virtual Private Network) is a class of technology that interconnects remote machines by creating a virtual network layer on top of the physical network connection. In practice it is used to maintain the privacy of data shared over that virtual connection (essentially all VPN toolsets apply some form of packet-level [[encryption]]). There are many different modern implementations of the VPN concept, to the point where categorizing them together becomes somewhat questionable.

== Overview ==

Virtual Private Networks are deployed by organizations and individuals for different purposes:

* Protecting confidential information in organizations (for example, when connecting geographically distant office networks);
* Providing "work from home" or traveling employees with secure remote access to office network resources;
* Securing general Internet traffic in particularly insecure network settings (e.g. open wireless networks);
* Encrypting all Internet traffic to and from a home connection, to prevent ISP packet shaping and/or surveillance (for example, [http://www.torrentfreedom.net Torrentfreedom Privacy]).

When used for Internet connectivity, a VPN service also acts as a form of proxy: remote hosts see the address of the VPN server rather than the user's real IP address. As a result, VPNs are an increasingly popular form of anonymity protection for ordinary Internet users as well as for criminals. Note that this only hides the user's address from the remote end; the VPN provider itself, and anyone who can observe traffic on both sides of the VPN server, still sees the real source.

== VPNs and anonymity ==

* Log files: VPN services may maintain usage logs which could then be used to track the activities of a user of those services after the fact. However, some commercial consumer-oriented VPN services specifically configure their servers not to retain any log information of this type. An example is [[Cryptocloud VPN]].
* Protocol stack: [[TCP timestamps]] and IP ID values may be used to correlate incoming (encrypted) and outgoing (unencrypted) network streams at the VPN server. This type of "traffic analysis" can, in theory, be used to gather information about a fully-encrypted VPN connection; in practice, there are no known public examples of traffic analysis being used against commercial VPN service providers.
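As an added illustration of the traffic-analysis risk in the last bullet (example code written for this page, not taken from it or from any VPN product), the script below plays the role of an observer at a VPN server who sees encrypted packets arriving from several clients and plaintext packets leaving, and asks which client a given outgoing stream belongs to. It uses packet sizes and timing rather than the TCP timestamp and IP ID fields named above, because sizes and timing remain visible even when every inner header is encrypted. The packet records, the per-packet tunnel overhead and the forwarding-delay bound are all constructed assumptions.

```python
"""Size/timing correlation of an encrypted ingress stream with a plaintext
egress stream at a VPN server.

Added example; not code from the wiki page.  EGRESS and INGRESS are
constructed packet records, and TUNNEL_OVERHEAD / MAX_DELAY are assumed
figures for the tunnel in question.
"""

TUNNEL_OVERHEAD = 52   # assumed: bytes the tunnel adds per packet (outer headers + crypto framing)
MAX_DELAY = 0.003      # assumed: the server forwards a packet within 3 ms of receiving it

# (time in seconds, size in bytes) as seen on the wire; all constructed.
# Plaintext packets leaving the VPN server towards the Internet:
EGRESS = [(1.0010, 540), (1.0320, 1460), (1.0330, 1460),
          (1.0900, 60), (1.2505, 1460), (1.2512, 980)]
# Encrypted packets arriving at the server, per client:
INGRESS = {
    "client_A": [(1.0000, 592), (1.0310, 1512), (1.0321, 1512),
                 (1.0895, 112), (1.2500, 1512), (1.2508, 1032)],
    "client_B": [(1.0005, 112), (1.0500, 1512), (1.0510, 1512),
                 (1.1000, 112), (1.3000, 1512), (1.3100, 1512)],
    "client_C": [(1.0000, 592), (1.0100, 112), (1.0315, 1512),
                 (1.0900, 112), (1.2000, 1512), (1.2600, 1032)],
}


def correlation_score(ingress, egress, overhead=TUNNEL_OVERHEAD, max_delay=MAX_DELAY):
    """Fraction of egress packets that can be paired one-to-one with an
    ingress packet of the expected encrypted size (plaintext size + overhead)
    that arrived at most max_delay seconds earlier."""
    used = set()
    matched = 0
    for t_out, size_out in egress:
        want = size_out + overhead
        for i, (t_in, size_in) in enumerate(ingress):
            if i in used or size_in != want:
                continue
            if t_out - max_delay <= t_in <= t_out:
                used.add(i)
                matched += 1
                break
    return matched / len(egress) if egress else 0.0


def rank_clients(ingress_by_client, egress):
    """Clients ordered from most to least likely source of the egress stream."""
    scores = {c: correlation_score(pkts, egress) for c, pkts in ingress_by_client.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for client, score in rank_clients(INGRESS, EGRESS):
        print(f"{client}: {score:.2f}")
```

A real observer would need many more packets and a statistical test rather than exact size equality, but the signal is the same; a VPN that pads packets to a fixed size or sends at a constant rate removes it, which is why those measures, and not encryption alone, are what this bullet is about.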

== See Also ==

* [[iVPN]]
* [[Cryptocloud VPN]]
* [[Tor]]
* [[Proxy server]]

[[Category:Anti-Forensics]]
[[Category:Network Forensics]]
[[Category:Encryption]]