Difference between pages "USB History Viewing" and "Bibliography"

From ForensicsWiki

The comparison view interleaves two unrelated pages; the wiki source of each is reproduced separately below, "USB History Viewing" first and then "Bibliography".

----

USB History Viewing

Windows systems (Microsoft Windows 2000/XP/2003/Vista) record artifacts when USB removable storage devices (thumb drives, iPods, digital cameras, external HDDs, etc.) are connected to the system.

When a USB removable storage device is connected to a Windows system for the first time, the Plug and Play (PnP) Manager receives the event notification, queries the device descriptor for the information needed to build a device class identifier (device class ID), and attempts to locate the appropriate driver for that device.

Looking for and installing the correct driver for the device is recorded in the [http://www.microsoft.com/whdc/driver/install/setupapilog.mspx setupapi.log] file. For example:

    [2007/06/10 21:25:41 1140.8 Driver Install]
    #-019 Searching for hardware ID(s): usbstor\disksandisk_u3_cruzer_micro_3.27,...

This provides the date and time that the removable storage device was first connected to the system. The Windows system will also create an entry in the Registry beneath the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\ key, named with the device class ID:

    Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27

This identifies the class of the device. Beneath this Registry key, a unique instance ID key is created, using either the serial number retrieved from the device's device descriptor (you can use [http://www.microsoft.com/whdc/device/stream/vidcap/UVCView.mspx UVCView] to view the contents of the device descriptor) or, if the device does not have a serial number, an identifier generated by the system itself (based on additional information retrieved from the device descriptor, the USB port the device was plugged into, etc.; the vendor has not published the algorithm used to generate this identifier). For example:

    0000161511737EFB&0

Note: If the second character of the unique instance ID is a '&', then the ID was generated by the system, as the device did not have a serial number.

Beneath this key are several Registry values that provide information about the device itself. Of particular note is the ParentIdPrefix value; this value can be used to map to the MountedDevices Registry key in order to identify the drive letter to which the device was mounted. Beneath the MountedDevices Registry key are several values, all of which are REG_BINARY data types. With RegEdit open, select one of the values that begins with "\DosDevices\" and includes a drive letter. The value selected should be one whose data begins with "5C 00 3F 00 3F 00". Right-click the value name and choose "Modify". When the "Edit Binary Value" dialog appears, you will see the binary data displayed as if it were viewed in a hex viewer. In the right-most column, you should see something like:

    \??\STORAGE#RemovableMedia#'''7&2c9a320d&0'''&RM#{53f5630d...

The portion in bold is the ParentIdPrefix for the device.

In order to determine the last time the device was connected to the system, navigate to the following Registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses

Beneath this key are two other keys of interest:

    {53f56307-b6bf-11d0-94f2-00a0c91efb8b}

and

    {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

These are the Device Class GUID keys for Disks and Volumes, respectively. Beneath the Disk GUID key are several subkeys that appear as follows (the key name is wrapped):

    ##?#USBSTOR#Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27#'''0000161511737EFB&0'''
    #{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

The bold portion of the key name is the device's unique instance ID, which in this case is also the device's serial number. Similarly, the Volume GUID key contains subkeys for each volume that was mounted on the system, and those subkey names appear as follows:

    ##?#STORAGE#RemovableMedia#'''7&2c9a320d&0'''&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

The bold portion of the key name is the ParentIdPrefix value for the device.

To determine when the device was last connected to the system, obtain the LastWrite time of the respective Disk and Volume GUID Registry subkeys for the device.

----

You can view a history of USB devices plugged into Windows systems (Windows 2000/XP/2003/Vista) by using [http://www.nirsoft.net/utils/usb_devices_view.html USBDeview].

To do this, extract the SYSTEM file from c:\Windows\System32\config (or the equivalent path).

You can do this indirectly via EnCase or any other system imaging format/type (.dd, .e01, etc.) by extracting the "SYSTEM" file from the image to a local path.

Once this is complete, open a command prompt and run USBDeview. Example:

  usbdeview.exe /regfile "c:\case number\system"

This provides information including the device name, description, last plug/unplug date and time, serial number, etc.

[[Category:Howtos]]

----

Bibliography

Latest revision as of 07:29, 26 June 2013 (edit summary: Evidence Gathering: Added article on methods of retrieving digital evidence.)

=Disk Disposal and Data Recovery=

* [http://forensic.belkasoft.com/download/info/SSD%20Forensics%202012.pdf Why SSD Drives Destroy Court Evidence, and What Can Be Done About It] by Oleg Afonin and Yuri Gubanov, 2012
* [http://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf Disk Imaging: A Vital Step in Data Recovery], DeepSpar Data Recovery Systems, November 2006. An in-depth look at the many issues that cause data loss / irretrievable data in the data recovery imaging process and how to overcome them.
* [http://www.actionfront.com/ts_whitepaper.asp Drive-Independent Data Recovery: The Current State-of-the-Art], ActionFront Data Recovery Labs, August 2005.
* [[Recovering Overwritten Data#The Gutmann Paper|Secure Deletion of Data from Magnetic and Solid-State Memory]], Peter Gutmann, Proceedings of the Sixth USENIX Security Symposium, 1996. [http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html]
* [http://www-03.ibm.com/financing/pdf/us/recovery/igf4-a032.pdf Hard Drive Disposal: The Overlooked Confidentiality Exposure], Financial Perspectives, IBM White Paper, November 2003.

<bibtex>
@Article{garfinkel:remembrance,
  author =      "Simson Garfinkel and Abhi Shelat",
  author_a =    "Simson L. Garfinkel and Abhi Shelat",
  title =       "Remembrance of Data Passed",
  journal =     "{IEEE} Security and Privacy Magazine",
  publisher =   "IEEE",
  year =        "2002",
  month =       Jan,
  url =         "http://www.simson.net/clips/academic/2003.IEEE.DiskDriveForensics.pdf"
}
</bibtex>

=Evidence Gathering=

* [http://belkasoft.com/download/info/Live_RAM_Analysis_in_Digital_Forensics.pdf Discovering ephemeral evidence with Live RAM analysis] by Oleg Afonin and Yuri Gubanov, 2013
* [http://belkasoft.com/download/info/Retrieving%20Digital%20Evidence%20-%20Methods,%20Techniques%20and%20Issues.pdf Retrieving Digital Evidence: Methods, Techniques and Issues] by Yuri Gubanov, 2012
* [http://utdallas.edu/~sxs018540/index/docs/byteprints_itcc05.pdf Byteprints: A Tool to Gather Digital Evidence], Sriranjani Sitaraman, Srinivasan Krishnamurthy and S. Venkatesan, Proceedings of the International Conference on Information Technology (ITCC 2005), Las Vegas, Nevada, USA, April 4 - 6, 2005

=Fake Information=

* [https://analysis.mitre.org/proceedings/Final_Papers_Files/84_Camera_Ready_Paper.pdf Automatic Detection of Fake File Systems], Neil C. Rowe, International Conference on Intelligence Analysis Methods and Tools, McLean, Virginia, May 2005.

=Feature Extraction and Data Fusion=

'''Computer Location Determination Through Geoparsing and Geocoding of Extracted Features''' http://www2.chadsteel.com:8080/Publications/drive_location2.doc

<bibtex>
@inproceedings{garfinkel:cda,
  title =       "Forensic feature extraction and cross-drive analysis",
  author =      "Simson Garfinkel",
  booktitle =   {Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS)},
  address =     "Lafayette, Indiana",
  journal =     "Digital Investigation",
  year =        2006,
  month =       Aug,
  url =         "http://www.dfrws.org/2006/proceedings/10-Garfinkel.pdf",
  location =    "Lafayette, Indiana"
}
</bibtex>

=Text Mining=

'''Computer Forensic Text Analysis with Open Source Software,''' Christian Johansson, Masters Thesis, Blekinge Tekniska Hogskola, June 2003 http://www.fukt.bth.se/~uncle/papers/master/thesis.pdf

=Signed Evidence=

<bibtex>
@article{duerr-2004,
  title =       "Information Assurance Applied to Authentication of Digital Evidence",
  author =      "Thomas E. Duerr and Nicholas D. Beser and Gregory P. Staisiunas",
  year =        2004,
  journal =     "Forensic Science Communications",
  volume =      6,
  number =      4,
  url =         "http://www.fbi.gov/hq/lab/fsc/backissu/oct2004/research/2004_10_research01.htm"
}
</bibtex>

<bibtex>
@article{OppligerR03,
  author =      {Rolf Oppliger and Ruedi Rytz},
  title =       {Digital Evidence: Dream and Reality},
  journal =     {IEEE Security {\&} Privacy},
  volume =      {1},
  number =      {5},
  year =        {2003},
  pages =       {44-48},
  url =         {http://doi.ieeecomputersociety.org/10.1109/MSECP.2003.1236234},
  abstract =    "Digital evidence is inherently weak. New evidence-gathering technologies-digital black boxes-must be developed and deployed to support investigations of irreproducible events such as digitally signing a document."
}
</bibtex>

=Theory=

'''A Hypothesis-Based Approach to Digital Forensic Investigations,''' Brian D. Carrier, Ph.D. Dissertation, Purdue University, May 2006 https://www.cerias.purdue.edu/tools_and_resources/bibtex_archive/archive/2006-06.pdf

=Other Papers=

* [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=531782 A Model for When Disclosure Helps Security: What is Different About Computer and Network Security?], Peter P. Swire, Moritz College of Law of the Ohio State University, Journal on Telecommunications and High Technology Law, Vol. 2, 2004.

[[Category:Bibliographies]]
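The USB History Viewing steps above (first-connection time from setupapi.log, device class ID and instance ID under USBSTOR, ParentIdPrefix mapped through MountedDevices to a drive letter, and LastWrite times of the DeviceClasses subkeys) chain together into one timeline per device. The following Python script is an added example, not code from the ForensicsWiki page or from USBDeview: it runs the whole chain over constructed sample data that mirrors the page's SanDisk U3 Cruzer Micro values, plus a second constructed device with a system-generated instance ID. The Registry keys are modelled as plain dicts (on a real case you would read them from an extracted SYSTEM hive with a hive parser), the MountedDevices data is the UTF-16LE encoding of the `\??\STORAGE#...` name (which is why the page says the bytes start with `5C 00 3F 00 3F 00`), and the mapping from a USBSTOR device class ID to the lower-case setupapi.log hardware ID is an assumption inferred from the page's one example pair.

```python
import re
from datetime import datetime

# ---- Constructed sample inputs (not from the page; values mirror its examples) ----

# setupapi.log excerpt: the first two lines follow the page, the rest is constructed.
SETUPAPI_LOG = """\
[2007/06/10 21:25:41 1140.8 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\disksandisk_u3_cruzer_micro_3.27,usbstor\\disksandisk_u3_cruzer_micro
#-018 Searching for compatible ID(s): usbstor\\disk,usbstor\\raw
[2007/06/12 09:03:17 1140.8 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\diskgeneric_flash_disk_8.07,usbstor\\diskgeneric_flash_disk
"""

DISK_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"    # Disk device class GUID (from the page)
VOLUME_GUID = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"  # Volume device class GUID (from the page)

# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR: device class ID -> instance ID -> values
USBSTOR = {
    "Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27": {
        "0000161511737EFB&0": {"ParentIdPrefix": "7&2c9a320d&0"},
    },
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {
        # second character is '&': Windows generated the ID, the device reported no serial
        "6&1a2b3c4d&0": {"ParentIdPrefix": "7&3e5f7a90&0"},
    },
}

def volume_name(prefix):
    """Device name that MountedDevices stores for a removable volume."""
    return "\\??\\STORAGE#RemovableMedia#" + prefix + "&RM#" + VOLUME_GUID

# HKLM\SYSTEM\MountedDevices: value name -> REG_BINARY data.  C: holds a constructed
# fixed-disk signature + partition offset, not a UTF-16LE name, so it must be skipped.
MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + (32256).to_bytes(8, "little"),
    "\\DosDevices\\E:": volume_name("7&2c9a320d&0").encode("utf-16-le"),
    "\\DosDevices\\F:": volume_name("7&3e5f7a90&0").encode("utf-16-le"),
}

# HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses: GUID -> subkey name -> LastWrite time
DEVICE_CLASSES = {
    DISK_GUID: {
        "##?#USBSTOR#Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27#0000161511737EFB&0#" + DISK_GUID:
            datetime(2007, 6, 15, 18, 40, 2),
        "##?#USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#6&1a2b3c4d&0#" + DISK_GUID:
            datetime(2007, 6, 12, 9, 3, 20),
    },
    VOLUME_GUID: {
        "##?#STORAGE#RemovableMedia#7&2c9a320d&0&RM#" + VOLUME_GUID: datetime(2007, 6, 15, 18, 40, 3),
        "##?#STORAGE#RemovableMedia#7&3e5f7a90&0&RM#" + VOLUME_GUID: datetime(2007, 6, 12, 9, 3, 21),
    },
}

# ---- Artifact parsing ----

INSTALL_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ Driver Install\]$")
HWID_RE = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")
PARENT_RE = re.compile(r"RemovableMedia#(.+?)&RM#")

def first_install_times(log_text):
    """Map the first hardware ID of each 'Driver Install' section to its timestamp;
    the earliest section per ID is kept, i.e. the first time the device was seen."""
    result, pending = {}, None
    for line in log_text.splitlines():
        m = INSTALL_RE.match(line)
        if m:
            pending = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = HWID_RE.match(line)
        if m and pending is not None:
            result.setdefault(m.group(1).split(",")[0].strip().lower(), pending)
            pending = None
    return result

def hardware_id_for(device_class_id):
    """Assumed mapping from a USBSTOR device class ID to the setupapi.log hardware ID,
    e.g. Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27 -> usbstor\\disksandisk_u3_cruzer_micro_3.27."""
    fields = device_class_id.split("&")
    parts = dict(p.split("_", 1) for p in fields[1:])
    return "usbstor\\" + (fields[0] + parts["Ven"] + "_" + parts["Prod"] + "_" + parts["Rev"]).lower()

def is_system_generated(instance_id):
    """Page rule: a '&' as the second character means Windows generated the instance ID."""
    return len(instance_id) > 1 and instance_id[1] == "&"

def decode_mounted_device(data):
    """Return the device name in a MountedDevices value, or None when the value holds
    a fixed-disk signature/offset rather than a UTF-16LE name starting with '\\??'."""
    if data[:6] != "\\??".encode("utf-16-le"):   # 5C 00 3F 00 3F 00, as on the page
        return None
    return data.decode("utf-16-le").rstrip("\x00")

def drive_letters_by_parent_prefix(mounted):
    """Map ParentIdPrefix -> drive letter from the \\DosDevices\\X: values."""
    out = {}
    for name, data in mounted.items():
        text = decode_mounted_device(data) if name.startswith("\\DosDevices\\") else None
        m = PARENT_RE.search(text) if text else None
        if m:
            out[m.group(1)] = name.rsplit("\\", 1)[1]
    return out

def last_write_for(subkeys, needle):
    """LastWrite time of the DeviceClasses subkey whose name embeds the instance ID or prefix."""
    for name, ts in subkeys.items():
        if "#" + needle + "#" in name or "#" + needle + "&RM#" in name:
            return ts
    return None

def build_usb_history(log_text=SETUPAPI_LOG, usbstor=USBSTOR, mounted=MOUNTED_DEVICES, classes=DEVICE_CLASSES):
    """Walk every USBSTOR device and assemble the per-device timeline the article describes."""
    first_seen = first_install_times(log_text)
    letters = drive_letters_by_parent_prefix(mounted)
    records = []
    for class_id, instances in usbstor.items():
        for instance_id, values in instances.items():
            prefix = values.get("ParentIdPrefix")
            records.append({
                "device_class_id": class_id,
                "instance_id": instance_id,
                "instance_id_system_generated": is_system_generated(instance_id),
                "first_connected": first_seen.get(hardware_id_for(class_id)),
                "drive_letter": letters.get(prefix),
                "last_connected_disk": last_write_for(classes[DISK_GUID], instance_id),
                "last_connected_volume": last_write_for(classes[VOLUME_GUID], prefix) if prefix else None,
            })
    return records

if __name__ == "__main__":
    for record in build_usb_history():
        print(record)
```

Each record ties one physical device to its first-seen time, its mount point and its most recent Disk and Volume LastWrite times; the `instance_id_system_generated` flag is the cue, from the page's note, that the serial cannot be used to match the same stick across other machines.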
