Difference between pages "USB History Viewing" and "Windows 8"

From ForensicsWiki

= Windows 8 =

Revision as of 13:15, 20 October 2013

Initially Windows 8 had a workstation edition and a server edition. The server edition became Windows Server 2012.

== New Features ==

The following new features were introduced in Windows 8:

* [[Windows Shadow Volumes | File History]]
* [[Windows Storage Spaces | Storage Spaces]]
* [[Search Charm History]]

== File System ==

The file system used by Windows 8 is primarily [[NTFS]].

The [[Resilient File System (ReFS)]] was initially available in the server edition of Windows 8, which became Windows Server 2012.

== Jump Lists ==

[[Jump Lists]] are taskbar artifacts that were first introduced in Windows 7 and are also present on Windows 8.

== Prefetch ==

The prefetch file hash function is similar to that of [[Windows 2008]].

== Registry ==

The [[Windows_Registry|Windows Registry]] remains a core component of the Windows operating system.

== See Also ==

* [[Windows]]
* [[Windows Vista]]
* [[Windows 7]]

== External Links ==

* [http://en.wikipedia.org/wiki/Features_new_to_Windows_8 Features new to Windows 8], Wikipedia
* [http://computerforensics.champlain.edu/blog/windows-8-forensics Windows 8 Forensics - part 1]
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-2 Windows 8 Forensics - part 2]
* [http://computerforensics.champlain.edu/blog/windows-8-forensics-part-3 Windows 8 Forensics - part 3]
* [http://propellerheadforensics.files.wordpress.com/2012/05/thomson_windows-8-forensic-guide2.pdf Windows 8 Forensic Guide], by [[Amanda Thomson|Amanda C. F. Thomson]], 2012
* [http://forensicfocus.com/Forums/viewtopic/t=9604/ Forensic Focus: Windows 8 Forensics - A First Look], [http://www.youtube.com/watch?v=uhCooEz9FQs&feature=youtu.be Presentation], [http://www.forensicfocus.com/downloads/windows-8-forensics-josh-brunty.pdf Slides], by [[Josh Brunty]], August 2012
* [http://dfstream.blogspot.ch/2013/03/windows-8-tracking-opened-photos.html Windows 8: Tracking Opened Photos], by [[Jason Hale]], March 8, 2013
* [http://dfstream.blogspot.com/2013/09/windows-8-and-81-search-charm-history.html Windows 8 and 8.1: Search Charm History], by [[Jason Hale]], September 9, 2013

[[Category:Operating systems]]

----

= USB History Viewing =

Windows systems (Microsoft Windows 2000/XP/2003/Vista) record artifacts when USB removable storage devices (thumb drives, iPods, digital cameras, external HDDs, etc.) are connected to the system.

When a USB removable storage device is connected to a Windows system for the first time, the Plug and Play (PnP) Manager receives the event notification, queries the device descriptor for the information needed to build a device class identifier (device class ID), and attempts to locate the appropriate driver for that device.

The search for and installation of the correct driver is recorded in the [http://www.microsoft.com/whdc/driver/install/setupapilog.mspx setupapi.log] file (%SystemRoot%\setupapi.log on Windows 2000/XP/2003; on Windows Vista and later, device installation is logged to %SystemRoot%\inf\setupapi.dev.log instead). For example:

    [2007/06/10 21:25:41 1140.8 Driver Install]
    #-019 Searching for hardware ID(s): usbstor\disksandisk_u3_cruzer_micro_3.27,...

This provides the date and time that the removable storage device was first connected to the system; note that setupapi.log timestamps are written in the system's local time, not UTC. The Windows system also creates an entry in the Registry beneath the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\ key, using the device class ID:

    Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27

This identifies the class of the device. Beneath this Registry key a unique instance ID key is created, named either with the serial number retrieved from the device's device descriptor (you can use [http://www.microsoft.com/whdc/device/stream/vidcap/UVCView.mspx UVCView] to view the contents of the device descriptor) or, if the device has no serial number, with an identifier generated by the system itself (based on additional information retrieved from the device descriptor, the USB port the device was plugged into, etc.; the vendor has not publicized the algorithm used to generate this identifier). For example:

    0000161511737EFB&0

Note: If the second character of the unique instance ID is a '&', the ID was generated by the system because the device did not have a serial number.

Beneath this key are several Registry values that describe the device. Of particular note is the ParentIdPrefix value, which can be used to map the device to the MountedDevices Registry key and so identify the drive letter to which it was mounted. Beneath the MountedDevices key are several values, all of the REG_BINARY data type. With RegEdit open, select one of the values whose name begins with "\DosDevices\" and includes a drive letter, and whose data begins with "5C 00 3F 00 3F 00" (the UTF-16LE encoding of "\??"). Right-click the value name and choose "Modify". When the "Edit Binary Value" dialog appears, the data is shown as it would be in a hex viewer; in the right-most column you should see something like:
 
    \??\STORAGE#RemovableMedia#'''7&2c9a320d&0'''&RM#{53f5630d...

The portion in bold is the ParentIdPrefix for the device. On Windows Vista and later the ParentIdPrefix value is frequently absent for USB disks; the MountedDevices data for such a volume instead takes the form _??_USBSTOR#<device class ID>#<unique instance ID>#{GUID}, so the drive letter is mapped on the unique instance ID rather than on a ParentIdPrefix.
 
In order to determine the last time the device was connected to the system, navigate to the following Registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses

Beneath this key are two other keys of interest:

    {53f56307-b6bf-11d0-94f2-00a0c91efb8b}

and

    {53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
 
These are the Device Class GUID keys for disks and volumes, respectively. Beneath the Disk GUID key are several subkeys that appear as follows (the key name is wrapped here for readability):

    ##?#USBSTOR#Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27#'''0000161511737EFB&0'''
    #{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

The bold portion of the key name is the device's unique instance ID, which in this case is also the device's serial number. Similarly, the Volume GUID key contains a subkey for each volume that was mounted on the system; those subkey names appear as follows:

    ##?#STORAGE#RemovableMedia#'''7&2c9a320d&0'''&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

The bold portion of the key name is the ParentIdPrefix value for the device.

To determine when the device was last connected to the system, obtain the LastWrite time of the respective Disk and Volume GUID subkeys for the device. A key's LastWrite time is a 64-bit FILETIME (UTC) stored in the key's header cell in the hive; RegEdit does not display it, so read it with a registry parsing tool or through the Win32 RegQueryInfoKey API, and remember that it is in UTC whereas the setupapi.log timestamp is local time.
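
The procedure above can be scripted against data exported from a SYSTEM hive and a setupapi.log. The following Python is an added example written for this page, not code from the ForensicsWiki article or from any tool it mentions. It parses a constructed setupapi.log fragment, USBSTOR and DeviceClasses key names, MountedDevices REG_BINARY data and FILETIME LastWrite values modelled on the SanDisk example above, ties them together by ParentIdPrefix and unique instance ID, and converts the LastWrite FILETIMEs to UTC. All function names and the sample data are the example's own; the Vista-and-later "_??_USBSTOR#" MountedDevices form and the hardware-ID matching heuristic are assumptions from the editor's experience rather than statements of the page.

```python
"""Offline parsing of the USB history artifacts described above. Added example, not
code from the ForensicsWiki page; it runs on constructed sample data modelled on the
page's SanDisk U3 Cruzer example rather than on a live registry or extracted hive."""
import re
from datetime import datetime, timedelta, timezone

DISK_CLASS_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
VOLUME_CLASS_GUID = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
_INSTALL_HDR = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ Driver Install\]$")
_HWID_LINE = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")

def first_install_events(log_text):
    """(naive local datetime, [hardware IDs]) per 'Driver Install' block.
    setupapi.log timestamps are local system time, hence no tzinfo."""
    events, when = [], None
    for line in log_text.splitlines():
        m = _INSTALL_HDR.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = _HWID_LINE.match(line)
        if m and when is not None:
            events.append((when, [h.strip() for h in m.group(1).split(",") if h.strip()]))
            when = None
    return events

def is_system_generated_id(instance_id):
    """'&' as second character: Windows synthesised the ID (device had no serial)."""
    return len(instance_id) > 1 and instance_id[1] == "&"

def parse_device_class_key(key_name):
    """Split ##?#USBSTOR#<class ID>#<instance ID>#{disk GUID} or
    ##?#STORAGE#RemovableMedia#<ParentIdPrefix>&RM#{volume GUID} on '#'."""
    p = key_name.split("#")
    if p[-1] == DISK_CLASS_GUID and p[3] == "USBSTOR":
        return {"kind": "disk", "device_class_id": p[4], "instance_id": p[5]}
    if p[-1] == VOLUME_CLASS_GUID and p[3] == "STORAGE":
        return {"kind": "volume", "parent_id_prefix": re.sub(r"&RM$", "", p[5])}
    raise ValueError("not a USB disk/volume DeviceClasses key: " + key_name)

def mounted_device_target(data):
    """Decode MountedDevices REG_BINARY data that is a UTF-16LE path: XP-style '\\??\\'
    (bytes 5C 00 3F 00 3F 00) or Vista+ '_??_' (assumed form). Fixed-disk entries
    (disk signature + partition offset) are not paths and yield None."""
    if data.startswith(b"\\\x00?\x00?\x00\\\x00") or data.startswith(b"_\x00?\x00?\x00_\x00"):
        return data.decode("utf-16-le").rstrip("\x00")
    return None

def volume_link_id(target):
    """ParentIdPrefix (XP STORAGE#RemovableMedia path) or unique instance ID
    (Vista+ _??_USBSTOR path) that ties a MountedDevices entry back to USBSTOR."""
    m = re.match(r"\\\?\?\\STORAGE#RemovableMedia#(.+?)&RM#", target)
    if m:
        return m.group(1)
    m = re.match(r"_\?\?_USBSTOR#[^#]+#([^#]+)#", target)
    return m.group(1) if m else None

def filetime_to_utc(ft):
    """Key LastWrite times are FILETIMEs: 100 ns ticks since 1601-01-01, UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def hwid_matches(hwid, device_class_id):
    """Heuristic (assumed): setupapi logs IDs lower-cased with vendor/product/revision
    run together (usbstor\\disksandisk_u3_cruzer_micro_3.27), so match those fields."""
    fields = dict(f.split("_", 1) for f in device_class_id.split("&")[1:] if "_" in f)
    return all(fields.get(k, "").lower() in hwid.lower() for k in ("Ven", "Prod", "Rev"))

def usb_history_report(usbstor, mounted_devices, device_classes, log_text):
    """One record per USBSTOR instance: identity, drive letters, first/last seen."""
    last_write = {}  # instance ID or ParentIdPrefix -> key LastWrite (UTC)
    for name, ft in device_classes.items():
        k = parse_device_class_key(name)
        last_write[k.get("instance_id") or k["parent_id_prefix"]] = filetime_to_utc(ft)
    installs = first_install_events(log_text)
    report = []
    for class_id, instances in usbstor.items():
        first = [t for t, ids in installs if any(hwid_matches(h, class_id) for h in ids)]
        for inst, values in instances.items():
            pip = values.get("ParentIdPrefix")
            letters = []
            for name, data in mounted_devices.items():
                target = mounted_device_target(data) if name.startswith("\\DosDevices\\") else None
                if target and volume_link_id(target) in (pip, inst):
                    letters.append(name[len("\\DosDevices\\"):])
            report.append({"device_class_id": class_id, "instance_id": inst,
                           "serial_from_device": not is_system_generated_id(inst),
                           "parent_id_prefix": pip, "drive_letters": letters,
                           "first_install_local": min(first) if first else None,
                           "disk_last_write_utc": last_write.get(inst),
                           "volume_last_write_utc": last_write.get(pip)})
    return report

# Constructed sample input (not from a real system), modelled on the page's example.
SETUPAPI_LOG = """[2007/06/10 21:25:41 1140.8 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\disksandisk_u3_cruzer_micro_3.27,usbstor\\disksandisk_u3_cruzer_micro
"""
USBSTOR = {"Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27":
           {"0000161511737EFB&0": {"ParentIdPrefix": "7&2c9a320d&0"}}}
MOUNTED_DEVICES = {  # value name -> REG_BINARY data; C: is a fixed disk, F: the USB volume
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4") + (32256).to_bytes(8, "little"),
    "\\DosDevices\\F:": ("\\??\\STORAGE#RemovableMedia#7&2c9a320d&0&RM#"
                         + VOLUME_CLASS_GUID).encode("utf-16-le")}
DEVICE_CLASSES = {  # subkey name -> key LastWrite time as FILETIME
    "##?#USBSTOR#Disk&Ven_SanDisk&Prod_U3_Cruzer_Micro&Rev_3.27#0000161511737EFB&0#"
    + DISK_CLASS_GUID: 128261088000000000,
    "##?#STORAGE#RemovableMedia#7&2c9a320d&0&RM#" + VOLUME_CLASS_GUID: 128261088600000000}
```

Calling usb_history_report(USBSTOR, MOUNTED_DEVICES, DEVICE_CLASSES, SETUPAPI_LOG) on the sample yields one record tying instance 0000161511737EFB&0 to drive F: via ParentIdPrefix 7&2c9a320d&0, with the first installation at 2007-06-10 21:25:41 local time and the Disk/Volume key LastWrite times in UTC. On real evidence, feed it the key names, REG_BINARY data and key LastWrite times exported from the SYSTEM hive by a hive parser (python-registry, for instance); convert one side of the local/UTC split before comparing first and last connection times.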
 
----

You can view a history of the USB devices plugged into a Windows system (Windows 2000/XP/2003/Vista) by using [http://www.nirsoft.net/utils/usb_devices_view.html USBDeview].

To do this, extract the SYSTEM hive file from C:\Windows\System32\config (or the equivalent path on the system being examined).

You can do this from a forensic image (EnCase .e01, raw .dd, etc.) by exporting the "SYSTEM" file from the image to a local path.

Once this is complete, open a command prompt and run USBDeview against the extracted hive. Example:

  usbdeview.exe /regfile "c:\case number\system"

This provides information including the device name, description, last plug/unplug date and time, serial number, etc.

[[Category:Howtos]]
