-
-
USB-Device-Forensics
-
USB Device Forensics By: Janet Smith Modern USB storage devices can carry the digitized contents of the entire library of congress in the palm of a hand. The major convince allow shuttling presentations, software or any other type of code between computers; however these devices can be used for a nefarious purpose. It can be used for data exfiltration, which is essentially the transfer of information to an unauthorized party. When a business has confidential information, it is at risk of data exfiltration. This data includes formulas, plans, designs, sales data, customer list and many others. Any information giving a competitor an advantage can be exfiltrated. Once data is compromised, security and legal professionals turn to computer forensic examiners. These digital investigators rely on a myriad of tools and techniques to uncover digital evidence and trace the steps of cybercriminals. USB data exfiltration leaves behind a range of digital traces from the windows registry to various log files. Let’s explore some of those valuable artifacts. The computer forensics examiner seeks to reconstructing a timeline of when external devices were attached to the system. The USB device connection timestamps reside in the registry, event logs, or other system records. This timeline helps investigators understand the sequence of events leading to the data exfiltration or breach. Before diving into how to recreate a timeline, it is helpful to understand why the Windows registry exists. The Windows Registry is a centralized hierarchical database that stores configuration settings and options for the Microsoft operating system. It serves as a repository for information about the system's hardware, software, user preferences, and system settings. The Registry is used by the Windows operating system and applications to access and store configuration data in a structured and organized manner. In forensics investigation the windows registry contains a host of important information. Microsoft didn’t create the registry to make an investigator’s job easier. It was created to store a variety of information such as: Configuration Settings: The Registry stores a wide range of configuration settings for the operating system and installed applications. This includes information about device drivers, system settings, application preferences, a list of devices, which has been connected. User Profiles: User-specific settings are stored in the Registry, allowing each user to have their own custom configurations, preferences, and desktop settings. System Information: The Registry contains information about the system's hardware, installed software, and other system-related details. This information is used by the operating system and applications to interact with the hardware and software components effectively. Application Settings: Many applications store their configuration settings in the Registry. This allows for a centralized location where applications can retrieve their specific settings. Just to name a few. The computer forensic examiner uses this information to unearth digital traces which are left behind by connected removable store devices. The first step is to locate the files containing the windows registry. This may variety depending on the operating system but they are usually located within the Windows\System32\config directory. The specific files are:
To open and view the contents of Windows Registry files, you can export the data from the forensic image and use native windows tools in order to view this information or you can use purpose built forensics tools. Let’s begin with the tool built into the windows operating system known as regedit. Here are the steps to open Windows Registry files: Open the Run dialog:
Once opened the following registry hives are available. In the Windows Registry, specifically under the "HKEY_CLASSES_ROOT" (often abbreviated as HKCR) hive, you'll find information related to file associations and class registrations. HKEY_CLASSES_ROOT HKEY_CLASSES_ROOT (often abbreviated as HKCR) hive contains file associations and class registrations. This hive is a merged view of two other hives: HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes. File Associations: Information about which applications are associated with specific file types. For example, it may specify that .txt files are associated with Notepad. COM Objects: Information about Component Object Model (COM) objects and their associated ProgIDs (Programmatic Identifiers). COM objects are used for software components and inter-process communication. Shell Commands: Information about context menu entries and shell commands associated with specific file types or classes. File Type Icons: Information about the icons associated with different file types. Class Identifiers (CLSID): GUIDs that represent specific classes or objects in the system. Extensions: Information about file extensions and their associated file types. MIME Types: Information about Multipurpose Internet Mail Extensions (MIME) types used for identifying file types on the internet. HKEY_CURRENT_USER The HKEY_CURRENT_USER (often abbreviated as HKCU) hive in the Windows Registry contains configuration information specific to the currently logged-in user. This hive is dynamic and changes based on the user who is currently logged in. Here are some types of data you can find under HKEY_CURRENT_USER: User-specific Settings: Preferences and settings for the currently logged-in user, such as desktop background, screen saver settings, window positions, and more. Software Configuration: Configuration settings for software applications that are installed on a per-user basis. This is where applications may store user-specific preferences and settings. Explorer Settings: Settings related to Windows Explorer, including folder view options, recent documents, and other file management preferences. Control Panel Settings: Some settings related to the Control Panel and its components. Network Configuration: User-specific network configurations, such as mapped network drives and printers. Environment Variables: User-specific environment variables that affect the behavior of applications launched by that user. Security Settings: User-specific security settings and permissions. Start Menu and Taskbar Configuration: Settings related to the Start menu and the taskbar. Run History: Information about previously run commands and applications. Default Printer: The default printer selected by the user. HKEY_LOCAL_MACHINE: System Information: Hardware and system-related information, such as details about the installed processors, memory, and devices. Software Configuration: System-wide configuration settings for installed software applications. This is where applications often store settings that are common to all users on the machine. Device Drivers: Configuration settings and information about installed device drivers. Security Settings: System-wide security settings, including policies, authentication, and authorization settings. Windows Components: Configuration settings for various Windows components, such as the Windows Update service, Windows Firewall, and more. File Associations: Default file associations and settings that apply to all users on the machine. Services: Configuration information for installed services on the system. Networking Configuration: Settings related to networking, including TCP/IP configuration and network protocols. Performance Data: Performance-related information, including counters and settings. Setup Information: Information related to the Windows setup process and installed components. Uninstall Information: Information about installed programs and their uninstallation procedures. Power Settings: System-wide power management settings. HKEY_USERS: User Profiles: Each subkey under HKEY_USERS represents a user profile on the system. These subkeys are named using the Security Identifier (SID) of each user. User-specific Settings: Preferences and settings for individual user profiles, similar to those found under HKEY_CURRENT_USER. These settings are specific to each user. Environment Variables: User-specific environment variables that affect the behavior of applications launched by that user. Explorer Settings: User-specific settings related to Windows Explorer, including folder view options, recent documents, and other file management preferences. Control Panel Settings: Some user-specific settings related to the Control Panel and its components. Network Configuration: User-specific network configurations, such as mapped network drives and printers. Software Configuration: Configuration settings for software applications that are installed on a per-user basis. Security Settings: User-specific security settings and permissions. Run History: Information about previously run commands and applications for each user. Printers: User-specific printer settings. HKEY_CURRENT_CONFIG: The HKEY_CURRENT_CONFIG is a symbolic link to the current hardware profile under HKEY_LOCAL_MACHINE File Associations: Information about which applications are associated with specific file types. For example, it may specify that .txt files are associated with Notepad. COM Objects: Information about Component Object Model (COM) objects and their associated ProgIDs (Programmatic Identifiers). COM objects are used for software components and inter-process communication. Shell Commands: Information about context menu entries and shell commands associated with specific file types or classes. File Type Icons: Information about the icons associated with different file types. Class Identifiers (CLSID): GUIDs that represent specific classes or objects in the system. Extensions: Information about file extensions and their associated file types. MIME Types: Information about Multipurpose Internet Mail Extensions (MIME) types used for identifying file types on the internet. |