USB Forensics

In this article we will learn how to perform forensics on USB devices: how to correlate a USB device with the drive letter it was assigned, and how to see at what time the USB device was plugged in and unplugged. This article may be very useful for military forces, as they can easily note the time when a particular USB device was plugged in.

Whenever a forensic investigator examines a USB device, they should look into two important registry keys. These are:

1) HKLM\SYSTEM\MountedDevices

2) HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

The first key lists all mounted and removable devices, as values named in the form “\DosDevices\<drive letter>:”. The figure below illustrates this.

Each DWORD value (here under “\DosDevices\”) holds data in hex form. To read it, the forensic investigator has to open the value. If the data begins with “\??\STORAGE#RemovableMedia#”, the device associated with this drive letter was a removable/USB device. Let us look at this more closely with the help of the figure. The figure below shows the “\DosDevices\I:” value opened, and it is a removable/USB device.

A couple of points to notice in this figure:

1) The value opened is “\DosDevices\I:”.

2) The data of this value starts with “\??\STORAGE#RemovableMedia#”, so we can conclude that this drive letter was assigned to a removable/USB device.

3) The Parent ID prefix in this case is 7&25bb518e&0. This value is very important: we will use it to learn more about the USB device that was connected to the suspect machine.

Our work with “HKLM\SYSTEM\MountedDevices” is done. Now let us move to the other key and get more information out of it. The other key is

HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

When the USBSTOR key is expanded, there will be subkeys under it, named in the form Disk&Ven&Prod&Rev. An example is shown in the figure.

Under each of these keys is a subkey named after the serial number of the device. If the device has no serial number, the Plug and Play manager assigns one to it. We now expand that subkey and look for the Parent ID prefix. I expanded the subkey and found the Parent ID prefix there; a screenshot is given below.

We can now confirm that this device was connected to the machine and that the drive letter assigned to it was I:.
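The correlation described above (read each “\DosDevices\X:” value, recognise the removable-media prefix, pull out the Parent ID prefix, and match it against the USBSTOR serial-number subkeys) can be scripted. The following Python is an added example, not code from the original article; it works on constructed in-memory copies of the two keys rather than a live hive. The Parent ID prefix 7&25bb518e&0 is the one from the article; the vendor, product, serial and friendly-name strings are made up. It also goes one step beyond the article: on Windows Vista and later the MountedDevices data for a USB disk takes the form “_??_USBSTOR#Disk&Ven_...#<serial>#{GUID}” and USBSTOR no longer carries a ParentIdPrefix value, so the serial is taken straight from the path instead; that second form is handled as well.

```python
"""Correlate \\DosDevices\\X: values in HKLM\\SYSTEM\\MountedDevices with USBSTOR entries.

Added example; all sample registry contents below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# XP-style removable-media path: \??\STORAGE#RemovableMedia#<ParentIdPrefix>&RM#{GUID}
XP_REMOVABLE = re.compile(
    r"^\\\?\?\\STORAGE#RemovableMedia#(?P<parent>\d+&[0-9a-f]+&\d+)&RM#", re.IGNORECASE
)
# Vista-and-later path: _??_USBSTOR#<Disk&Ven_..&Prod_..&Rev_..>#<serial>#{GUID}
VISTA_USBSTOR = re.compile(
    r"^_\?\?_USBSTOR#(?P<devkey>Disk&Ven_[^#]+)#(?P<serial>[^#]+)#\{", re.IGNORECASE
)


@dataclass
class UsbMount:
    drive: str
    parent_id_prefix: Optional[str] = None  # only present in XP-style entries
    device_key: Optional[str] = None        # USBSTOR key: Disk&Ven_...&Prod_...&Rev_...
    serial: Optional[str] = None            # USBSTOR subkey: device serial (or PnP-assigned id)
    friendly_name: Optional[str] = None


def decode_mounted_value(data: bytes) -> Optional[str]:
    """MountedDevices data is REG_BINARY. Removable entries hold UTF-16LE text; fixed
    disks hold a 12-byte MBR signature + partition offset, which never decodes to a
    recognisable device prefix, so it is rejected here rather than mis-parsed."""
    if len(data) % 2:
        return None
    text = data.decode("utf-16-le", errors="replace")
    return text if text.startswith(("\\??\\", "_??_")) else None


def parse_dos_device(name: str, data: bytes) -> Optional[UsbMount]:
    """Return a UsbMount if this \\DosDevices\\X: value points at a USB/removable device."""
    if not name.startswith("\\DosDevices\\"):
        return None  # \??\Volume{GUID} names are skipped; only drive letters interest us
    text = decode_mounted_value(data)
    if text is None:
        return None
    drive = name.rsplit("\\", 1)[1]
    m = XP_REMOVABLE.match(text)
    if m:
        return UsbMount(drive=drive, parent_id_prefix=m.group("parent"))
    m = VISTA_USBSTOR.match(text)
    if m:
        return UsbMount(drive=drive, device_key=m.group("devkey"), serial=m.group("serial"))
    return None


def correlate(mounted: Dict[str, bytes],
              usbstor: Dict[str, Dict[str, Dict[str, str]]]) -> Dict[str, UsbMount]:
    """Map each USB drive letter to its USBSTOR device key and serial subkey.
    XP entries are matched through ParentIdPrefix; Vista+ entries already carry the serial."""
    by_parent = {}
    for devkey, instances in usbstor.items():
        for serial, values in instances.items():
            if "ParentIdPrefix" in values:
                by_parent[values["ParentIdPrefix"].lower()] = (devkey, serial)
    result: Dict[str, UsbMount] = {}
    for name, data in mounted.items():
        mount = parse_dos_device(name, data)
        if mount is None:
            continue
        if mount.parent_id_prefix and mount.parent_id_prefix.lower() in by_parent:
            mount.device_key, mount.serial = by_parent[mount.parent_id_prefix.lower()]
        inst = usbstor.get(mount.device_key or "", {}).get(mount.serial or "")
        if inst:
            mount.friendly_name = inst.get("FriendlyName")
        result[mount.drive] = mount
    return result


def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed sample of HKLM\SYSTEM\MountedDevices (value name -> REG_BINARY data).
MOUNTED_DEVICES = {
    r"\DosDevices\C:": bytes.fromhex("a1b2c3d4" + "00" * 8),  # fixed disk: signature + offset
    r"\DosDevices\I:": _u16(r"\??\STORAGE#RemovableMedia#7&25bb518e&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"),
    r"\DosDevices\E:": _u16(r"_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP#0019E06B2A02&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"),
    r"\??\Volume{1c2d3e4f-0000-0000-0000-000000000000}": _u16(r"\??\STORAGE#RemovableMedia#7&25bb518e&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"),
}

# Constructed sample of HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (key -> serial subkey -> values).
USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00": {
        "4C530001234567890123&0": {"ParentIdPrefix": "7&25bb518e&0",
                                   "FriendlyName": "SanDisk Cruzer USB Device"},
    },
    "Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP": {
        "0019E06B2A02&0": {"FriendlyName": "Kingston DataTraveler USB Device"},  # no ParentIdPrefix
    },
}

if __name__ == "__main__":
    for drive, m in sorted(correlate(MOUNTED_DEVICES, USBSTOR).items()):
        print(f"{drive} -> {m.device_key} / {m.serial} ({m.friendly_name}) parent={m.parent_id_prefix}")
```

On a live Windows host the same (name, data) pairs can be fed to correlate() from winreg.EnumValue over HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices, and the USBSTOR dictionary from winreg.EnumKey over the Enum\USBSTOR key; for an offline hive an extracted SYSTEM file read with a registry-parsing library yields the same structures. Note that MountedDevices only ever stores the most recent device for a given letter, so a letter that was reused will show only its last occupant.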

If we want more information about the connected device, including the last plug/unplug time, we can use a dedicated tool such as “USBDeview”, which can be found here. A screenshot is given below.

I hope this article helps forensic investigators in their cases. Enjoy experimenting.

4 comments

Hi Niiconsulting,

Nice article, but unfortunately Figure 4 and Figure 5 are not accessible.

BG
Stefan

It appears the USBDeview link is missing. The URL for those interested is:
http://www.nirsoft.net/utils/usb_devices_view.html

On old W2K systems there were a couple of very helpful events, 134 and 135, in the System event log which let us know whenever a USB removable device was plugged/unplugged (date & time). Is there something similar on XP and Vista?

Nice article, but I found the “HKLM/System/CurrentControlSet/enum/USBSTOR” data different on the Vista OS.
