Scribd Logo
Upload

Welcome to Scribd!

  • Profile Windows XP USB Keys/Thumbdrives

    Uploaded by

    Speedoorlock
    27 views4 pages
    USB Fields records for Windows XP

    Original Title

    Usbkey Guide

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    USB Fields records for Windows XP

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    27 views4 pages

    Profile Windows XP USB Keys/Thumbdrives

    Uploaded by

    Speedoorlock
    USB Fields records for Windows XP

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    ProfileWindowsXPUSBKeys/Thumbdrives

    XPUSB KEY/Thumbdrive
    1.WriteDownVendor,Product,Version
    SYSTEM\CurrentControlSet\Enum\USBSTOR
    Vendor=
    Product=
    Version=
    2.WriteDownSerialNumbers
    SYSTEM\CurrentControlSet\Enum\USBSTOR
    SerialNumber=
    3.DetermineParentPrefixID
    SYSTEM\CurrentControlSet\Enum\USBSTOR
    ParentPrefixID=
    4.DetermineVendorID(VID)andProduct(PID)
    VID_XXXX =
    SYSTEM\CurrentControlSet\Enum\USB ->
    PID_YYYY
    =
    PerformsearchforS/N
    5.DetermineDriveLetterDeviceMappedTo
    SYSTEM\MountedDevices-> Performsearchfor
    Drive=
    ParentPrefixIDintheDriveLetter
    6.WriteDownVolumeGUIDs
    SYSTEM\MountedDevices-> PerformSearchfor {GUID}=
    ParentPrefixIDintheGUIDs
    7.FindUserThatUsedTheSpecificUSBDevice
    NTUSER.DAT\Software\Microsoft\Windows\ User=
    CurrentVersion\Explorer\MountPoints2->
    SearchforDeviceGUID
    8.DiscoverFirstTimeDeviceConnected
    C:\Windows\setupapi.log >Performsearch
    Time/Timezone=
    forSerialNumber

    9.DetermineFirstTimeDeviceConnectedAfterLastReboot
    SYSTEM\CurrentControlSet\Control\Devic Time/Timezone=
    eClasses\{53f56307-b6bf-11d0-94f200a0c91efb8b}-> PerformsearchforS/N
    or
    SYSTEM\CurrentControlSet\Enum\USB\
    VID_XXXX&PID_YYYY -> PerformsearchforSerial
    Number(LastWrittenTimeofSerialNumberKey)
    10.DetermineLastTimeDeviceConnected
    NTUSER//Software/Microsoft/Windows/Cur Time/Timezone=
    rentVersion/Explorer/MountPoints2/{GUI
    D} -> PerformsearchforDevice{GUID}

    http://forensics.sans.org
    http://twitter.com/sansforensics

    ProfileVISTAUSBKey/Thumbdrives

    VISTAUSBKEY/Thumbdrive
    1.WriteDownVendor,Product,Version
    SYSTEM\CurrentControlSet\Enum\USBSTOR
    Vendor=
    Product=
    Version=
    2.WriteDownSerialNumbers
    SYSTEM\CurrentControlSet\Enum\USBSTOR
    SerialNumber=
    3.DetermineVendorID(VID)andProduct(PID)
    VID_XXXX =
    SYSTEM\CurrentControlSet\Enum\USB ->
    PID_YYYY
    =
    PerformsearchforS/N
    4.WriteDownVolumeGUIDs
    SYSTEM\MountedDevices-> PerformSearchfor
    GUID=
    SerialNumber
    5.DetermineDriveLetterandVolumeNameDeviceMappedTo
    SOFTWARE\Microsoft\Windows Portable
    DriveLetter=
    Devices\Devices-> PerformSearchforSerial
    VolumeName=
    NumberandMatchwithVolumeName
    6.FindUserThatUsedTheSpecificUSBDevice
    NTUSER.DAT\Software\Microsoft\Windows\C User=
    urrentVersion\Explorer\MountPoints2->
    SearchforDeviceGUID
    7.DiscoverFirstTimeDeviceConnected
    C:\Windows\inf\setupapi.dev.log >Perform Time/Timezone=
    searchforSerialNumber
    8.DetermineFirstTimeDeviceConnectedAfterLastReboot
    SYSTEM\CurrentControlSet\Enum\USBSTOR\
    Time/Timezone=
    Vendor_Product_Version -> Performsearchfor
    SerialNumber(LastWrittenTimeofSerialNumberKey)
    or
    SYSTEM\CurrentControlSet\Control\Device
    Classes\{53f56307-b6bf-11d0-94f200a0c91efb8b}-> PerformsearchforS/N(Last
    WrittenTimeofKeythathasSerialNumberand
    Vendor/Product/Revision)
    9.DetermineLastTimeDeviceConnected
    SYSTEM\CurrentControlSet\Enum\USB\
    Time/Timezone=
    VID_XXXX&PID_YYYY -> PerformsearchforSerial
    Number(LastWrittenTimeofSerialNumberKey)
    or
    NTUSER//Software/Microsoft/Windows/Curr
    entVersion/Explorer/MountPoints2/{GUID}
    -> PerformsearchforDevice{GUID}
    http://forensics.sans.org
    http://twitter.com/sansforensics

    ProfileWindows7USBKeys/Thumbdrives

    Win7USBKey/Thumbdrive
    1.WriteDownVendor,Product,Version
    SYSTEM\CurrentControlSet\Enum\USBSTOR
    Vendor=
    Product=
    Version=
    2.WriteDownSerialNumbers
    SYSTEM\CurrentControlSet\Enum\USBSTOR
    SerialNumber=
    3.DetermineVendorID(VID)andProduct(PID)
    SYSTEM\CurrentControlSet\Enum\USB ->
    VID_XXXX =
    PID_YYYY =
    PerformsearchforS/N
    4.DetermineDriveLetterDeviceMappedTo
    SYSTEM\MountedDevices-> Performsearchfor
    Drive=
    SerialNumberintheDriveLetters
    5.WriteDownVolumeGUIDs
    SYSTEM\MountedDevices-> PerformSearchfor
    GUID=
    SerialNumberintheGUIDs
    6.FindUserThatUsedTheSpecificUSBDevice
    NTUSER.DAT\Software\Microsoft\Windows\C User=
    urrentVersion\Explorer\MountPoints2->
    SearchforDeviceGUID
    7.DiscoverFirstTimeDeviceConnected
    C:\Windows\inf\setupapi.dev.log >Perform Time/Timezone=
    searchforSerialNumber
    8.DetermineFirstTimeDeviceConnectedAfterLastReboot
    SYSTEM\CurrentControlSet\Enum\USBSTOR\
    Time/Timezone=
    Vendor_Product_Version -> Performsearchfor
    SerialNumber(LastWrittenTimeofSerialNumberKey)
    or
    SYSTEM\CurrentControlSet\Control\Device
    Classes\{53f56307-b6bf-11d0-94f200a0c91efb8b}-> PerformsearchforS/N(Last
    WrittenTimeofKeythathasSerialNumberand
    Vendor/Product/Revision)
    9.DetermineLastTimeDeviceConnected
    SYSTEM\CurrentControlSet\Enum\USB\
    Time/Timezone=
    VID_XXXX&PID_YYYY -> PerformsearchforSerial
    Number(LastWrittenTimeofSerialNumberKey)
    or
    NTUSER//Software/Microsoft/Windows/Curr
    entVersion/Explorer/MountPoints2/{GUID}
    -> PerformsearchforDevice{GUID}
    http://forensics.sans.org
    http://twitter.com/sansforensics

    http://forensics.sans.org
    http://twitter.com/sansforensics

    You might also like