Scribd Logo
Upload

Welcome to Scribd!

  • USB Device Tracking Artifacts On Windows 7

    Uploaded by

    Shafeeque Olassery Kunnikkal
    128 views4 pages
    This document outlines USB device artifacts found on Windows 7 systems, including the registry keys and paths where related information can be found. It describes artifacts like the vendor/product name, version, serial number, volume label, drive letter, volume GUID, user name, first connection time, first connection time after booting, and last connection time. It also provides information on correlating device connections to specific user profiles by examining the NTUSER.DAT hive and MountPoints2 key within individual user profiles.

    Original Description:

    USB Device Tracking Artifacts on Windows

    Original Title

    USB Device Tracking Artifacts on Windows 7

    Copyright

    © © All Rights Reserved

    Available Formats

    DOC, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document outlines USB device artifacts found on Windows 7 systems, including the registry keys and paths where related information can be found. It describes artifacts like the vendor/product name, version, serial number, volume label, drive letter, volume GUID, user name, first connection time, first connection time after booting, and last connection time. It also provides information on correlating device connections to specific user profiles by examining the NTUSER.DAT hive and MountPoints2 key within individual user profiles.

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    128 views4 pages

    USB Device Tracking Artifacts On Windows 7

    Uploaded by

    Shafeeque Olassery Kunnikkal
    This document outlines USB device artifacts found on Windows 7 systems, including the registry keys and paths where related information can be found. It describes artifacts like the vendor/product name, version, serial number, volume label, drive letter, volume GUID, user name, first connection time, first connection time after booting, and last connection time. It also provides information on correlating device connections to specific user profiles by examining the NTUSER.DAT hive and MountPoints2 key within individual user profiles.

    Copyright:

    © All Rights Reserved
    Download as DOC, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 4

    USB Device Tracking Artifacts on Windows 7,

    Artifacts

    Path

    Vendor & Product


    Name, Version

    HKLM\SYSTEM\ControlSet00#\Enum\USBSTOR\Disk&Ven_{
    Vendor Name}&Prod_{Product Name}&Rev_{Version}

    Vendor ID, Product HKLM\SYSTEM\ControlSet00#\Enum\USB\VID_{Vendor


    ID
    ID}&PID_{Product ID}
    check the sub key 'Device Parameters' to match with
    above USBSTOR key for the specific Product.
    Serial Number

    HKLM\SYSTEM\ControlSet00#\Enum\USB\{Vendor ID & Product


    ID}\{Serial Number}
    HKLM\SYSTEM\ControlSet00#\Enum\USBSTOR\{Device Class ID}\
    {Serial Number}&#

    Volume Serial
    Number

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\
    _??_USBSTOR#{Device Class ID}#{Unique Instance ID}#{GUID}
    {Volume Label}_{Volume Serial Number}

    Volume Label

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\
    _??_USBSTOR#{Device Class ID}#{Unique Instance ID}#{GUID}
    {Volume Label}_{Volume Serial Number}
    HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\
    {Device Entry}\FriendlyName (value)
    HKLM\System\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device
    Entry}\FriendlyName (value)

    Drive Letter

    HKLM\System\MountedDevices (search for serial number)


    HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\
    {Device Entry}\FriendlyName (value)
    HKLM\System\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device
    Entry}\FriendlyName (value)

    Volume GUID

    HKLM\SYSTEM\MountedDevices\\??\Volume{Volume GUID} (search


    for serial number)

    User Name

    HKU\
    {USER}\Software\Microsoft\Windows\CurrentVersion\Explorer\M
    ountPoints2\{Volume GUID}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
    \Explorer\MountPoints2

    With the drives GUID in hand examination will now focus on


    the individual user profiles on the machine. Inside each
    users profile folder (C:\Users) there will be an NTUSER.DAT
    file. This file is what gets accessed as HKEY_CURRENT_USER
    whenever its owner logs into the system. As a result, this
    file can be opened with the system registry editor with
    administrative permissions. In order to tie a user to a
    particular device you will need to browse to the following
    directory within the NTUSER.DAT hive:
    Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoi
    nts2. Here you can search for the GUID of the device in
    question. If it is found, then that user was logged in when
    that device was inserted into the system. Keep in mind that
    this search must be performed for every user on the system
    when attempting this type of correlation.

    First Connection
    Time
    (Last Written Time in
    registry key)

    %SystemRoot%\inf\Setupapi.dev.log search for Serial


    Number
    HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{10497B1BBA51-44E5-8318-A65C837B6661}\{Sub Keys}
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\
    {Device Entry}
    HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\
    {Device Entry}

    First Connection
    Time
    After Booting
    (Last Written Time in
    registry key)

    HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{53F56307B6BF-11D0-94F2-00A0C91EFB8B}\{Sub Keys}
    HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{53F5630DB6BF-11D0-94F2-00A0C91EFB8B}\{Sub Keys}
    HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{6AC27878A6FA-4155-BA85-F98F491D4F33}\{Sub Keys}
    HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{A5DCBF106530-11D2-901F-00C04FB951ED}\{Sub Keys}
    HKLM\SYSTEM\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device
    Entry}

    Last Connection
    Time
    (Last Written Time in
    registry key)

    HKLM\SYSTEM\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device
    Entry}\Device Parameters
    HKU\
    {USER}\Software\Microsoft\Windows\CurrentVersion\Explorer\M
    ountPoints2\{Volume GUID}
    To determine the most recent time a drive was connected to
    a system. In order to access this information we will once
    again look into the registry at
    HKLM/System/CurrentControlSet\Enum\USB\VID_12345&PID_12345,
    substituting 12345 for the USB devices Vendor and Product
    ID (obtained earlier in this article). Here, you can export
    the registry key as a text file to view the last write time
    of the key. This is done by clicking File, and then Export

    from within regedit while the key is selected.

    Tools:
    https://tzworks.net/prototype_page.php?proto_id=13 commercial software
    USBDevview - nirsoft

    You might also like