Real Cyber Crime

ramblings of a cyber professional
Deep Dive – USB Analysis Process for Windows 7

Posted on May 25, 2017 (updated July 11, 2018) by RealCyberCrime

USB analysis is a common task in administrative, cybersecurity, and criminal investigations of Windows machines. Since Windows 7 is probably the most common OS in enterprise environments right now, I’ve focused on it below.

More than anything I’ve just created this for my own reference 🙂

The Tools:

  • AccessData’s FTK Imager is a great tool for extracting registry hive files (Windows keeps the live hives locked, so they have to be exported from the running system or from a disk image rather than simply copied).
  • Harlan Carvey’s (author of Windows Registry Forensics) RegRipper tool is awesome at parsing registry hives into text files for easier analysis.
  • Digital Detective’s DCode is a great utility for decoding the various date/time formats (Windows FILETIME, Unix epoch, etc.) found inside data files.
  • Windows Regedit is a built-in utility that enables you to view, search for, and change settings in your system registry, and it can load an extracted hive for viewing (File > Load Hive).

The Process:

  1. Write down vendor, product, version, and serial number
  2. Write down Vendor ID (VID) and Product ID (PID)
  3. Write down Volume GUIDs
  4. Write down Drive Device Letter
  5. Write down Volume Name
  6. Write down Volume Serial Number
  7. Find the user that used that specific USB device
  8. Determine First Time Device Connected
  9. Determine Last Time Device Connected
  10. Determine Time Device Removed

Here you go:

1. Write down vendor, product, version, and serial number (SYSTEM hive -> USBSTOR)

  • SYSTEM\CurrentControlSet\Enum\USBSTOR
    • Each subkey is named Disk&Ven_<vendor>&Prod_<product>&Rev_<version>, and its own subkey is the device serial number (the USB iSerial, followed by “&0”).
    • If “&” is the 2nd character of the serial number, then it’s not unique: the device reported no iSerial, so Windows generated an instance ID instead. Probably a cheap USB (think “Made in China”) that doesn’t follow the USB spec, and that ID cannot be matched across machines.
  • Next Step: The serial number will be referenced in the SYSTEM\CurrentControlSet\Enum\USB registry key.

2. Write down Vendor ID (VID) and Product ID (PID)

  • SYSTEM\CurrentControlSet\Enum\USB
    • Subkeys are named VID_XXXX&PID_YYYY (hex vendor and product IDs). Under each is a subkey named after the serial number from step 1, and that key’s LastWrite time is a last-connected indicator (see step 9).
    • VID_XXXX
    • PID_YYYY
  • Next Step: The serial number will also be referenced in SYSTEM\MountedDevices and in the SOFTWARE\Microsoft\Windows Portable Devices\Devices registry key.

3. Write down Volume GUIDs

  • SYSTEM\MountedDevices
    • Value names of the form \??\Volume{GUID} give the volume GUID. For a USB device the value data is a UTF-16 string containing the USBSTOR device path and serial number from step 1, which is how you tie the GUID to the device.
  • Next Step: Stay on the “MountedDevices” key (for the drive letter) or pull NTUSER.DAT for recent docs.

4. Write down Drive Device Letter

  • Multiple locations/methods, but difficult to explain concisely. See the Windows Internals book for details.
    • SYSTEM\MountedDevices: a \DosDevices\X: value whose data matches a \??\Volume{GUID} value byte for byte is that volume’s drive letter (RegRipper didn’t work for me on this, RegEdit makes more sense)
    • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
    • Perform a search for the volume name via shortcut file analysis (LNK files record the drive letter, volume label and volume serial number of the drive a file was opened from)
  • Next Step: The serial number will be referenced again as we move to the SOFTWARE hive

5. Write down Volume Name

  • SOFTWARE\Microsoft\Windows Portable Devices\Devices
    • Subkey names contain the device path and serial number; the FriendlyName value gives the volume name (label) the USB device had when it was plugged into the machine
  • Next Step: Stay in the SOFTWARE hive and go to the EMDMgmt key

6. Write down Volume Serial Number

  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
    • Subkey names end with the volume label and the Volume Serial Number (VSN) in decimal (e.g. …MYLABEL_1234567890)
    • Convert that decimal value to hex to get the XXXX-XXXX form that “vol”, LNK files and most logs show, and then search for it
    • EMDMgmt is maintained by ReadyBoost, so the key may be empty on systems where ReadyBoost is disabled (an SSD system drive, for example)
  • A disk format changes the volume’s serial number, so a VSN that no longer matches may simply mean the drive was reformatted

7. Write down the user that used the USB device

  • NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • Visit each user’s NTUSER.DAT looking for the volume GUID from step 3; a matching subkey means that user’s profile mounted the device, and the subkey’s LastWrite time is the last time it did so
  • Next Step: Time Analysis

8. Determine First Time Device Connected

  • SYSTEM\CurrentControlSet\Enum\USBSTOR
    • The device’s InstallDate property (property ID 0064 under the serial number key’s Properties\{83da6326-97a6-4088-9453-a1923f573b29} subkey) is a 64-bit Windows FILETIME stored as hex; decode it with DCode (or any FILETIME converter)
  • Plug and Play Log Files
    • XP
      • C:\Windows\setupapi.log
    • Win7 and Win8
      • C:\Windows\inf\setupapi.dev.log
  • Log file times are in the machine’s local time zone (unlike most Windows artifacts, which are UTC), so normalise them before building a timeline
  • Mandiant Highlighter tool helps
    • Search for the device serial number and look for the first “Device Install” entry; its “Section start” line carries the timestamp
  • Next Step: Determine “Last Write” via the serial number

9. Determine Last Time Device Connected

  • SYSTEM\CurrentControlSet\Enum\USB
    • The LastWrite time of the VID_XXXX&PID_YYYY\<serial number> subkey
  • Also: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}
    • That subkey’s LastWrite time (UTC) is the last time that user mounted the volume
  • Last Step: Determine the time the device was removed.

10. Determine Time Device Removed

  • SYSTEM\CurrentControlSet\Enum\USBSTOR
    • The Last Removal Date property (ID 0067 in the same Properties subkey as the InstallDate) is a 64-bit Windows FILETIME in hex (decode with DCode)
    • Caveat: 0066 (Last Arrival Date) and 0067 (Last Removal Date) are only written from Windows 8 onward; on a Windows 7 image expect them to be absent, so removal time normally has to come from other sources
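The mechanical parts of the walk-through above (splitting the USBSTOR instance path and flagging non-unique serials, pulling VID/PID, tying a drive letter to a volume GUID through identical MountedDevices data, turning the EMDMgmt decimal into the XXXX-XXXX volume serial, decoding FILETIME values, and finding the first install in setupapi.dev.log) collected into one offline Python helper. This is an added example, not code from the original post or from any of the tools listed; the key names, serials, GUIDs and log lines are constructed samples shaped like the real artifacts, and the function names are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100 ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_VID_PID = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")
_SECTION_START = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def _serial_from_instance(instance_id):
    """'&' as the 2nd character means Windows generated the ID because the
    device reported no unique iSerial; keep that ID whole and flag it."""
    if len(instance_id) > 1 and instance_id[1] == "&":
        return instance_id, False
    return instance_id.rsplit("&", 1)[0], True


def parse_usbstor_instance(key_path):
    """Step 1: vendor/product/revision/serial from a USBSTOR instance path,
    e.g. 'Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530012345678901234&0'."""
    device_id, instance_id = key_path.split("\\")[-2:]
    fields = dict(p.split("_", 1) for p in device_id.split("&") if "_" in p)
    serial, unique = _serial_from_instance(instance_id)
    return {"vendor": fields.get("Ven", ""), "product": fields.get("Prod", ""),
            "revision": fields.get("Rev", ""), "serial": serial, "unique_serial": unique}


def parse_vid_pid(key_name):
    """Step 2: (vendor_id, product_id) from an Enum\\USB subkey such as 'VID_0781&PID_5567'."""
    m = _VID_PID.search(key_name)
    if not m:
        raise ValueError("no VID_/PID_ pair in %r" % key_name)
    return int(m.group(1), 16), int(m.group(2), 16)


def correlate_mounted_devices(values):
    """Steps 3-4: values maps SYSTEM\\MountedDevices value names to REG_BINARY data.
    USB volumes carry UTF-16LE '_??_USBSTOR#<device>#<instance>#{class guid}'; a
    '\\DosDevices\\X:' and a '\\??\\Volume{...}' name with identical data are the
    same volume, which is what ties the drive letter to the volume GUID."""
    by_data = {}
    for name, data in values.items():
        by_data.setdefault(bytes(data), []).append(name)
    volumes = []
    for data, names in by_data.items():
        text = data.decode("utf-16-le", errors="ignore")
        if "USBSTOR#" not in text:
            continue  # fixed disks store an MBR signature + partition offset instead
        serial, _ = _serial_from_instance(text.split("#")[2])
        volumes.append({
            "serial": serial,
            "drive_letters": [n[-2:] for n in names if n.startswith("\\DosDevices\\")],
            "volume_guids": [n[n.index("{"):n.index("}") + 1] for n in names if "Volume{" in n],
        })
    return volumes


def parse_emdmgmt_key(key_name):
    """Step 6: an EMDMgmt subkey name ends in '<volume label>_<VSN in decimal>'.
    Returns (label, VSN in the XXXX-XXXX hex form that 'vol' and LNK files show)."""
    m = re.search(r"\}(.*)_(\d+)$", key_name)
    if not m:
        raise ValueError("unexpected EMDMgmt key name %r" % key_name)
    vsn = "%08X" % int(m.group(2))
    return m.group(1), vsn[:4] + "-" + vsn[4:]


def filetime_to_utc(value):
    """Steps 8-10: decode a 64-bit FILETIME (int, hex string, or the 8 little-endian
    REG_BINARY bytes from the USBSTOR Properties values) into an aware UTC datetime."""
    if isinstance(value, (bytes, bytearray)):
        value = int.from_bytes(value, "little")
    elif isinstance(value, str):
        value = int(value, 16)
    return _FILETIME_EPOCH + timedelta(microseconds=value // 10)


def first_install_from_setupapi(log_text, serial):
    """Step 8: timestamp of the first 'Device Install' section naming this serial in
    setupapi.dev.log. The log is written in local time, so the result is naive."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        if re.match(r"^>>>\s+\[Device Install", line) and serial in line:
            for nxt in lines[i + 1:i + 4]:
                m = _SECTION_START.match(nxt)
                if m:
                    return datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return None


# Constructed sample artifacts (not from a real system), shaped like the originals.
_USB_DATA = ("_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00#4C530012345678901234&0"
             "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("8e1c63d7007e000000000000"),  # MBR signature + offset
    "\\DosDevices\\E:": _USB_DATA,
    "\\??\\Volume{a1b2c3d4-0000-1111-2222-333344445555}": _USB_DATA,
}
SAMPLE_SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530012345678901234]
>>>  Section start 2017/05/25 07:14:23.456
<<<  Section end 2017/05/25 07:14:24.012
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530012345678901234&0]
>>>  Section start 2017/05/25 07:14:24.102
<<<  Section end 2017/05/25 07:14:25.330
<<<  [Exit status: SUCCESS]
"""

if __name__ == "__main__":
    dev = parse_usbstor_instance("Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\\4C530012345678901234&0")
    print(dev, parse_vid_pid("VID_0781&PID_5567"), correlate_mounted_devices(SAMPLE_MOUNTED_DEVICES))
    print(filetime_to_utc(131401872000000000), first_install_from_setupapi(SAMPLE_SETUPAPI_LOG, dev["serial"]))
```

To use it against a real image, feed the functions the key names and value data exported by RegRipper or Regedit; only the MountedDevices correlation needs raw bytes, everything else works on the key names as text. Keep the setupapi result separate from the registry times until you have applied the machine’s time zone to it.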

Whew! That’s several steps, but hopefully this guide helps you.

Reminders/Tips:

  • Wherever “CurrentControlSet” appears above, remember that it is only a link on a live system. In an extracted SYSTEM hive, use the control set named by the SYSTEM\Select\Current value (e.g. ControlSet001).
  • There are 3 primary USB device classes
    • MSC/UMS (USB Mass Storage), which is the most common and is used in thumb drives, mp3 players, smartphones, etc.; these are the devices that show up under USBSTOR
    • PTP (Picture Transfer Protocol), which is used for cameras, scanners, printers, smartphones, and tablets
    • MTP (Media Transfer Protocol), which is an improvement over PTP and is used on MP3 players, cameras, smartphones, and tablets; PTP/MTP devices don’t get a drive letter, so the MountedDevices and EMDMgmt steps above don’t apply to them

Posted in deep dive
