USB Registry Forensics

Viewing connected devices

Why?
Connected devices may also contain evidence. If a criminal doesn't want their incriminating evidence on the machine, they may instead store it on a USB.

What do I need?
A copy of the following registry hives, all from the same system: SYSTEM, SOFTWARE, NTUSER.DAT
A registry viewing application; Registry Viewer or Registry Explorer will do.

A USB device!

Examples
A criminal has been found to have photos of drugs on their system. EXIF data says that a Nikon camera took them. It would be important to see if a Nikon had been connected at some point, as this points towards the criminal owning the image. Otherwise, an investigator would be suspicious of where the image came from: is this a drug ring?

An employee has recently transferred from one company to another, with short notice. After they leave, the original company has sensitive documents leaked. The employee had access to these. Viewing connected devices may show that the employee had plugged in a USB around the time that they left. This would provide evidence of them leaking the documents.

Where?
To find some basic information about USBs we navigate to:
SYSTEM\ControlSet001\Enum\USBSTOR\

So, I know that the device is a SanDisk USB 3.0.
Highlighted is the serial number.
The & sign suggests it is globally unique (why would this be important…)

Searching for the volume ID (VID) in the USB key
SYSTEM\ControlSet001\Enum\USB\VID_0781&PID_5591
we see:
Note that the serial ID matches.

The Name?
SOFTWARE\Microsoft\Windows Portable Devices\Devices

\SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_SANDISK&PROD_ULTRA_USB_3.0&REV_1.00#4C530001290206109482&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}

Note: that entry is mine, because the serial number 4C530001290206109482 appears in it.
18/09/2018 18:09:00 UTC

It contains the name of the device; in my case, unnamed.
In a criminal case it could literally be called SUSPECT's USB.

What about a Globally Unique ID (GUID)?
Navigate to SYSTEM\MountedDevices

Then search until you can see the serial ID.
So we now know the GUID of the USB is the one highlighted.


Now, if we go to the following: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2

Note: how to get NTUSER.DAT
It is normally hidden; however, by loading a physical image of your machine into FTK Imager, it can be viewed.
Alternatively, with a hard drive that's been acquired, navigate to Windows\Users\*user of choice*\ and then locate the NTUSER.DAT file.

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7855dcbb-bb60-11e8-bb4d-005056c00008} for mine showed:
So the last person to have this was me (George), as it was in my NTUSER.DAT; we can also see the last written time of the device.

Note: the highlighted value is the volume; that's how we found the device in the NTUSER.DAT path.

What else can we find?
Navigate to:
SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Ultra_USB_3.0&Rev_1.00\4C530001290206109482&0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}

Note: the serial number of the device was selected, and under this, Properties and then {83da6326-97a6-4088-9453-a1923f573b29}. You should also have {83da6326-97a6-4088-9453-a1923f573b29}.
This key contains information about the first install, last connection and last removal.

You will have these values:

64: the first install
For mine: 18/09/2018 18:08:59 UTC

66: last connection
19/09/2018 11:24:45 UTC

67: last removal
19/09/2018 11:02:35 UTC


So, what information did we gain?
Device: SanDisk ULTRA USB 3.0
Serial Number: 4C530001290206109482
VID: 0781
PID: 5591
Name of Device: None; D:\
First Write Time: 18/09/2018 18:08:59
GUID: 7855dcbb-bb60-11e8-bb4d-005056c00008
Last User: George
First Connection: 18/09/2018 18:08:59
Last Connection: 19/09/2018 11:24:45 UTC
Last Removal: 19/09/2018 11:02:35 UTC


USB confirmed by VID and PID lookup: VID 0x0781, PID 0x5591: Ultra USB 3.0


Why is the last removal earlier than the last connection? The USB was still plugged in.
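As an added example (not part of the original post), the manual steps above in Python: it parses the USBSTOR device string in the forms seen in the Enum\USBSTOR path, the Windows Portable Devices key and MountedDevices, finds the volume GUID for a serial in MountedDevices data, decodes the 64/66/67 values (8-byte FILETIMEs) into UTC timestamps, and applies the "removal before connection means still plugged in" reading. The registry data here is constructed to match the values quoted in the post, not exported from a real hive.

```python
import re
from datetime import datetime, timedelta, timezone

# USBSTOR device string, both '\'-separated (Enum\USBSTOR key path) and '#'-separated (WPD / MountedDevices)
USBSTOR_RE = re.compile(
    r"Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\#]*)"
    r"[\\#](?P<serial>[^\\#]+?)&(?P<instance>\d+)(?=[\\#]|$)", re.IGNORECASE)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Value names under Properties\{83da6326-97a6-4088-9453-a1923f573b29}, as the post reads them
PROPERTY_NAMES = {0x64: "first_install", 0x66: "last_connection", 0x67: "last_removal"}

def parse_usbstor(text):
    """Return vendor, product, rev, serial and instance from a USBSTOR string, or None."""
    m = USBSTOR_RE.search(text)
    return m.groupdict() if m else None

def filetime_to_utc(raw):
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01) to a UTC datetime."""
    ticks = int.from_bytes(raw, "little")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def decode_timestamps(props):
    """Label the raw 0064/0066/0067 values from the Properties key as UTC datetimes."""
    return {PROPERTY_NAMES[k]: filetime_to_utc(v) for k, v in props.items() if k in PROPERTY_NAMES}

def still_connected(ts):
    """A last removal older than the last connection means the stick was still plugged in at acquisition."""
    return ts["last_removal"] < ts["last_connection"]

def find_volume_guid(mounted_devices, serial):
    """Scan {value name: data} from SYSTEM MountedDevices for the UTF-16LE entry naming this serial."""
    for name, data in mounted_devices.items():
        parsed = parse_usbstor(data.decode("utf-16-le", errors="ignore"))
        if parsed and parsed["serial"] == serial:
            m = re.search(r"Volume\{([0-9a-f-]+)\}", name, re.IGNORECASE)
            return m.group(1) if m else None
    return None

# Constructed sample data mirroring the values quoted in the post (not exported from a real hive).
USBSTOR_PATH = r"Disk&Ven_SanDisk&Prod_Ultra_USB_3.0&Rev_1.00\4C530001290206109482&0\Properties"
SAMPLE_PROPS = {  # tick counts chosen so they decode to the post's three timestamps
    0x64: (131817677390000000).to_bytes(8, "little"),  # 2018-09-18 18:08:59 UTC
    0x66: (131818298850000000).to_bytes(8, "little"),  # 2018-09-19 11:24:45 UTC
    0x67: (131818285550000000).to_bytes(8, "little"),  # 2018-09-19 11:02:35 UTC
}
SAMPLE_MOUNTED = {
    r"\DosDevices\C:": bytes(12),  # fixed-disk entry (signature + offset), not a device string
    r"\??\Volume{7855dcbb-bb60-11e8-bb4d-005056c00008}": (
        "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Ultra_USB_3.0&Rev_1.00#4C530001290206109482&0"
        "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le"),
}
```

Calling parse_usbstor(USBSTOR_PATH), find_volume_guid(SAMPLE_MOUNTED, "4C530001290206109482") and decode_timestamps(SAMPLE_PROPS) reproduces the device, GUID and timestamp rows of the summary, and still_connected() on those timestamps returns True.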
