Hello and welcome back to Windows Registry Forensics, course six: the SYSTEM file, section two, USB device forensics. In this section we are primarily going to be in the SYSTEM hive file, but we are going to look at some of the other hives and correlate the information we find in the SYSTEM file regarding our USB devices.

We're going to look at USB devices and mounted volumes. USB connected devices can be mounted as volumes in the file system. We're going to look at the subkey USBSTOR, which is under CurrentControlSet, Enum and then USBSTOR. We're also going to look at the MountedDevices subkey, which is located at the root, and then MountedDevices. We're going to look at the installation, connection and disconnection times when we look at our USBSTOR key. We're also going to look at a subkey named Properties to find this information. Under Properties you're going to see several GUIDs, and we're looking for the GUID that starts with the highlighted 83DA63.

This is what the layout of USBSTOR is going to look like: the subkey USBSTOR is going to have several subkeys underneath it. These highlighted items are actually the serial numbers of our devices that were connected, and there are three devices here. We're looking at the Ivan image and we can see these serial numbers. We can also see the subkeys Device Parameters and Properties, which we're going to talk about shortly.

Under USBSTOR, when we expand that subkey with the GUID we saw a couple of slides ago, we're going to see some dates and times. This is great in Windows 10: we get a first installed date, which is the date that device was first connected to the machine and installed. We're going to get the last install date, which was the last install time, which may mean the drivers were updated or reinstalled.
We're going to get a last arrival date and time, the last time the device was plugged into the system. And we're going to get the last removal date and time, which is the last time the device was removed from the system. So it's really great that we have these four subkeys. As you can see, they are under that GUID subkey that we saw a couple of slides ago, the one that starts with 83DA63. 0064 is our first install, 0065 is going to be our last install, 0066 is our last arrival date and 0067 is going to be the last removal time. This is very important to remember and it is really some great information. Again, we're talking about when the device was first connected (first installed), the last time the drivers were updated or reinstalled, the last time that device was connected to the system, and the last removal date and time.

We looked at our USBSTOR key and we saw the subkey Device Parameters. Device Parameters has another subkey under it called Partmgr (Partition Manager), and what this is going to contain is a disk ID. We're also going to look at another value in that Partmgr subkey called PartitionTableCache, and this will give us the partition GUID or volume GUID of the device that was plugged in, if it is being viewed as a fixed disk.

So here you can see, underneath USBSTOR, we expand that, we expand the serial number of our device, we expand Device Parameters, and here we have Partmgr. There under the values we have DiskId and we have a GUID in the data section. That disk ID can be searched throughout the registry, and we'll come back to other places in the registry, so we can correlate the information we're finding under this key with other keys located throughout the registry. We're going to take a look at that when we get to the practical part.

Partmgr also has this thing called PartitionTableCache. Now, what is PartitionTableCache? If you're looking at this, we can see "EFI system partition",
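To make the four property timestamps concrete, here is an added Python example (not part of the course material, and not how Registry Explorer does it) that decodes the raw 8-byte values stored under the 0064 to 0067 subkeys. It assumes those values are standard Windows FILETIMEs (a little-endian 64-bit count of 100-nanosecond ticks since 1 January 1601 UTC), spells out the full form of the Properties GUID the lecture abbreviates as 83DA63, and uses the subkey-to-meaning mapping exactly as the lecture gives it. The sample property data is constructed, not taken from the Ivan image.

```python
import struct
from datetime import datetime, timedelta, timezone

# Full form of the Properties subkey GUID the lecture abbreviates as 83DA63.
DEVICE_TIMES_GUID = "{83da6326-97a6-4088-9453-a1923f573b29}"

# Subkey names beneath that GUID, labelled as the lecture maps them.
PROPERTY_NAMES = {
    "0064": "first_install",
    "0065": "last_install",
    "0066": "last_arrival",
    "0067": "last_removal",
}

# A FILETIME counts 100 ns ticks from this epoch.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME into an aware UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    # Python datetimes resolve to microseconds, so the last decimal digit of
    # the tick count is dropped.
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used here to build constructed samples."""
    micros = (when - EPOCH_1601) // timedelta(microseconds=1)  # integer division, no float rounding
    return struct.pack("<Q", micros * 10)


def decode_device_times(properties: dict) -> dict:
    """Map raw 0064..0067 data (as read from the hive) to labelled UTC datetimes.

    `properties` maps the subkey name to its raw value bytes; a subkey that is
    absent (older Windows, or a device that was never removed) yields None.
    """
    decoded = {}
    for subkey, label in PROPERTY_NAMES.items():
        raw = properties.get(subkey)
        decoded[label] = filetime_to_datetime(raw) if raw else None
    return decoded


def last_connection_window(times: dict):
    """How long the device stayed attached on its most recent use.

    Returns None when either end is missing or the removal precedes the
    arrival (device still attached at shutdown, or a clock change).
    """
    arrival, removal = times.get("last_arrival"), times.get("last_removal")
    if arrival is None or removal is None or removal < arrival:
        return None
    return removal - arrival


# Constructed sample (not Ivan's hive): a device installed once, plugged in
# again months later and pulled about an hour after that, as the lecture describes.
SAMPLE_PROPERTIES = {
    "0064": datetime_to_filetime(datetime(2020, 3, 5, 14, 2, 7, tzinfo=timezone.utc)),
    "0065": datetime_to_filetime(datetime(2020, 3, 5, 14, 2, 9, tzinfo=timezone.utc)),
    "0066": datetime_to_filetime(datetime(2020, 6, 18, 9, 15, 0, tzinfo=timezone.utc)),
    "0067": datetime_to_filetime(datetime(2020, 6, 18, 10, 18, 30, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    times = decode_device_times(SAMPLE_PROPERTIES)
    for label, when in times.items():
        print(f"{label:14s} {when.isoformat() if when else 'not present'}")
    print("attached for", last_connection_window(times))
```

The decoded times are UTC; convert to the examined machine's time zone (from the SYSTEM hive's TimeZoneInformation key) before comparing them with event logs or link files that display local time.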
which tells us that we're probably looking at a GPT disk, with GUID partition table style disk formatting. That highlighted 16 bytes of data right there is going to be the disk GUID. That's not the type GUID, that's the actual disk GUID: a unique number, unique to that particular disk.

On disk, this is what it's going to look like, as we just saw in the previous slide. Now, the GUID is going to be translated a little differently. When you translate GUIDs, part of your GUID is going to be read big-endian and part of your GUID is going to be read little-endian, and you have to understand the breakdown of a GUID. A GUID is broken down by four bytes, four bytes, two bytes, two bytes, six bytes. The last section is going to be read big-endian; then we have our other sections read little-endian. We've talked about what endian is: it's the direction we read, either right to left or left to right.

Here's a look at the view on disk. I have the device that was connected, and I went and looked at the device and its GUID partition table, and we can see it's a basic data partition. It's GPT style formatting, and we do indeed see the same hexadecimal representation there. If you know GPT formatting, each entry is 128 bytes. The first line of that entry, the first 16 bytes, is our GUID type, so it's going to tell us the type of partition; in this case we're looking at a data partition. The second 16 bytes down is going to give us that unique ID. That's going to be unique to that specific volume only, and it will be the same no matter which machine you plug it into; it's still going to give you the same partition GUID. Here we see a readout of the partition table. We see the unique partition GUID, we see it in hex as it lays on disk, and we can also see it translated to an actual GUID. If you were to search this GUID throughout the file system, you'd be able to find it in other places
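The mixed-endian GUID layout and the 128-byte GPT entry described above, as an added Python example that is not part of the course material: it decodes 16 on-disk bytes the way the data interpreter does (the first three fields of 4, 2 and 2 bytes are little-endian, the last 8 bytes are read in order, which is exactly what the uuid module's bytes_le constructor applies), shows what a naive left-to-right read would give instead, and parses a whole partition entry. The basic data partition type GUID is the published GPT constant; the partition entry itself is constructed and is not the lecture's drive.

```python
import struct
import uuid

# Partition-type GUID of a Microsoft basic data partition, a published GPT
# constant (not a value taken from the lecture's disk).
BASIC_DATA_PARTITION = uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7")


def guid_from_disk(raw: bytes) -> uuid.UUID:
    """Decode 16 bytes as they lie on disk or inside PartitionTableCache.

    Mixed-endian rule: the first three fields (4, 2 and 2 bytes) are stored
    little-endian, the remaining 8 bytes (displayed as 2 + 6) in order.
    uuid.UUID(bytes_le=...) applies exactly this rule.
    """
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    return uuid.UUID(bytes_le=raw)


def guid_to_disk(guid: uuid.UUID) -> bytes:
    """Inverse: the byte order you would search for in a hex view of the disk."""
    return guid.bytes_le


def guid_read_naively(raw: bytes) -> uuid.UUID:
    """What you get if every byte is read left to right (wrong for GUIDs)."""
    return uuid.UUID(bytes=raw)


def parse_gpt_entry(entry: bytes) -> dict:
    """Parse one 128-byte GPT partition entry.

    Layout per the GPT specification: 0-15 type GUID, 16-31 unique partition
    GUID, 32-39 first LBA, 40-47 last LBA, 48-55 attribute flags,
    56-127 partition name as UTF-16LE padded with NULs.
    """
    if len(entry) != 128:
        raise ValueError("a GPT partition entry is exactly 128 bytes")
    first_lba, last_lba, attributes = struct.unpack_from("<QQQ", entry, 32)
    return {
        "type_guid": guid_from_disk(entry[0:16]),
        "unique_guid": guid_from_disk(entry[16:32]),
        "first_lba": first_lba,
        "last_lba": last_lba,
        "attributes": attributes,
        "name": entry[56:128].decode("utf-16-le").rstrip("\x00"),
    }


# Constructed sample entry; the unique GUID is invented and is not the one
# shown for the lecture's removable drive.
SAMPLE_UNIQUE = uuid.UUID("12345678-9abc-4ef0-8123-456789abcdef")
SAMPLE_ENTRY = (
    guid_to_disk(BASIC_DATA_PARTITION)
    + guid_to_disk(SAMPLE_UNIQUE)
    + struct.pack("<QQQ", 2048, 2097151, 0)
    + "Basic data partition".encode("utf-16-le").ljust(72, b"\x00")
)

if __name__ == "__main__":
    parsed = parse_gpt_entry(SAMPLE_ENTRY)
    print("type GUID on disk :", SAMPLE_ENTRY[:16].hex())
    print("type GUID decoded :", parsed["type_guid"])
    print("unique GUID       :", parsed["unique_guid"])
    print("naive read gives  :", guid_read_naively(SAMPLE_ENTRY[16:32]))
```

The on-disk bytes of the basic data type GUID come out as a2 a0 d0 eb e5 b9 33 44 87 c0 68 b6 b7 26 99 c7, so searching a hex dump for the GUID as it is printed would miss it; search for the bytes_le form instead.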
and get more information regarding the USB device you were looking at.

On disk: we looked at EMDMgmt, and we saw that one of our devices, that Max storage device, going back to the SYSTEM file and SOFTWARE file, had a number next to it. I told you that was the volume serial number in decimal, and I said that was going to be very important when we looked at artifacts outside of the registry, like link files. Here we can see Registry Explorer showing us what we saw when we looked at EMDMgmt, and I did a translation and an examination of the disk itself, and yes, it is indeed the volume serial number of that disk. So that's some very important information that you may not always get. EMDMgmt may have nothing in it, which is very disappointing, or it may have a lot of information in it. The more information we get in EMDMgmt, the better we're going to be doing.

Now let's talk about MountedDevices. The MountedDevices subkey is located right off of the root, and it's talking about all volumes, all kinds of volumes: not just USB volumes, but any volume that's mounted to the system. We're going to see that when we look at it.

Here is a look at MountedDevices. You can see we do have a last write date and time, and if you look over to the right you can see several mounted volumes. Some of them are mounted as a drive letter, and these are showing us the currently mounted volumes when the system was shut down. We can also see that some of them are TrueCrypt volumes. Not all of them are going to be USB devices connected to the system; this is showing us all the mounted volumes. We see a CD-ROM device, you see a floppy drive, and we do see what look like USB devices. What I want to point out here is you see this PMAP, and when we see a number next to it, that is a serial number.
That is the serial number, and we can correlate that serial number back to our USBSTOR key and say definitively that this USB device was mounted as a particular drive letter. We're going to take a look at that when we do our practical.

MountPoints2 is in the NTUSER.DAT file. The reason we care is that if we can match the volumes we saw in the previous slide to the volumes in MountPoints2, we can connect a USB device back to a specific user, which can be very important in your investigation: being able to track the device not just to the system, but to a specific user.

In our walkthrough, we're going to examine the USBSTOR key; there's a lot of information there. We're going to look at our MountedDevices. We're going to take a look back at the Devices subkey in SOFTWARE. We're going to take a look back at the EMDMgmt key in SOFTWARE and how it relates to USBSTOR and MountedDevices. We're going to take a look at MountPoints2 in Ivan's NTUSER.DAT file. We're going to look at volume GUIDs in the registry, which we talked about, and volume GUIDs on disk, which I also showed you. What we're going to need is Timeline Explorer and Registry Explorer. We're going to need Ivan's SYSTEM file, Ivan's SOFTWARE file and Ivan's NTUSER.DAT file. We're going to load all those hives into Registry Explorer; you can load multiple hives into Registry Explorer.

So let's bring up Registry Explorer and go ahead and load the hives in. Like we've done before, you go to File > Load Hive, navigate out to where the hive is saved on your machine and go ahead and load it in. Once you've loaded all the hives, we're going to first take a look at the SYSTEM hive and we're going to look at USBSTOR, so we can use our Common bookmarks and go to USBSTOR. We're going to go ahead and expand it, and once we expand that I want you to notice you have devices listed here.
We have three USB devices. That is not a lot; most of the time when you do a real-life investigation, you're probably going to see up to 10, 12, 15 USB devices listed in here. So we can see that we have our USB devices listed. Now if we expand them we can see the serial numbers. These are the serial numbers for each of the USB devices that were connected to the system, and these are legitimate serial numbers; I'll point something out later on when we look at MountedDevices.

Again, if we further expand that, we can see our Device Parameters subkey, and if we look there we can see we have our DiskId and we have our PartitionTableCache. Now, this is a USB device. This is not a pocket drive, this is not an attachable hard drive, an external hard drive. So when we look at our PartitionTableCache, we're not seeing anything, and that's not unusual. But what we are seeing when we look at the serial number is that we're getting a ton of information over here, and I'm going to point out what is going to be very important to you. Your container ID is something that is going to be very important, because you can search this even outside the registry, in event logs, and find USB connections, if certain settings are turned on. We can see this is the USB 2.0, it's generic, so we have a serial number. We do have a class GUID and a driver GUID, but those are not going to be unique numbers; a container ID is a unique number.

If we go ahead and expand Properties and look for that subkey that started with that particular GUID and expand it, we're going to see beneath here our file times. Remember, this was our first install time, so that would be your first install time. This would be your last install time. This should be your last connected time, and your last removal time. You can see there's not a big difference, about an hour, that that device was connected.

We're going to look at our next key, our DataTraveler. I'm going to expand that and go ahead and look at Device Parameters.
We can look here at Partmgr and we can see the DiskId, and we can see our PartitionTableCache. Again, this is a USB device, so we really don't have a partition table here. This is a thumb drive, not a removable hard drive.

If we look at the last one, we can see our serial number. This is also a serial number. We can see our serial number, we're going to expand it and go ahead and look at our Device Parameters. We can see our DiskId, which we can correlate back to other places in the registry. And when we look at our PartitionTableCache here, this is where we do have a partition table cache: this is a removable hard drive. When we look at it we can see we have two partition table entries, and we're going to locate our GUID inside our PartitionTableCache. The first thing we need to do is determine where the second partition starts. By looking here, we can see we have FF and zeros, FF and zeros. So if we come here and go over 16 bytes, that right there is going to be our GUID partition type, not the unique number. Now, if we start here and go over 16 bytes, this is our GUID right here, our unique partition GUID. We can bring up our data interpreter, and when it's interpreted as a GUID we can see that GUID. We're going to see that GUID again when we look in our MountedDevices subkey and when we look in our MountPoints2 subkey. So we can see the GUID for that partition, and that's how we determine where it is, by looking at the hex.

We can also see here that we do have a container ID, which is also very important. And under Properties we would have those dates and times: last connected, last disconnected, last installed, first installed. These are very important when you're doing your examination. So we get quite a bit of information from USBSTOR, and as far as connection times and disconnection times, USBSTOR is the key you want to look at. Now let's go ahead and close up what we've got open here
and let's look at MountedDevices. We can see in MountedDevices we have volumes and GUIDs. We can see we have drive letters; make sure you're in the Values tab. In the Values tab we have drive letters. If I look at DosDevices E:, I can see right down here that it's a VMware, probably a CD-ROM, the CD-ROM on my virtual machine.

Remember what I said about serial numbers? Well, you can have a serial number or you can have a machine-assigned number, a number that is assigned by the machine that is going to be consistent on that particular system but not across multiple systems. How you tell the difference between a serial number and a machine ID is this little & sign. If the second character in that number is an & sign, that is not a serial number; that is a machine-assigned number, a unique instance ID is what it's called. So that's what that is, a unique instance ID.

Now, if we look at DosDevices F:, we can see the second character is a 7, not an &. This &0 is actually not part of the serial number; the serial number actually ends at the 9, but you'll always see that &0. That is an actual serial number, and it will be consistent across multiple devices: if you plug that same USB device into another system, it's going to register the same serial number. So we can say that this particular device with this particular serial number was mounted as DosDevices F:. That is how we resolve USB devices back to drive letters. Now if we look at DosDevices G:, we can see we have the same thing, we have a serial number.

If we look at DosDevices E: with the 16-byte data interpreter, that's going to be our GUID, and we saw that GUID back in USBSTOR. We know that that is a removable hard drive or a USB pocket drive, but it is an external hard drive of some type, and we know that at one point that external hard drive was mounted as DosDevices E:.
Very important information, and it's very important that we know how to get the information. Now if we look at these volumes, you're still going to be able to see serial numbers in here. But we were able to resolve a USB device, or even a removable hard drive, to a drive letter by going through the MountedDevices key.

If we look back at the SOFTWARE file, and we use our Devices bookmark, and we look here at Devices, we can see the friendly name of the thumb drive. In this case this is a thumb drive, and if we expand this column out we can see the serial number right here, 07 PMAP. That's a serial number, and we can resolve that serial number back to our USBSTOR and get the container ID and get all our dates and times. This is a serial number, this is a serial number, this is not a serial number. If we go back to parameters and look at the DiskId, this is a disk ID, and again we're looking at the friendly name of MAC storage, and we know from USBSTOR that that was our removable hard drive.

One other thing I want to point out; well, let's look at EMDMgmt and then I'll point something else out. In EMDMgmt we can see serial numbers, we can see a friendly name. We can see our serial number, you can see our friendly name, hack tools. Now, these names were given by the user; this name here, Kingston, came with the thumb drive. But we have a serial number, and we can go back to USBSTOR and find all our connection times. We can find our container ID. Again, this was that MAC storage, and we can make out the friendly name. And we said this is the volume serial number, like I showed you in the slides how that resolved to the volume. That's a volume serial number.

Now, going back for a moment to the SYSTEM file, we're going to go to MountedDevices again. In MountedDevices you can see we have these volume GUIDs, and these volume GUIDs are what we're going to look at to resolve our USB devices to the individual user in MountPoints2.
We know we're looking at Ivan's NTUSER account, so we're looking at devices that belonged to Ivan or were used by the Ivan account. We can't say Ivan was behind the keyboard, but we can say somebody logged in under that account interacted with these particular thumb drives, and we're going to do that using these volume IDs.

So let's go ahead and close that up. I'm sorry, one more thing with MountedDevices: we have an Export button here. Go ahead and export that; hit Export, decide where you want to put it and hit OK. Once you've done that, bring up Timeline Explorer. I already have it open, but what you'd do is File > Open, navigate to where you saved that file and open it up. What this gives us is our MountedDevices volume IDs. We have all the other information, including those serial numbers, and we have our drive letters. So we can use the drive letters and the serial numbers and go back to USBSTOR and find out the times that these devices were connected, and we know the drive letters they were connected to when the machine was shut down.

Now let's make this a little smaller, because we're going to need it, and let's go ahead and close that up. Let's go to Ivan's NTUSER hive and go to MountPoints2. When we expand MountPoints2 you see these volume GUIDs. Now we're going to bring Timeline Explorer back over, and I'm going to take a look at what we can match up in Timeline Explorer. Be careful, because a lot of these are very similar, so you've got to look carefully at what you're looking at. What we see here, we have the 70808bc7. We have the same volume GUID over here; make sure you check the end of it too. It does match, and if we slide over we can see that was the Kingston DataTraveler and we can see the serial number, so we can connect that device back to the Ivan user account.
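Pulling the correlation steps together (the & rule for serial numbers versus machine-assigned instance IDs from the MountedDevices walkthrough, the decimal volume serial in EMDMgmt, and the MountedDevices to MountPoints2 match just described), here is an added Python example that is not part of the course and is not how Registry Explorer or Timeline Explorer do it. It assumes the device path MountedDevices stores follows the usual \??\USBSTOR#<hardware id>#<instance id>#{interface GUID} layout and has already been decoded from UTF-16LE to text; every value, GUID, serial and label in the sample data is constructed, not taken from the Ivan image.

```python
import re
from typing import Optional

# Device path layout assumed for USBSTOR entries in MountedDevices, once the
# UTF-16LE value data has been decoded to text.
USBSTOR_PATH_RE = re.compile(
    r"^\\\?\?\\USBSTOR#(?P<hwid>[^#]+)#(?P<instance>[^#]+)#\{(?P<iface>[0-9a-f-]+)\}$",
    re.IGNORECASE,
)


def parse_usbstor_path(path: str) -> Optional[dict]:
    """Split a MountedDevices USBSTOR path into hardware ID, instance ID and interface GUID."""
    match = USBSTOR_PATH_RE.match(path)
    if match is None:
        return None  # not a USB storage device (CD-ROM, IDE disk, TrueCrypt volume, ...)
    return {"hwid": match["hwid"], "instance": match["instance"],
            "interface_guid": match["iface"].lower()}


def classify_instance_id(instance: str) -> dict:
    """Apply the lecture's rule for serial number versus machine-assigned ID.

    A second character of '&' means Windows generated the number (unique
    instance ID, stable on this system only).  Otherwise it is the device's
    own serial, which repeats on any system it is plugged into; the trailing
    '&0' Windows appends is not part of the serial.
    """
    machine_generated = len(instance) > 1 and instance[1] == "&"
    serial = None
    if not machine_generated:
        serial = instance[:-2] if instance.endswith("&0") else instance
    return {"machine_generated": machine_generated, "serial": serial}


def volume_serial_hex(emd_value_name: str) -> str:
    """EMDMgmt value names end in '_<volume serial in decimal>'.

    Return the 8-digit hex form that dir and LNK files show, so it can be
    matched against artifacts outside the registry.
    """
    decimal = int(emd_value_name.rsplit("_", 1)[1])
    return f"{decimal:08X}"


def resolve_user_volumes(mounted_devices: dict, mountpoints2_subkeys: list) -> list:
    """Join MountedDevices (SYSTEM) with one user's MountPoints2 (NTUSER.DAT).

    mounted_devices maps value names ('\\DosDevices\\F:' or '\\??\\Volume{guid}')
    to decoded device paths.  A volume GUID present under MountPoints2 shows
    that user account touched the volume; the DosDevices value with the same
    device path gives the drive letter it held when the system shut down.
    """
    user_guids = {name.lower() for name in mountpoints2_subkeys if name.startswith("{")}
    letter_by_path = {path: name[-2:] for name, path in mounted_devices.items()
                      if name.startswith("\\DosDevices\\")}
    hits = []
    for name, path in mounted_devices.items():
        if not name.startswith("\\??\\Volume{"):
            continue
        guid = name[len("\\??\\Volume"):].lower()
        device = parse_usbstor_path(path)
        if guid not in user_guids or device is None:
            continue
        hits.append({"volume_guid": guid, "drive_letter": letter_by_path.get(path),
                     "instance": device["instance"], **classify_instance_id(device["instance"])})
    return hits


# Constructed sample data; GUIDs, serials and labels are invented placeholders.
DISK_IFACE = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"  # GUID_DEVINTERFACE_DISK
KINGSTON = "\\??\\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#0C0000000000AA01&0#" + DISK_IFACE
GENERIC = "\\??\\USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#6&1a2b3c4d&0#" + DISK_IFACE
CDROM = "\\??\\IDE#CdRomVMware_Virtual_CD#5&1b2c3d4e&0&1.0.0#{cdrom-interface-guid-placeholder}"

MOUNTED_DEVICES = {
    "\\DosDevices\\E:": CDROM,
    "\\DosDevices\\F:": KINGSTON,
    "\\DosDevices\\G:": GENERIC,
    "\\??\\Volume{11111111-2222-4333-8444-555555555555}": KINGSTON,
    "\\??\\Volume{66666666-7777-4888-9999-aaaaaaaaaaaa}": GENERIC,
    "\\??\\Volume{bbbbbbbb-cccc-4ddd-8eee-ffffffffffff}": CDROM,
}
USER_MOUNTPOINTS2 = [
    "{11111111-2222-4333-8444-555555555555}",
    "{bbbbbbbb-cccc-4ddd-8eee-ffffffffffff}",
    "C", "D", "##fileserver#share",
]
EMD_VALUE = ("_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP#0C0000000000AA01&0#"
             + DISK_IFACE + "KINGSTON_1234567890")

if __name__ == "__main__":
    for hit in resolve_user_volumes(MOUNTED_DEVICES, USER_MOUNTPOINTS2):
        print(hit)
    print("volume serial:", volume_serial_hex(EMD_VALUE))
```

With the constructed data only the Kingston volume is reported: its GUID appears under the user's MountPoints2 and it held F: at shutdown, the Generic drive's GUID is absent from MountPoints2, and the CD-ROM GUID is present but is not a USBSTOR device. The Generic drive's instance ID has & as its second character, so the machine made it up and it cannot be used to recognise the same drive on another system.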
There's others in here: a8a8, check the end, 937, slide that over, and we have another serial number that we can connect back to the Ivan user account. You also have the VMware CD drive. We have a TrueCrypt volume, another TrueCrypt volume. So you can connect these devices not only to a drive letter through here, but you can also connect them back to a specific user. Very useful information during your investigation.

In our next section of this course, we're going to be looking at AppCompatCache and BAM, background activities monitor.