Linking USB Devices to User Accounts
If the device you're profiling is a mass storage class (USBSTOR) device, you can go a step further and try to tie it to a specific user account. This is where the NTUSER.DAT registry hive comes into play.
-------------------------------------------------------------------------------------------------------
Why NTUSER.DAT Matters
Each user on a system has an NTUSER.DAT hive, which keeps track of that user's personal settings and activity. When the user logs in, the hive is loaded into memory and mapped to HKEY_CURRENT_USER.
Inside this hive, there's a key called:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
This key logs details about:
Mounted volumes (like USB devices)
Network shares accessed by the user
If the Volume GUID you identified earlier from the SYSTEM\MountedDevices key appears as a sub-key of this MountPoints2 key, it means one of two things:
The user was logged in when the device was connected.
Or, that account was the last one logged in before the device was introduced.
-------------------------------------------------------------------------------------------------------
How to Check for User Activity
1. Load NTUSER.DAT hives:
Load all NTUSER.DAT hives for suspected users into Registry Explorer.
2. Search for the Volume GUID:
Use the Find tool in Registry Explorer and search for the GUID (e.g., 7560496c-3102-11e8-9eb7-9eb6d0dc1465).
3. Verify matches:
If you find a sub-key matching the GUID, that user's account interacted with the device or was active while the device was connected.
The last write timestamp of the sub-key gives you an idea of the last time the device was connected while that user was logged in.
-------------------------------------------------------------------------------------------------------
Important Notes
Be cautious!
If a user logs out or reboots the system while the device is still connected, Windows may incorrectly attribute the device to the last logged-in account. This issue is common in older versions of Windows. To confirm user activity, cross-reference the MountPoints2 match with:
Logon/logoff events from Windows Event Logs.
Other artifacts like browser history or shell items.
Multiple accounts: Don’t forget to check all NTUSER.DAT hives for matches if there are multiple users on the system.
Non-USBSTOR devices: If you’re profiling a device that isn’t a USB storage device, this method won’t work. Instead, use connection timestamps and Event Logs to link device usage to user activity.
-------------------------------------------------------------------------------------------------------
Beyond USB Devices: Network Shares
The MountPoints2 key doesn't just track USB devices; it also logs network shares accessed by the user. This can be helpful for:
Tracking lateral movement in an investigation.
Identifying systems accessed by an attacker or malicious insider.
Example:
A sub-key named ##wsl.localhost#Ubuntu-24.04 shows that the user accessed the share Ubuntu-24.04 on the system wsl.localhost (the backslashes of the UNC path \\wsl.localhost\Ubuntu-24.04 are stored as # characters in the sub-key name).
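The cross-referencing described in "How to Check for User Activity" and the share decoding above, as an added example that is not code from the original article: it takes the Volume GUID recovered from SYSTEM\MountedDevices, looks for it among each user's MountPoints2 sub-keys, and decodes any ##server#share entries back into UNC paths. The hive contents are a constructed sample (sub-key names plus last-write times as Registry Explorer would display them); no hive file is parsed here, and the user names and share names are illustrative.

```python
"""Attribute MountPoints2 entries to user accounts (added example).

Cross-references the Volume GUID from SYSTEM\\MountedDevices with the sub-keys
of each user's NTUSER.DAT ...\\Explorer\\MountPoints2 and decodes network-share
sub-keys. SAMPLE_HIVES is constructed data, not output of a real hive.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

# {8-4-4-4-12} hex GUID as it appears in MountedDevices names and MountPoints2 sub-keys.
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


@dataclass(frozen=True)
class MountPoint:
    user: str
    kind: str          # "volume", "share", "drive_letter" or "other"
    value: str         # normalised GUID, UNC path or drive letter
    last_write: datetime


def volume_guid(mounted_devices_name: str) -> str | None:
    """Pull the {GUID} out of a MountedDevices value name such as \\??\\Volume{...}."""
    m = GUID_RE.search(mounted_devices_name)
    return m.group(0).lower() if m else None


def decode_subkey(user: str, name: str, last_write: datetime) -> MountPoint:
    """Classify one MountPoints2 sub-key name."""
    if GUID_RE.fullmatch(name):
        return MountPoint(user, "volume", name.lower(), last_write)
    if name.startswith("##"):
        # UNC shares are stored with '#' in place of '\', so \\server\share
        # appears as ##server#share.
        unc = "\\\\" + name[2:].replace("#", "\\")
        return MountPoint(user, "share", unc, last_write)
    if re.fullmatch(r"[A-Za-z]", name):
        return MountPoint(user, "drive_letter", name.upper() + ":", last_write)
    return MountPoint(user, "other", name, last_write)


def attribute(target_volume: str,
              hives: dict[str, dict[str, datetime]]) -> dict[str, list[MountPoint]]:
    """Per user: sub-keys matching the target Volume GUID, plus any network shares."""
    wanted = volume_guid(target_volume)
    report: dict[str, list[MountPoint]] = {}
    for user, subkeys in hives.items():
        hits = []
        for name, ts in subkeys.items():
            mp = decode_subkey(user, name, ts)
            if (mp.kind == "volume" and mp.value == wanted) or mp.kind == "share":
                hits.append(mp)
        # Oldest first, so the last entry is the most recent last-write time.
        report[user] = sorted(hits, key=lambda m: m.last_write)
    return report


# Value name recovered from SYSTEM\MountedDevices (GUID is the one used in the article).
TARGET = r"\??\Volume{7560496c-3102-11e8-9eb7-9eb6d0dc1465}"

# Constructed sample: MountPoints2 sub-key name -> key last-write time, per user hive.
SAMPLE_HIVES = {
    "alice": {
        "{7560496c-3102-11e8-9eb7-9eb6d0dc1465}": datetime(2024, 5, 1, 9, 14),
        "C": datetime(2024, 4, 2, 8, 0),
        "##wsl.localhost#Ubuntu-24.04": datetime(2024, 5, 3, 11, 2),
    },
    "bob": {
        "{0aa9e4f0-0000-4000-8000-000000000001}": datetime(2024, 4, 20, 16, 45),
        "##fileserver01#finance": datetime(2024, 4, 21, 10, 30),
    },
}

if __name__ == "__main__":
    for user, hits in attribute(TARGET, SAMPLE_HIVES).items():
        for mp in hits:
            print(f"{user:8} {mp.kind:7} {mp.value}  last write {mp.last_write:%Y-%m-%d %H:%M}")
```

A volume match for a user is the lead, not the conclusion: as the notes below say, pair the last-write time with logon/logoff events before attributing the device to that account.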
-------------------------------------------------------------------------------------------------------
Microsoft-Windows-Partition/Diagnostic.evtx for Device Profiling (Win10+)
Windows 10 introduced a valuable custom log, Microsoft-Windows-Partition/Diagnostic.evtx, which records detailed information about connected and disconnected devices. One event in particular, Event ID 1006, is a game-changer for investigating mass storage class (MSC) devices.
What Event ID 1006 Captures
Each Event ID 1006 entry logs detailed data when an MSC device is connected or disconnected, including:
Device Details:
Manufacturer, Model, Vendor ID (VID), and Product ID (PID).
Disk capacity.
SCSI Serial Number (labeled as "SerialNumber").
iSerialNumber (found in the "ParentId" field).
Partition Data:
Contents of the Master Boot Record (MBR).
Volume Boot Records (VBRs) for up to three partitions.
These records provide a history of device usage, and they cover internal devices such as SSDs as well as removable media.
Connection vs. Disconnection Events
Capacity Field:
Populated for connection events (records the device’s capacity).
Displays "0" for disconnection events.
Pro Tip: Be mindful of events triggered by sleep, hibernation or shutdown.
For instance:
If a device remains connected through sleep mode, a new connection event is logged on resume, producing back-to-back connect events with no disconnect event in between. Two consecutive connects for the same device therefore do not necessarily mean it was unplugged and reinserted.
Strengths and Limitations
Advantages:
Tracks every device connection and disconnection with comprehensive data.
Provides timestamps for all events, helping to establish device activity timelines.
Far surpasses earlier removable device logging capabilities.
Limitations:
The log may be cleared during major Windows updates, so only post-update data may remain.
The General tab in Event Viewer shows only the message "For internal use only"; switch to the XML view under Details to see all the fields.
Pro Tip: Start with This Log
If you're profiling devices on Windows 10 or later, begin your investigation with Microsoft-Windows-Partition/Diagnostic.evtx. It provides a wealth of data upfront, saving time and effort in the profiling process. While additional details like user accounts and drive letters may require further investigation, this log is an exceptional resource for building a foundational understanding of device activity.
-------------------------------------------------------------------------------------------------------
Dean