When investigating external media connected to a system, determining what files and folders were accessed on the media is critical. This can be achieved by linking LNK files and Jump List shell items to device details using the Volume Serial Number (VSN).
------------------------------------------------------------------------------------------------------------
What Is a Volume Serial Number (VSN)?
Found in the Volume Boot Record (VBR) of FAT, exFAT, and NTFS file systems.
Captured in LNK files and Jump List entries for every file or folder accessed on the device.
Matching the VSN between a removable device and a shell item confirms the source of the accessed files or folders.
How to Retrieve a Device’s VSN
VSN can be retrieved through Windows artifacts, such as:
1. Microsoft-Windows-Partition/Diagnostic.evtx
What it records:
The Master Boot Record (MBR) and Volume Boot Records (VBR) for up to three partitions.
Detailed data like disk signature, partition structure, and Volume Serial Numbers.
How to extract VSN from raw data:
Hex offsets:
FAT: Offset 0x43
exFAT: Offset 0x64
NTFS: Offset 0x48
Important: Convert the Little Endian byte order to the correct format.
Tools to simplify this process:
Partition-4DiagnosticParser: Maps raw hex data to human-readable output.
USB Detective: Extracts VSN and other device details automatically.
------------------------------------------------------------------------------------------------------------
2. EMDMgmt Registry Key
Location:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
Details captured:
Manufacturer, iSerialNumber, Volume Name, and Volume Serial Number (in decimal form).
Note:
Convert the decimal VSN to hex to match shell item records.
This key may not be available on systems with SSDs, as it was originally tied to the now-defunct ReadyBoost feature.
-----------------------------------------------------------------------------------------------------------------------------
Key Insights About VSNs
VSN Changes:
A device’s VSN changes every time the partition is reformatted.
If the same iSerialNumber appears with different VSNs, it indicates the device was reformatted.
Use timestamps from the Partition/Diagnostic log or EMDMgmt key to estimate when formatting occurred.
Non-Windows File Systems:
VSN data is not recorded for Mac, Linux, or GPT partitions.
-----------------------------------------------------------------------------------------------------------------------------
Tools for USB Device Analysis
1. USB Detective
What it offers:
Automates the USB forensics process, pulling data from various sources:
Registry keys (e.g., DeviceMigration, EMDMgmt).
Event Logs (e.g., Microsoft-Windows-Partition/Diagnostic.evtx).
Shell items (e.g., LNK files, Jump Lists, ShellBags).
Volume Shadow Copies for historical analysis.
Strengths:
Provides an intuitive interface and links data to original sources for easy validation.
Consolidates and simplifies device activity audits.
First screenshot:
2nd Screenshot:
3rd After Processing Output:
2. parseUSBs.py (https://github.com/khyrenz/parseusbs)
An open-source Python script by Kathryn Hedley.
Parses registry hives and outputs findings in CSV format.
Strengths:
Simple and efficient for written reports.
Useful for quick analyses.
Limitations:
Less comprehensive than USB Detective.
Thank you for taking the time to dive into this deep exploration of USB device forensics and the critical tools and techniques that can simplify the process. By mastering these methods, you'll be equipped to uncover valuable insights during investigations efficiently.
See you in the next article, where we'll explore more cutting-edge forensic strategies and tools. Until then, happy investigating! 🚀
--------------------------------------------Dean--------------------------------------------
Commenti