USB devices play an essential role in digital forensics. While some devices, like Human Interface Devices (HIDs), may not seem particularly data-rich, they can still hold critical clues. Knowing how to analyze USB artifacts is crucial, especially when investigating potential malicious activity or suspicious system behavior.
------------------------------------------------------------------------------------------------------------
Human Interface Devices (HIDs)
HIDs, such as keyboards, mice, and game controllers, might not be the flashiest USB devices, but they can reveal important information. For instance, you might discover a new HID device installed during a time of suspicious activity. This is significant because malicious devices often disguise themselves as HIDs to bypass detection.
One common attack involves using a HID keyboard to send pre-programmed keystrokes that execute scripts, such as PowerShell commands. Devices like the Hak5 Rubber Ducky are built specifically for this purpose. Other tools, like hardware keyloggers (e.g., AirDrive) and the USB Ninja, can mimic HID input to compromise systems stealthily.
Fortunately, every HID must enumerate under the HID device class, and that process leaves traces in the system registry. HID associations are stored under the registry key:
SYSTEM\<CurrentControlSet>\Enum\HID
Here, you’ll typically find Vendor ID (VID), Product ID (PID), and timestamps. These timestamps, located in sub-keys like 0064, 0066, and 0067, record:
First connected time
Last connected time
Last removal time
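As an added example (not code from the original post), the following Python parses a `reg export` of the HID key and turns the 0064/0066/0067 values into a per-device timeline, then checks which devices were connected inside a window of suspicious activity. It assumes the export encodes these REG_FILETIME values as `hex(10):` byte lists; the VID/PID, instance ID and timestamps in the sample are constructed. The timestamps live under each device instance's Properties subkey, in the {83da6326-97a6-4088-9453-a1923f573b29} property set.

```python
import re
from datetime import datetime, timedelta, timezone

# Device property set holding the 0064/0066/0067 timestamps under each instance's Properties subkey.
TIMESTAMP_GUID = "{83da6326-97a6-4088-9453-a1923f573b29}"
PROPERTY_NAMES = {"0064": "first_connected", "0066": "last_connected", "0067": "last_removed"}
KEY_RE = re.compile(r"\\Enum\\HID\\(?P<device>[^\\]+)\\(?P<instance>[^\\]+)"
                    r"(?:\\Properties\\" + re.escape(TIMESTAMP_GUID) + r"\\(?P<prop>00[0-9a-f]{2}))?$", re.I)

# Constructed sample of a `reg export` of the HID key (VID/PID/instance are made up);
# REG_FILETIME values are assumed to be exported as hex(10): byte lists, wrapped with '\'.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\HID\VID_ABCD&PID_1234\6&1a2b3c4d&0&0000]
"DeviceDesc"="@input.inf,%hid_device%;USB Input Device"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\HID\VID_ABCD&PID_1234\6&1a2b3c4d&0&0000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064]
@=hex(10):00,84,e0,ca,\
  9d,47,da,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\HID\VID_ABCD&PID_1234\6&1a2b3c4d&0&0000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066]
@=hex(10):00,54,69,8e,ae,47,da,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\HID\VID_ABCD&PID_1234\6&1a2b3c4d&0&0000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067]
@=hex(10):00,6e,da,a6,b0,47,da,01
"""

def filetime_to_datetime(raw: bytes) -> datetime:
    """8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    ticks = int.from_bytes(raw, "little")
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_hid_timeline(reg_text: str) -> dict:
    """Map (device, instance) -> {first_connected/last_connected/last_removed: datetime}."""
    text = re.sub(r",\\\r?\n\s*", ",", reg_text)   # undo reg-export line wrapping
    timeline, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            m = KEY_RE.search(line[1:-1])
            current = (timeline.setdefault((m["device"], m["instance"]), {}), m["prop"]) if m else None
        elif current and current[1] and line.lower().startswith("@=hex(10):"):
            raw = bytes.fromhex(line.split(":", 1)[1].replace(",", ""))
            current[0][PROPERTY_NAMES.get(current[1].lower(), current[1])] = filetime_to_datetime(raw)
    return timeline

def hid_active_between(timeline: dict, start: datetime, end: datetime) -> list:
    """Devices that first appeared or last connected inside a window of suspicious activity."""
    return [dev for dev, ts in timeline.items()
            if any(start <= ts[k] <= end for k in ("first_connected", "last_connected") if k in ts)]
```

On a live system the Properties subkeys are normally readable only by SYSTEM, so export the hive (or parse an offline copy) rather than relying on an interactive admin session.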
------------------------------------------------------------------------------------------------------------
Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP)
Devices like smartphones, cameras, and music players often use MTP or PTP. These protocols differ from traditional mass storage devices and leave fewer forensic traces, but they are still worth investigating when analyzing data exfiltration or suspicious activity.
Picture Transfer Protocol (PTP)
PTP is an older protocol designed for transferring images, videos, and related metadata. It only allows files to be copied from the device to a computer and does not support other file types.
Media Transfer Protocol (MTP)
MTP is an upgraded protocol introduced by Microsoft to support a wider variety of file types. Unlike PTP, MTP allows two-way file transfers and enables simultaneous access to storage by both the device and the computer.
In forensic investigations, MTP devices can be tricky. They don’t receive drive letters and are instead displayed under “Devices and Drives” in Windows 10+ or “Portable Devices” on older systems. Additionally, accessing files on MTP devices may not create typical artifacts like .LNK files.
To identify MTP or PTP devices, examine the following registry keys:
SYSTEM\<CurrentControlSet>\Enum\USB
SOFTWARE\Microsoft\Windows Portable Devices\Devices
Artifacts like ShellBags and limited .LNK file records may also reference MTP.
What Happens?
When you open files from an MSC device (like a flash drive), Windows creates small .LNK (shortcut) files. These files point back to what you opened and where it came from, which is why their absence for MTP devices matters.
------------------------------------------------------------------------------------------------------------
Mass Storage Class (MSC) Devices
Mass storage devices, such as external hard drives and flash drives, are among the most common USB devices. They leave behind a wealth of artifacts and are essential to examine in forensic investigations.
Protocols for MSC Devices
USB Storage Port (USBSTOR): This protocol supports the traditional Bulk-Only Transport (BOT) method, which allows straightforward data transfer.
USB Attached SCSI Protocol (UASP): Introduced with USB 3.0, UASP enables faster, multi-threaded transfers and is commonly used with solid-state drives. UASP devices are recorded in the SCSI registry key rather than USBSTOR.
MSC devices typically appear with a drive letter and are fully accessible for file transfers. They are recorded in the registry under USBSTOR or SCSI, depending on the protocol.
------------------------------------------------------------------------------------------------------------
Key Forensic Takeaways
HID Devices:
Look for suspicious timestamps and unexpected devices in the HID registry key. Even if attackers spoof VID/PID, the timing can provide valuable clues.
MTP/PTP Devices:
These devices leave fewer traces but can serve as potential data exfiltration points. Investigate their registry entries and any associated ShellBag or .LNK file artifacts.
MSC Devices:
These devices leave behind the most artifacts, making them easier to analyze. Pay attention to whether they use USBSTOR or SCSI protocols, as modern devices increasingly rely on UASP.
By understanding these USB device types and the artifacts they leave behind, forensic investigators can better uncover and analyze suspicious activity on a system.
-----------------------------------------Dean------------------------------------