- Exploring Magnet Encrypted Disk Detector (EDDv310)
Introduction

In digital forensics and incident response, determining whether a computer's drive is encrypted is a crucial early step. Magnet Encrypted Disk Detector (EDDv310) is a tool designed to quickly and non-intrusively check for encrypted volumes on a system.

What is EDDv310?

EDDv310, or Encrypted Disk Detector, is a command-line tool developed by Magnet Forensics. It helps you identify encrypted volumes on a computer, including those encrypted with TrueCrypt, PGP, VeraCrypt, Check Point, SafeBoot, and BitLocker. This is particularly useful during incident response, allowing you to decide whether a live acquisition is necessary to preserve evidence.

Key Features

• Quick and non-intrusive: scans for encrypted volumes without modifying the system.
• Supports multiple encryption types: detects TrueCrypt, PGP, VeraCrypt, Check Point, SafeBoot, and BitLocker encrypted volumes.
• Command-line interface: simple and straightforward to use.
• Detailed output: reports the encryption status of drives, including OEM ID and volume labels where applicable.

How to Use EDDv310

Download and extract the tool, double-click it, and wait for the output :)

Understanding the Output

Once you run EDDv310, it checks the physical and logical drives on the system for encryption. The output will look similar to this: (screenshot)

Interpreting the Results

• Physical drive check: EDDv310 first checks the physical drives for encryption. In the example above, it checks PhysicalDrive0 and reports its status.
• Logical volume check: the tool then checks the logical volumes (partitions) on the physical drives. Here, it lists details of Drive C: and Drive D:.
• Secondary checks: EDDv310 performs additional checks for BitLocker and for running processes related to encryption.
• Summary: finally, the tool provides a summary indicating whether any encrypted volumes were detected.

Practical Uses

Forensic investigations: EDDv310 helps forensic investigators quickly determine whether a drive is encrypted, which is critical for deciding how to proceed with data acquisition and analysis.

Incident response: during an incident response, knowing whether a drive is encrypted helps responders take appropriate actions to secure and preserve evidence.

Conclusion

Magnet Encrypted Disk Detector (EDDv310) is an essential tool for anyone involved in digital forensics, incident response, or data security. Its ability to quickly and non-intrusively check for encrypted volumes makes it invaluable for ensuring that sensitive data is identified and handled appropriately. Akash Patel
- Unleashing the Power of DB Browser for Forensic Analysis
Introduction

DB Browser, also known as SQLite Database Browser, is a tool initially designed to create, search, and modify SQLite databases. Freely available, it has become a favorite not only of database administrators but also of forensic analysts. This post walks through the process of extracting and analyzing browser artifacts using tools like Kape and DB Browser, focusing on popular browsers like Google Chrome, Firefox, and Internet Explorer.

Extracting Browser Artifacts

When conducting a forensic analysis, browser artifacts can provide invaluable insights. These artifacts include browsing history, cookies, cache, and other user activity data. One of the most efficient ways to extract them is with Kape (Kroll Artifact Parser and Extractor), a robust tool favored by forensic analysts.

Using Kape to Extract Artifacts

To extract browser artifacts with Kape, follow these steps:

1. Download and install Kape: ensure you have Kape installed on your system.
2. Run Kape with the following command:

kape.exe --tsource C: --target WebBrowsers --tdest C:\Kape\Kapeoutput\ --vhdx output

• --tsource C: : the source drive (usually the C: drive).
• --target WebBrowsers: the target artifacts to extract, in this case web browsers.
• --tdest C:\Kape\Kapeoutput\: the destination folder for the extracted artifacts.
• --vhdx output: write the output in virtual hard disk (VHDX) format.

3. Review the output: Kape will generate an output containing the browser artifacts in a drive format.

Analyzing Artifacts with DB Browser

Once you have extracted the artifacts, the next step is to analyze them using DB Browser.

Steps to Analyze with DB Browser

1. Install DB Browser: if you haven't already, download and install DB Browser from here.
2. Open artifacts in DB Browser: navigate to the extracted artifacts, right-click the artifact file (usually a .sqlite file) and select "Open with DB Browser".
3. Explore the data: use the DB Browser interface to navigate through tables and records.
4. Convert timestamps: timestamps in browser artifacts are often in Unix epoch format. Use an epoch converter to transform them into readable date-time formats; for convenience, you can use online tools like Epoch Converter.

Practical Tips for Forensic Analysis

• Identify key tables: focus on tables that store user activity data such as history, cookies, and downloads.
• Use SQL queries: write custom SQL queries to extract specific information quickly.
• Correlate data: cross-reference data between different tables and artifacts to build a comprehensive timeline of user activity.

Conclusion

DB Browser, combined with Kape, provides a powerful toolkit for forensic analysis of browser artifacts. By following the steps outlined above, you can extract, analyze, and interpret data from popular web browsers, turning raw data into meaningful insights. Whether you're investigating a security incident or performing routine checks, these tools can significantly enhance your forensic capabilities. Akash Patel
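As an added example (not part of the original post, and not DB Browser's or Kape's own code), the Python script below builds a small constructed Chrome-style History database in memory, runs the kind of SQL query an analyst would type into DB Browser, and decodes the stored timestamps. The point it adds to the step above: Chrome's History database stores times as microseconds since 1601-01-01 UTC (the WebKit epoch), not the Unix epoch, so pasting the raw value into a Unix epoch converter gives a wrong date; Firefox's places.sqlite, by contrast, uses microseconds since 1970. The table layout follows Chrome's urls table; the rows are constructed sample data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit timestamps count microseconds from 1601-01-01 UTC;
# Firefox (places.sqlite) counts microseconds from the Unix epoch, 1970-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Seconds between the two epochs (369 years including 89 leap days).
EPOCH_DELTA_S = 11_644_473_600


def webkit_to_datetime(micros: int) -> datetime:
    """Convert a Chrome/WebKit microsecond timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=micros)


def unix_micros_to_datetime(micros: int) -> datetime:
    """Convert a Firefox-style microseconds-since-1970 timestamp to UTC."""
    return UNIX_EPOCH + timedelta(microseconds=micros)


def webkit_to_unix_seconds(micros: int) -> int:
    """Turn a WebKit timestamp into Unix seconds, the form an epoch converter expects."""
    return micros // 1_000_000 - EPOCH_DELTA_S


# Constructed sample rows shaped like Chrome's History 'urls' table (not real evidence).
SAMPLE_ROWS = [
    ("https://example.test/login", "Login", 3, 13_350_000_000_000_000),
    ("https://example.test/reports", "Reports", 1, 13_350_000_600_000_000),
]


def build_sample_history() -> sqlite3.Connection:
    """Create an in-memory SQLite database with Chrome's urls table layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, typed_count INTEGER DEFAULT 0, "
        "last_visit_time INTEGER, hidden INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    conn.commit()
    return conn


def recent_history(conn: sqlite3.Connection, limit: int = 50) -> list:
    """The query an analyst would run in DB Browser, with timestamps decoded."""
    cur = conn.execute(
        "SELECT url, title, visit_count, last_visit_time FROM urls "
        "ORDER BY last_visit_time DESC LIMIT ?",
        (limit,),
    )
    return [
        {
            "url": url,
            "title": title,
            "visit_count": count,
            "last_visit_utc": webkit_to_datetime(ts).isoformat(),
            "unix_seconds": webkit_to_unix_seconds(ts),
        }
        for url, title, count, ts in cur.fetchall()
    ]


if __name__ == "__main__":
    for row in recent_history(build_sample_history()):
        print(row)
```

The same query works unchanged against a History file copied out of the Kape output (open it with sqlite3.connect on a copy, never the original), and the unix_seconds column is what you paste into Epoch Converter if you prefer to check the conversion there.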
- MetaDiver: A Comprehensive Forensic Analysis Tool (for metadata analysis)
MetaDiver is a forensic tool designed to analyze and extract metadata from various file types.

Overview of MetaDiver

MetaDiver is forensic analysis software that focuses on metadata extraction from digital files. It is particularly useful in digital forensics for uncovering hidden details about files, such as creation and modification dates, author information, and other metadata that can provide critical insights during investigations.

Key Features and Functionalities

• Metadata extraction: MetaDiver can extract a wide range of metadata from various file types, including documents, emails, images, and more. This includes information such as file creation and modification dates, authorship, and file paths.
• Support for multiple file types: MetaDiver supports a diverse array of file formats, including but not limited to .DAT, .TXT, .PST, and .EML. This versatility makes it an invaluable tool for forensic analysts dealing with different types of data.
• Filtering and search capabilities: the software allows users to filter by extension and include subdirectories, making it easier to manage and locate relevant files within a case. The search functionality is robust, enabling analysts to quickly find specific metadata fields.
• Detailed metadata view: MetaDiver provides a detailed view of all metadata fields associated with a file. This includes standard fields like file size and extension, as well as more specific fields such as email headers and binary strings.
• User-friendly interface: the software features an intuitive interface that guides users through adding evidence, processing files, and reviewing metadata. The interface includes a work queue for managing multiple files and a review pane for detailed metadata analysis.

Front Page: (screenshot)

Types of Metadata Extracted

MetaDiver can extract and display various types of metadata, as illustrated in the provided screenshots. Here are some examples:

• File information: basic details such as file extension, file size, and file paths.
• Date and time stamps: metadata related to file creation, modification, and access dates.
• Authorship and ownership: information about the creator or author of the file.
• Email metadata: for email files (.eml, .pst), MetaDiver can extract details such as sender and recipient addresses, subject lines, and email headers.
• Custom metadata fields: specific metadata fields that might be unique to certain file types or generated by specific software.

Detailed Analysis Example

In the screenshots provided, MetaDiver processes and extracts metadata from several files:

• NTUSER.DAT: this file typically contains registry information and user activity data.
• ACTION NEEDED email: metadata for this .eml file includes the sender (akash patel), recipient (Axel Jeannot), and various email headers. This can be crucial in tracing communication patterns and verifying email authenticity.
• Sample .pst files: these contain multiple email messages, with metadata such as file size, creation and modification dates, and subject lines of the emails.

The extracted metadata provides forensic analysts with a wealth of information that can be used to build timelines, verify document authenticity, and uncover hidden details that might be crucial to an investigation.

Conclusion

MetaDiver is a versatile and robust tool for forensic analysis, offering comprehensive metadata extraction capabilities across a wide range of file types. Its user-friendly interface and powerful filtering and search functionalities make it an essential tool for digital forensic investigations. By uncovering and analyzing metadata, MetaDiver helps analysts piece together digital evidence, making it easier to solve cases and verify the authenticity of digital documents. Akash Patel
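To show concretely what the email metadata described above looks like when pulled out of a raw .eml, here is an added example in Python using only the standard library's email package. It is not MetaDiver's code or output; the message is a constructed sample with made-up addresses. Besides the sender, recipient, subject and date, it collects the Received headers, whose per-hop timestamps are what an analyst compares against the Date header when checking whether a message is plausible.

```python
import email
from email import policy
from email.utils import parsedate_to_datetime
from datetime import timezone

# Constructed sample .eml (not real evidence), with CRLF line endings as on disk.
# The first Received header is folded across two lines, as real mail often is.
SAMPLE_EML = (
    b"Received: from mail.example.test (mail.example.test [192.0.2.10])\r\n"
    b"\tby mx.example.test with ESMTP; Wed, 17 Jan 2024 21:20:00 +0000\r\n"
    b"Received: from [192.0.2.25] by mail.example.test; Wed, 17 Jan 2024 21:19:40 +0000\r\n"
    b"From: Sample Sender <sender@example.test>\r\n"
    b"To: Sample Recipient <recipient@example.test>\r\n"
    b"Subject: ACTION NEEDED\r\n"
    b"Date: Wed, 17 Jan 2024 21:19:30 +0000\r\n"
    b"Message-ID: <constructed-0001@example.test>\r\n"
    b"X-Mailer: ConstructedMailer/1.0\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Please review the attached report.\r\n"
)


def extract_eml_metadata(raw: bytes) -> dict:
    """Pull the header metadata an analyst looks at first out of a raw .eml."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sent = parsedate_to_datetime(msg["Date"]) if msg["Date"] else None
    received = [str(h) for h in msg.get_all("Received", [])]
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "date_utc": sent.astimezone(timezone.utc).isoformat() if sent else None,
        "message_id": str(msg["Message-ID"]),
        # Each relay prepends its own Received header, so the last one is the origin hop.
        "received_hops": received,
        "origin_hop": received[-1] if received else None,
        "header_names": list(msg.keys()),
    }


def hop_times_utc(received_headers: list) -> list:
    """Timestamps of each Received header (the part after the last ';'), in UTC."""
    out = []
    for header in received_headers:
        if ";" in header:
            stamp = parsedate_to_datetime(header.rsplit(";", 1)[1].strip())
            out.append(stamp.astimezone(timezone.utc).isoformat())
    return out


if __name__ == "__main__":
    meta = extract_eml_metadata(SAMPLE_EML)
    for key, value in meta.items():
        print(f"{key}: {value}")
    print("hop times:", hop_times_utc(meta["received_hops"]))
```

Against a real .eml, read the file in binary mode and pass the bytes in; the policy.default parser unfolds folded headers and decodes encoded-word subjects for you, so the values compare cleanly with what a GUI tool displays.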
- KAPE: Few Use Cases for Incident Responders
After numerous requests, I've compiled a comprehensive list of practical use cases for KAPE (Kroll Artifact Parser and Extractor). This powerful tool can significantly enhance your investigative capabilities. Below are some everyday scenarios where KAPE can be invaluable:

1. Check UserAssist for executed programs
2. Check Amcache and ShimCache for executed programs
3. Check LNK files for opened files
4. Check JumpLists (Automatic Destinations) for opened files
5. Check $MFT for file creation dates of illicit images, videos, etc.
6. Check $MFT and the USN Journal for file knowledge
7. Check $I and $R files in the Recycle Bin for evidence of file deletion
8. Check Volume Shadow Copies for evidence of files that may not exist on the current image
9. Check Prefetch files for executed applications and their frequency
10. Check ShellBags for accessed folders and their timestamps
11. Check Windows event logs for login attempts, system errors, and security events
12. Check browser history and cache for user internet activity
13. Check the Windows registry for startup programs and persistence mechanisms
14. Check scheduled tasks for unauthorized or suspicious tasks
15. Check RecentDocs for recently accessed documents
16. Check network logs and the DNS cache for evidence of suspicious network activity
17. Check System Restore points for deleted or altered files
18. Check email clients' databases for evidence of communication
19. Check installed software logs for traces of malicious applications
20. Check the pagefile and hibernation file for residual data of active sessions; both can contain remnants of data from active sessions, potentially revealing important forensic artifacts.

By integrating KAPE into your digital forensic and incident response workflows, you can streamline your investigations and enhance your ability to uncover critical evidence, whether you are dealing with user activity, file access, or system anomalies. Akash Patel
- Understanding and Managing Thumbnail Cache in Windows: Tools thumbcache_viewer_64
Introduction

The thumbnail cache in Windows is a feature that speeds up the display of folders by storing thumbnail images. Tool: Thumbcache Viewer (thumbcache_viewer_64).

What is the Thumbnail Cache?

The thumbnail cache is a set of database files used by Windows to store thumbnail images of files and folders. This cache allows Windows to quickly display thumbnails without needing to regenerate them each time you open a folder.

Location of Thumbnail Cache Files

Windows 10, 11, and 8: in these versions, the thumbnail cache files are stored in the following directory:

C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer

<username>: replace this with your actual Windows username. To access this folder, press Win + R to open the Run dialog, type %localappdata%\Microsoft\Windows\Explorer and press Enter.

Windows 7: the location is similar to newer versions:

C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer

To access this folder, press Win + R to open the Run dialog, type %localappdata%\Microsoft\Windows\Explorer and press Enter.

Types of Files in the Thumbnail Cache

In the Explorer folder you will find several files, each representing a different size and type of thumbnail. These include:

• thumbcache_32.db: thumbnails of size 32x32 pixels.
• thumbcache_96.db: thumbnails of size 96x96 pixels.
• thumbcache_256.db: thumbnails of size 256x256 pixels.
• thumbcache_1024.db: thumbnails of size 1024x1024 pixels.
• thumbcache_idx.db: index file for the thumbnails.

Viewing Thumbnail Cache Files

To view the contents of these thumbnail cache files, you can use a tool like Thumbcache Viewer, which opens and examines the thumbnail cache database files.

Using Thumbcache Viewer

Thumbcache Viewer is a free tool that supports Windows 7 to Windows 10 thumbnails. Here's how to use it:

1. Download Thumbcache Viewer.
2. Install the tool.
3. Open thumbnail cache files: launch Thumbcache Viewer and open the thumbnail cache files located in the Explorer directory.
4. View thumbnails: the tool displays the thumbnails stored in the cache, allowing you to browse and inspect them.

Practical Uses

Forensics and investigation: for forensic investigators, examining thumbnail cache files can reveal important information about files and images that were present on the system. Using tools like Thumbcache Viewer, investigators can recover thumbnails of deleted files, providing crucial evidence.

Conclusion

The thumbnail cache in Windows is a useful feature that enhances the user experience by speeding up folder display. Knowing how to access, view, and manage these cache files can be beneficial for both everyday users and professionals. Tools like Thumbcache Viewer make it easy to inspect these files, and regular maintenance can help keep your system running smoothly. Akash Patel
- KAPE: A Detailed Exploration
Introduction: KAPE can be used through a graphical user interface (GUI) or via the command-line interface (CMD). Users typically run KAPE from the command prompt, providing the parameters that specify the artifacts they want to collect and the output location.

GUI Based: We'll walk through the process of using Kape for evidence acquisition and processing. Kape, written by Eric Zimmerman, is a powerful tool used in digital forensics and incident response.

1. Enable Targets:
• At the top left, spot number one, enter the Target source. For our example, we're choosing the C drive.
• For the Target destination, spot number two, we'll use C:\temp\T_out. "T_out" is a common naming convention for Target output.

2. Select the Kape Triage Target:
• At spot number two, we select Kape triage. This is a compound Target that gathers various artifacts like registry hives, event logs, and evidence of execution. (There are more than 220 targets in total; which ones to collect depends on what the analyst/investigator wants.)

3. Enable Modules:
• At spot number three, check the box to enable the module side of Kape (gkape).
• Specify a module destination, which is where the parsed output will reside. For our example, C:\temp\M_out (module output).

4. Choose the !EZParser Module (depends on the analyst):
• Below that, we select the !EZParser module. This module runs all of Eric Zimmerman's tools against the data grabbed by the Kape triage Target. This combination simplifies parsing using the Easy Parser tool.

5. Select CSV as Output Format:
• At spot number four, choose CSV as the default output. Eric Zimmerman's tools commonly support CSV output.

6. Enable Debug Messages:
• At spot number five, it's advisable to enable debug messages. While this outputs more messages to the console, they are immensely helpful for troubleshooting issues during acquisition or processing.

7. Execute the Command:
• At spot number six, once you have satisfied all the necessary configuration, click the "Execute" button. This initiates the command and begins the acquisition and processing of data.

Accessing Evidence:
• There are two main ways to access evidence: running Kape on a live system or mounting a forensic image. Arsenal Image Mounter is recommended for handling forensic images.
• The typical Kape workflow uses the Kape triage Target and the !EZParser module. This combination covers a broad spectrum of common artifacts. As you become more comfortable, you can build your own Kape recipe to suit specific acquisition and processing needs.

Kape Targets:

Kape targets are collections of relevant files and directories, defined and customizable through YAML files hosted on GitHub in the Kape Files repository. These targets can include files locked by the operating system, preserving original timestamps and metadata. Files locked by the OS are added to a secondary queue, visible in the console log. Even if the console log indicates certain files weren't grabbed, they were added to the secondary queue and processed using raw disk reads to bypass operating system locks.

The Kape folder contains subfolders for targets, such as "Disabled", "Antivirus" and "Apps", each representing a different collection of artifacts. Targets in the "Disabled" folder won't show up in Kape and cannot be used by it. When examining a compound target like "Kape Triage", drilling down through the associated targets in the Kape folder reveals the specific files and directories being captured.

Kape Modules:

Kape modules serve as mechanisms to run command-line tools against collected files. They are predefined and customizable, and they group artifacts into categories; the category name becomes the output folder's name. Modules facilitate live response scenarios, and several modules are geared towards this purpose.

Modules are responsible for processing collected artifacts and are grouped into categories, with each category defining the name of the output folder. Modules are highly customizable, allowing users to tailor them to their specific needs, and special programs and scripts can also be employed through them. The Kape Modules folder, like the Targets folder, contains a "Disabled" subfolder; placing modules there prevents them from appearing in gkape or being used by kape.

The "Bin" folder within the Modules directory is crucial, housing the executables that modules call upon. This ensures that third-party tools not shipped with Kape are accessible for module execution. Using the EzParser module simplifies this process, as it seamlessly integrates with Eric Zimmerman's tools. The screenshot below illustrates examining the EzParser module, which in turn points to the EVTXecmd module. Each module specifies the binaries it uses, which is why organizing executables in the "Bin" folder matters for seamless module execution.

If you prefer a user-friendly graphical interface, the GUI version of KAPE is an excellent choice. For those who appreciate the precision and control of the command line, KAPE also offers a robust command-line interface (CMD). A noteworthy feature of the GUI version is its automatic generation of the command line based on the selections you make: as you navigate the graphical interface and choose the options and artifacts you need, the corresponding command is composed for you. This ensures a smooth transition between the user-friendly GUI and the flexibility of the command line. For a quick and efficient workflow, take advantage of the visual cues provided by the GUI, and observe how the selected options translate into a well-structured command. Whether you opt for the ease of the GUI or the precision of the command line, KAPE caters to both preferences, offering a versatile solution for digital forensics and incident response tasks.

If you enable only the target for collection, KAPE delivers raw forensic data, a comprehensive snapshot of the specified target. This raw data is invaluable for detailed analysis and investigation. For users seeking a more structured and parsed output, KAPE's modules come into play: by combining specific modules with the target, KAPE not only captures the raw data but also processes and organizes it into user-friendly formats such as CSV or TXT. This dual output ensures that users have access to both the unfiltered raw data and the parsed, structured results.

Integration Possibilities: While Kape itself doesn't integrate with Splunk directly, investigators can ingest the CSVs it produces into Splunk.

Hash Sets and Cloud Data Collection: Kape allows excluding certain files with hash sets; it doesn't restrict the search to specific file types. This emphasizes Kape's flexibility while outlining its approach to hash-based exclusions. Furthermore, Kape can collect data from cloud storage services such as OneDrive, Google Drive, Dropbox, and Box, but legal considerations regarding search warrants and authorization for cloud data access apply. Akash Patel
- Streamlining USB Device Identification with a Single Script
Identifying and analyzing USB device details can be a tedious and time-consuming task. It often requires combing through various system registries and logs to gather information about connected USB devices. As a cybersecurity professional, having an efficient way to automate this process can save valuable time and reduce errors.

In this blog, I will share a script that simplifies the task of identifying USB device details. This script gathers all the necessary information in one go, making the process more efficient. Additionally, you can find this script integrated into my endpoint data capture tool, which is detailed in my previous blog. The script is also available on the resume page of my portfolio.

USB Device Information

Before diving into the script, let's look at the kind of information we aim to extract:

• Serial Number: unique identifier for the USB device.
• Friendly Name: user-friendly name of the USB device.
• Mounted Name: drive letter assigned to the USB device.
• First Time Connection: timestamp of the first connection.
• Last Time Connection: timestamp of the last connection.
• VID: Vendor ID of the USB device.
• PID: Product ID of the USB device.
• Connected Now: indicates whether the device is currently connected.
• User Name: the username that initiated the connection.
• DiskID: unique identifier for the disk.
• ClassGUID: Class GUID of the device.
• VolumeGUID: Volume GUID of the device (if available).

If you run the script in PowerShell you will get output like below: (screenshot)

If you run my script, which you can find under the resume page, you will get output like below: (screenshot)

Conclusion

Identifying USB details can indeed be a hectic task when done manually by digging through system registries. However, with the help of automation scripts like the one shared above, the process can become much more manageable and efficient. Akash Patel
- USB MSC Device Forensics: A Quick Guide for Windows
Hey there, tech detectives! If you're digging into USB devices on Windows 7 to 10, here's a handy guide to help you gather all the important details. Let's get started!

1. Vendor, Product, Version
Path: SYSTEM\CurrentControlSet\Enum\USBSTOR
Vendor:
Product:
Version:

2. USB Unique Serial Number ID
Path: SYSTEM\CurrentControlSet\Enum\USB
USB Unique Serial Number ID:

3. Vendor-ID (VID) and Product-ID (PID)
Path: SYSTEM\CurrentControlSet\Enum\USB --> perform a search for the USB S/N
VID:
PID:

4. Volume GUIDs
Path: SYSTEM\MountedDevices --> search for the serial number in the drive letter entries
VolumeGUID:

5. Drive Letter
Path: SYSTEM\MountedDevices --> search for the Volume GUID in the drive letter entries
Drive Letter:
Or NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs --> perform a search for the volume name
Or perform shortcut (LNK) file analysis --> perform a search for the volume name
Drive Letter =

6. Volume Name
Path: SOFTWARE\Microsoft\Windows Portable Devices\Devices --> search for the USB serial number and match it with the volume name
Volume Name:
Drive Letter (VISTA ONLY):

7. Volume Serial Number
Path: SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt --> search for the volume name/serial number. Convert the serial number to its hex value for link analysis.
Volume Serial Number (HEX):

8. User of USB Device
Path: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 --> search for the GUID
User:

9. First Time Device Connected
Path: C:\Windows\inf\setupapi.dev.log --> search for the unique serial number
Time/Timezone:
SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial #\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064 --> Value = Windows 64-bit hex value timestamp; use DCodeDate

10. Last Time Device Connected
Path: SYSTEM\CurrentControlSet\Enum\USB\VID_XXXX&PID_YYYY --> search for the serial number
Time/Timezone:
or NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID} --> perform a search for the device {GUID}
Time/Timezone =
SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial #\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066 --> Value = Windows 64-bit hex value timestamp; use DCodeDate

11. Time Device Removed
SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial #\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067 --> Value = Windows 64-bit hex value timestamp; use DCodeDate

Tips for Timestamps

For Windows 64-bit hex value timestamps, use DCodeDate to decode them.

There you go! Keep this guide handy, and you'll be a USB forensics whiz in no time. Happy investigating! Akash Patel
- Optional: If EMDMgmt Key Present (Finding Your USB's Volume Serial Number)
So, you've found those Windows logs and you're curious about what else you can track? Let's talk about the Volume Serial Number, a nifty identifier that can help you match USB devices to logs.

What's a Volume Serial Number?

The Volume Serial Number is like a fingerprint for your USB or any drive. It's created when the drive is formatted and is unique to each filesystem (FAT, exFAT, NTFS).

Where Can I Find It?

You won't see this number everywhere, but when you do, it's gold! One place to look is the EMDMgmt key in the Windows Registry. This key stores info about USB devices, especially if you've used ReadyBoost.

Steps to Find the Volume Serial Number:

1. Check the volume info: use a tool like vol.exe to find the Volume Label and Serial Number of your USB.
2. Look in the registry: open Regedit and navigate to SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt. Search for your USB's Unique Serial Number or Volume Name. The last number you see there is your Volume Serial Number in decimal form.
3. Convert to hex: take that decimal number and plug it into a calculator. Switch the calculator to Hex mode to see the Volume Serial Number in hex.

Why Bother?

You might think, "Why do I need this number?" Well, it's super useful for tracking! You can use it to:

• Check the USB's usage history.
• Analyze recent documents or shortcuts linked to the USB.

A Quick Example:

Let's say you have a USB with the Unique Serial Number A270010C4E86E.

1. Registry check: go to SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt. Find A270010C4E86E and note the last integer.
2. Decimal to hex: convert that last integer to hex using your calculator.

Now you've got your Volume Serial Number! Store it somewhere safe, because this number stays the same even if you reformat the USB.

In Conclusion:

The Volume Serial Number might seem like a small detail, but it's a big help when you're digging through logs or tracking USB activity. So next time you're snooping around Windows logs, keep an eye out for this handy identifier! Akash Patel
- Event Logging for Removable Device Activity
1. The "I Just Plugged In a USB" Log (Event ID 20001) (System Logs)

When you plug in a USB or any device, Windows often tries to install its drivers automatically. This action creates an Event ID 20001 in the System log. What's in it?
• When: the exact time the device was plugged in.
• What: device name, vendor info, and a serial number (if it has one).
• Status: tells you whether the device was set up without any issues.

2. More About Your Devices (DriverFrameworks Log)

Windows 7 and up keep track of when devices connect and disconnect. This log, known as DriverFrameworks UserMode (Microsoft-Windows-DriverFrameworks-UserMode/Operational), is your go-to.
• What it tells you: device connection and disconnection times.

3. Who Did What with Which USB (Event ID 4663)

Windows can also log what happens with files and folders on removable devices. This log, Event ID 4663, is super handy.
• Why it's cool: it links user accounts with device actions, like copying a file.
• What it logs: a record of BYOD (Bring Your Own Device) usage once auditing is configured.

4. Missed Attempts (Event ID 4656)

Ever had trouble accessing a USB? Windows might not let you in due to some security settings. Event ID 4656 can show these failed attempts.
• What it shows: failed access to removable devices.

5. All About Plugging and Playing (Event ID 6416)

Within the Advanced Audit Policy Configuration, a new option can be added under "Detailed Tracking". If "Audit PNP Activity" is enabled (it is not on by default), the Security log will record an event every time a Plug and Play device is added to the system. While the audit policy allows for both success and failure auditing, only successful attempts are logged in practice. Want a centralized log of all device additions? Event ID 6416 logs every time a device is plugged in.
• Why it's good: detailed hardware info, and it's all in one place.

6. BitLocker Logs (MBAM)

If your computer uses BitLocker for encryption, the MBAM/Operational log can tell you when removable media gets mounted or dismounted.
• Why it's handy: helps tie events to specific devices using volume GUIDs.

Tip: have both "Audit Removable Storage" (EID 4663) and "Audit Plug and Play Activity" (EID 6416) enabled. The two event IDs complement each other very well, and using both, you can easily identify which user did what by matching the timestamps.

So, What's the Scoop?

Windows logs are like a treasure trove for anyone curious about device activity. You can see when devices were plugged in, what was done with them, and even who did it. Sure, it's not always straightforward; sometimes you'll need to piece together info from different logs. But with a bit of patience, you'll get the full picture of your device's journey.

Update: Windows 11 and Beyond

With Windows 11, the logging game has gotten even better. Now you can see even more detailed hardware information, making it easier to identify which device is which. So, if you're running Windows 11 or planning to, you're in for an even more detailed log-reading adventure! Akash Patel
- Drive Letter Identification and Volume GUID and User Mapping
Overview: Tracking a USB device and identifying its last known drive letter involves extracting and interpreting specific information from the Windows registry. This is vital in forensic investigations for tracing device activity and understanding drive mappings.

MSC (Mass Storage Class) devices only.

Steps to find the last drive letter of a USB device:
1. Retrieve the device Serial Number from the USBSTOR registry key (stored earlier).
2. Open the SYSTEM hive from the Windows registry and navigate to HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices.
3. Search for the device Serial Number within the MountedDevices key. The last device associated with a drive letter will have its Serial Number listed in that drive letter's value, which tells you the drive letter assigned to that specific device.

Importance of the Volume GUID: the GUID helps identify the user who plugged in the device and provides a timestamp of when the device was last connected by that user.

Steps to locate the Volume GUID:
1. Look for the device's Serial Number within the data values of the various GUIDs in SYSTEM\MountedDevices.
2. Once the Serial Number is located, determine the corresponding GUID and note it down.

Mapping the GUID to a user:
- NTUSER.DAT hive: use the noted GUID to search the MountPoints2 key in the user's NTUSER.DAT hive, located at NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2.
- Each Volume GUID listed under MountPoints2 corresponds to a different local or removable drive connected to the system. The Volume GUID found in SYSTEM\MountedDevices should match one of the entries in MountPoints2, identifying the user associated with the device.

Additional information in MountPoints2:
- Network shares: MountPoints2 also records network shares accessed by the user.
- Forensic significance: in intrusion cases, unauthorized access to a remote share using net.exe can leave forensic artifacts in MountPoints2.

Conclusion: MountedDevices provides insight into the physical drives, partitions, drive letter mappings and other crucial information about connected USB devices. The Volume GUID serves as a bridge between the USB device and the user who connected it. By matching the Volume GUID from SYSTEM\MountedDevices with the entries in MountPoints2 under the user's NTUSER.DAT, forensic investigators can accurately determine which user plugged in a specific USB device and when.

Akash Patel
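The serial-to-drive-letter and GUID-to-user matching described in this post, as an added Python example (not code from the original post or from any tool it names). It works on the registry contents rather than on a live system: the MountedDevices values and the MountPoints2 subkey names below are constructed stand-ins (fictional vendor, serial, GUIDs and user names) in the shape those keys take, so the script runs offline and the same functions can be fed data exported from real SYSTEM and NTUSER.DAT hives.

```python
"""
Match a USB device serial number against SYSTEM\\MountedDevices to recover its
last drive letter and Volume GUID, then match that GUID against each user's
MountPoints2 subkeys. Added example, not code from the original post; the
registry data below is constructed (fake vendor, serial, GUIDs and users).
"""
from typing import Dict, List

# Constructed stand-in for SYSTEM\MountedDevices: value name -> raw value data.
# For USB mass-storage volumes the data is a UTF-16LE device path that embeds the
# USBSTOR serial number; fixed disks store binary signature/offset data instead.
USB_PATH_DATA = (
    "_??_USBSTOR#Disk&Ven_Example&Prod_Flash&Rev_1.00"
    "#ABCD1234EXAMPLE&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
).encode("utf-16-le")
FIXED_DISK_DATA = bytes.fromhex("78563412" "0010000000000000")  # signature + offset

MOUNTED_DEVICES: Dict[str, bytes] = {
    "\\DosDevices\\C:": FIXED_DISK_DATA,
    "\\??\\Volume{a0b1c2d3-aaaa-bbbb-cccc-ddddeeeeffff}": FIXED_DISK_DATA,
    "\\DosDevices\\E:": USB_PATH_DATA,
    "\\??\\Volume{0d2fcc1e-1111-2222-3333-444455556666}": USB_PATH_DATA,
}

# Constructed stand-in for the MountPoints2 subkey names found in each user's
# NTUSER.DAT (Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2).
# The "##server#share" style entry is how a network share appears there.
MOUNTPOINTS2: Dict[str, List[str]] = {
    "alice": ["{0d2fcc1e-1111-2222-3333-444455556666}", "##fileserver#share"],
    "bob": ["{a0b1c2d3-aaaa-bbbb-cccc-ddddeeeeffff}"],
}


def decode_device_path(data: bytes) -> str:
    """Return the UTF-16LE device path stored in a MountedDevices value, or ''
    when the value holds binary (fixed-disk) data rather than a device path."""
    if len(data) % 2:
        return ""
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return ""
    return text if text.startswith(("_??_", "\\??\\")) else ""


def serial_from_path(path: str) -> str:
    """Extract the USBSTOR serial from '_??_USBSTOR#<class>#<serial>&<n>#{GUID}'."""
    parts = path.split("#")
    if len(parts) < 4 or "USBSTOR" not in parts[0].upper():
        return ""
    return parts[2].rsplit("&", 1)[0]


def find_usb_device(mounted: Dict[str, bytes], serial: str) -> Dict[str, List[str]]:
    """Return the drive letters and Volume GUIDs whose MountedDevices data names
    the given serial (case-insensitive), mirroring the manual search of the key."""
    hits: Dict[str, List[str]] = {"drive_letters": [], "volume_guids": []}
    if not serial:
        return hits
    for name, data in mounted.items():
        if serial_from_path(decode_device_path(data)).upper() != serial.upper():
            continue
        if name.startswith("\\DosDevices\\"):
            hits["drive_letters"].append(name[len("\\DosDevices\\"):])
        elif name.startswith("\\??\\Volume{"):
            hits["volume_guids"].append(name[len("\\??\\Volume"):])
    return hits


def users_for_guids(guids: List[str], mountpoints2: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each user to the Volume GUIDs from `guids` present in their MountPoints2."""
    wanted = {g.lower() for g in guids}
    return {
        user: [e for e in entries if e.lower() in wanted]
        for user, entries in mountpoints2.items()
        if any(e.lower() in wanted for e in entries)
    }


if __name__ == "__main__":
    found = find_usb_device(MOUNTED_DEVICES, "ABCD1234EXAMPLE")
    print("drive letters:", found["drive_letters"])
    print("volume GUIDs: ", found["volume_guids"])
    print("users:        ", users_for_guids(found["volume_guids"], MOUNTPOINTS2))
```

Only the USB volume's values carry a device path, so the fixed disk and its Volume GUID are ignored even though they share the same key; the GUID that does match is then looked up in every profile's MountPoints2, which is what ties the device to a user. The last-write time of that GUID subkey (noted in the next post) supplies the "when".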
- Tracking USB Key Temporal Data on Windows Systems
When it comes to USB key forensics, understanding the timeline of device connections and disconnections can be crucial. There are three key temporal data points you can track:
- First time the device was connected
- Last time the device was connected
- Removal time

New times in the Windows 8+ registry structure: in Windows 8 and above, you'll find additional timestamp information in the USBSTOR registry key, specifically under the Properties key with the GUID {83da6326-97a6-4088-9453-a1923f573b29}:
- 0064: First Install Date of the device (Windows 7 and Windows 8)
- 0066: Last Connected Date of the device (Windows 8+ only)
- 0067: Last Removal Date (Windows 8+ only)

Locations to find temporal data:
- First Install Date: SYSTEM\CurrentControlSet\Enum\USBSTOR\Device-Class\Device-SerialNumber\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064
- Last Connected Date: SYSTEM\CurrentControlSet\Enum\USBSTOR\Device-Class\Device-SerialNumber\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066
- Last Removal Date: SYSTEM\CurrentControlSet\Enum\USBSTOR\Device-Class\Device-SerialNumber\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067

Identifying the first time the device was installed: search for the device's unique Serial Number within setupapi.dev.log to identify when it was first plugged into the Windows system.
- XP: C:\Windows\setupapi.log
- Vista+: C:\Windows\inf\setupapi.dev.log

Alternative locations for the last time the device was connected:
- Serial Number key: SYSTEM\CurrentControlSet\Enum\USB\VID_XXXX&PID_YYYY; look at the last written time of the Serial Number key.
- Volume GUID: NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID}; look at the last written time of the Volume GUID key.

Why this data is useful:
- Validation: confirms information from other sources such as setupapi.dev.log and MountPoints2 in the NTUSER.DAT hive.
- Device removal: this is the first logging method that shows when a device was removed, which is a significant find.

Converting the hex timestamp to a human-readable date: you'll notice that these timestamps are stored in the Windows 64-bit hex value format. You can convert them to human-readable dates using various tools.

Akash Patel
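The conversion the post leaves to "various tools", as an added Python example (not code from the original post). The 64-bit values under the 0064, 0066 and 0067 subkeys are Windows FILETIME values: a count of 100-nanosecond intervals since 1601-01-01 UTC, stored little-endian, so the bytes a registry viewer shows must be reversed before being read as a number. The sample property values are constructed for a fictional device; the "still connected at capture" flag is a heuristic of mine, not something the post states.

```python
"""
Decode the FILETIME values under USBSTOR\\...\\Properties\\{83da6326-...}\\0064,
0066 and 0067 into UTC timestamps and lay them out as a device timeline.
Added example, not code from the original post; all sample values are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Union

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH_AS_FILETIME = 116444736000000000  # 1970-01-01 00:00:00 UTC in FILETIME units

# Properties subkeys described in the post, keyed by their registry names.
PROPERTY_NAMES = {
    "0064": "first_install",
    "0066": "last_connected",
    "0067": "last_removal",
}


def filetime_to_utc(raw: Union[int, bytes, str]) -> datetime:
    """Convert a FILETIME given as an integer, as the 8 little-endian bytes
    stored in the registry, or as the space/dash-separated hex dump a registry
    viewer displays (which is the same little-endian byte order)."""
    if isinstance(raw, str):
        raw = bytes.fromhex(raw.replace(" ", "").replace("-", ""))
    if isinstance(raw, (bytes, bytearray)):
        if len(raw) != 8:
            raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
        raw = struct.unpack("<Q", bytes(raw))[0]
    if raw < 0:
        raise ValueError("FILETIME cannot be negative")
    # 100 ns units -> microseconds; timedelta handles the ~400-year span fine.
    return FILETIME_EPOCH + timedelta(microseconds=raw // 10)


def filetime_from_unix(seconds: int) -> bytes:
    """Little-endian registry bytes for a Unix time (used here to build samples)."""
    return struct.pack("<Q", UNIX_EPOCH_AS_FILETIME + seconds * 10_000_000)


def usb_timeline(properties: Dict[str, bytes]) -> Dict[str, Union[str, bool]]:
    """Decode whichever of 0064/0066/0067 are present into ISO-8601 UTC strings.
    Heuristic (my own reading, not from the post): if the last removal precedes
    the last connection, the device was probably still attached when the hive
    was captured, since no removal has been recorded for that connection."""
    times = {
        label: filetime_to_utc(properties[key])
        for key, label in PROPERTY_NAMES.items()
        if key in properties
    }
    out: Dict[str, Union[str, bool]] = {label: t.isoformat() for label, t in times.items()}
    if {"last_connected", "last_removal"} <= times.keys():
        out["still_connected_at_capture"] = times["last_removal"] < times["last_connected"]
    return out


# Constructed sample: 0064 given as the raw bytes a hive parser returns, 0066 and
# 0067 built from Unix times. All three describe a fictional device.
SAMPLE_PROPERTIES: Dict[str, bytes] = {
    "0064": bytes.fromhex("0000056936c0d501"),  # 2020-01-01 00:00:00 UTC
    "0066": filetime_from_unix(1577966400),     # 2020-01-02 12:00:00 UTC
    "0067": filetime_from_unix(1577968200),     # 2020-01-02 12:30:00 UTC
}


if __name__ == "__main__":
    # Same value as 0064 above, pasted the way a registry viewer shows it.
    print(filetime_to_utc("00 00 05 69 36 C0 D5 01"))
    for label, value in usb_timeline(SAMPLE_PROPERTIES).items():
        print(f"{label:>28}: {value}")
```

Reading the bytes in display order as a big-endian number is the classic mistake; the struct format "<Q" does the reversal. Results are in UTC, which is how the registry stores them, so apply the system's time zone only when correlating with local-time sources such as setupapi.dev.log.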