USB Devices Redux

This article has been indexed from

Windows Incident Response

Back in 2005, Cory Altheide and I published the first paper on tracking USB storage devices across Windows systems; at the time, the focus was Windows XP. A lot has happened since then…I know, that’s an understatement…as the Windows platform has developed and expanded, initially with Vista, then Windows 7, and even with Windows 10 there have been developments that have come (and gone) just between the various Win10 builds.

With respect to USB devices in particular, not long ago, we (the community) became aware that the Microsoft-Windows-DriverFrameworks-UserMode/Operational Event Log contained quite a bit of information (see this post for event IDs to track) that a digital forensic analyst could use to determine if and when USB devices had been connected to (and disconnected from) the system. This was a pretty profound finding, and very valuable…and then, for some unknown reason, that Windows Event Log was disabled by default.

Also, in researching information for this topic, I found that the EMDMgmt key in the Software hive, which is associated with ReadyBoost and provided insight into USB-connected devices, is no longer available either. Okay, so one less artifact, one artifact removed from the constellation…now we just need to adapt.

This is really nothing new, to be honest. DFIR analysts need to be adaptable, regardless of whether we’re in a consultant or FTE role. If you’re a consultant, you’re going to see a new environment on every engagement, and there will be new things to deal with and discover. A while back, a teammate discovered that the customer had LANDesk installed on their systems, and the software monitoring component recorded a great deal of information regarding executed processes right there in the Registry. It’s not too different in an internal, FTE role, as you’re likely going to run across legacy builds, software loads that haven’t been/can’t be updated for some reas
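Because both of the artifacts above can simply be absent on a given build, the first thing an analyst (or an administrator hardening a fleet ahead of an incident) wants is a quick check of whether they exist on the system in front of them. The script below is an added example, not code from the article or its author: it reports whether the DriverFrameworks-UserMode/Operational log is enabled and how many records it holds, grouped by event ID (the article does not list the IDs, so none are hard-coded here), tests for the EMDMgmt key under the Software hive, and can optionally turn the log on so that future device connections are recorded. The function name `Get-UsbArtifactStatus` and the `-EnableLog` switch are my own names; the log name and the `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt` path are the standard locations, but you should confirm the key path against the build you are examining.

```powershell
# Added example (not from the original article): check the two USB artifacts
# discussed above and, optionally, re-enable the event log. Run as Administrator
# to enable the log; read-only checks work from a normal console.

function Get-UsbArtifactStatus {
    [CmdletBinding()]
    param(
        # Hypothetical switch name: when set, enable the log if it is off.
        [switch]$EnableLog
    )

    $logName   = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
    $emdmgmt   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt'

    # --- Event log: present? enabled? how many records, and which IDs? ---
    $logConfig = Get-WinEvent -ListLog $logName -ErrorAction SilentlyContinue
    $logFound  = $null -ne $logConfig
    $logOn     = $logFound -and $logConfig.IsEnabled

    if ($logFound -and $EnableLog -and -not $logOn) {
        # EventLogConfiguration exposes IsEnabled/SaveChanges; this is the
        # same effect as: wevtutil set-log <name> /enabled:true
        $logConfig.IsEnabled = $true
        $logConfig.SaveChanges()
        $logOn = $true
    }

    $idCounts = @{}
    if ($logOn) {
        # Group existing records by Id so the analyst sees which events
        # this build actually emits before picking IDs to pivot on.
        Get-WinEvent -FilterHashtable @{ LogName = $logName } -ErrorAction SilentlyContinue |
            Group-Object -Property Id |
            ForEach-Object { $idCounts[[int]$_.Name] = $_.Count }
    }

    # --- EMDMgmt (ReadyBoost) key: present at all, and any volume subkeys? ---
    $emdFound = Test-Path -Path $emdmgmt
    $emdSubkeys = @()
    if ($emdFound) {
        $emdSubkeys = Get-ChildItem -Path $emdmgmt -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty PSChildName
    }

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        DriverFwLogPresent  = $logFound
        DriverFwLogEnabled  = $logOn
        DriverFwRecordCount = if ($logFound) { $logConfig.RecordCount } else { 0 }
        DriverFwEventIds    = $idCounts
        EMDMgmtKeyPresent   = $emdFound
        EMDMgmtVolumeKeys   = $emdSubkeys
    }
}

# Usage: report only
Get-UsbArtifactStatus | Format-List

# Usage: report and switch the log on so future USB activity is recorded
# Get-UsbArtifactStatus -EnableLog | Format-List
```

On a build where the log exists but `DriverFwLogEnabled` is `False`, `DriverFwRecordCount` will typically be zero and the event-ID table empty; that is the "disabled by default" situation the article describes, and it is worth baselining across an estate before an investigation forces the question. An empty `EMDMgmtVolumeKeys` list with `EMDMgmtKeyPresent` true simply means ReadyBoost never evaluated a removable volume, which is different from the key being gone altogether.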

[…]