Eng Tha
 
 
Microsoft Windows 10 USB Forensic Artefacts 18/09/2015


As the capacity of USB storage devices continues to increase and the price decreases, USB forensics will often play an important part in many forensic investigations. Add to the mix a range of mobile devices such as smart phones, tablets, digital cameras and the ease of connectivity means that there are a lot of USB artefacts to be found if we know where to look. For example in Windows 7, the Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx log file contains useful information such as time stamps for the connection and disconnection of USB removable drives.

Many portable devices such as smart phones support the Media Transfer Protocol (MTP) and as a result we need to be looking in additional locations such as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices.

    When the investigation involves USB devices the questions that often need to be answered include:
  • What devices have been connected to the computer?
  • When were the devices connected?
  • Who connected the USB device to the computer?
  • Was any data transferred to the USB device?

After returning from a trip to the UK in June this year and as a result of a discussion on USB artefacts with a former colleague, I felt inspired to do some research of my own. My aim was to create a portable tool that would collect the USB artefacts from all the different locations and present the results so the investigator can easily answer most of the above questions using just one tool. The result was a tool called USB Forensic Tracker.

I recently took the plunge and installed Windows 10 Professional on my laptop and I have to say I like it. I decided to take the opportunity to see if Windows 10 would offer any new locations where we may be able to recover USB artefacts. The main focus for this initial research was the log files within the following location: "C:\Windows\System32\winevt\Logs".

Below are details of my initial findings:

“C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-ClassPnP%4Operational.evtx"

  • The content of my log file contained 199 entries. All of them were error level entries and related to USB devices that had been connected to my computer
  • The entries included details of the USB devices including vendor details, model details, firmware version and serial number of the devices
  • There is a time and date stamp for the entries that could be used to show when the devices were connected
  • Entries appeared for USB removable pen drives, USB fixed hard drives and pen drives that appear as fixed drives
  • Entries also appeared for my laptop internal hard drive
  • No entries seem to appear in the log file for MPT devices
  • The log entries also include a device number. When a USB device is connected it will be device number 1. If the first device is still connected when another USB device is connected, the second device will become device number 2 and so on.
  • Below are details of the Event ID’s found in the log file. The Event ID 507 was the most common one found followed by Event ID 504.
I also wanted to see if we could find evidence of MTP devices having been connected to the computer.
Below are details of my initial findings:
“C:\Windows\System32\winevt\Logs\Microsoft-Windows-WPD-MTPClassDriver%4Operational.evtx"
This log file was also present on Windows 7 but was not present on my Windows 8.1 test machine.
    For my testing I used a Samsung Galaxy S5.
  • Every time the device was connected to the computer, information entries were created in the log file.
  • The entries provide a time and date stamp that can be used to show when a device was connected
  • Unfortunately no details such as make or model of device are included in the log entries
  • Below are details of the Event ID’s found in the log file.
USB Forensic Tracker has been updated to extract USB artefacts from the above locations.
Orion Forensics News
 
 
 
Orion Investigations Co Ltd
16th, 20th,25th Floor, Unit 1601,2001-2002,2501 BBC Building,
29 Sukhumvit 63 North Kong Tan, Wattana, Bangkok 10110 Thailand.
Tel : +66-2-7143801 to 3 Fax : +66 (0) 2 714 3804
Email : hi-tech@orioninv.co.th or forensics@orionforensics.com
A Member Of
   
Copyright © 2013 Orion Investigation Co., Ltd.