Usb Device Forensics XP Guide-1

This document outlines the steps to profile USB devices connected to a Windows XP system for forensic analysis: (1) record identifying information for each device from system registry keys and log files, (2) determine which user and dates each device was connected, (3) repeat the process for each USB device connected to the system.

Uploaded by John Yeung
© Attribution Non-Commercial (BY-NC)

How to Approach USB Key Forensics on XP

All SYSTEM hive paths below are written with CurrentControlSet. That link only exists on a live system; in an offline SYSTEM hive use the ControlSet00N named by the Current value under SYSTEM\Select.

1. Write Down Vendor, Product, Version

SYSTEM\CurrentControlSet\Enum\USBSTOR

Each device subkey is named Disk&Ven_<vendor>&Prod_<product>&Rev_<version>.

2. Write Down Serial Number

SYSTEM\CurrentControlSet\Enum\USBSTOR

The subkey beneath the vendor/product key is the device serial number. If the second character of that name is "&", the device reported no unique serial and Windows generated the value, so it cannot be used to tie the device to another machine.

3. Determine Parent Prefix ID

SYSTEM\CurrentControlSet\Enum\USBSTOR

Read the ParentIdPrefix value stored under the serial number subkey.

4. Determine Drive Letter Device Mapped To

SYSTEM\MountedDevices

Perform search for Parent Prefix ID; the \DosDevices\<letter>: value whose data contains it gives the drive letter.

5. Write Down Volume GUIDs

SYSTEM\MountedDevices

Perform search for Parent Prefix ID; the \??\Volume{GUID} value whose data contains it gives the volume GUID.

6. Find User That Used The Specific USB Device

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Search for Device GUID. NTUSER.DAT is per user, so check the hive of every profile on the system; a hit means the volume was mounted while that user was logged on.

7. Determine Last Time Device Connected

SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Perform search for S/N. The last write time of the matching subkey is the last time the device was connected.

8. Discover First Time Device Connected

C:\Windows\setupapi.log

Perform search for Serial Number. The timestamp on the Driver Install section that first installs the device is the first time it was connected (local time on the examined system).

http://forensics.sans.org

http://twitter.com/sansforensics
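As an added worked example, not part of the SANS cheat sheet, the following Python carries the checklist above through on constructed sample data: it splits a USBSTOR instance ID into vendor, product, version and serial and flags a Windows-generated serial (steps 1 and 2), matches a ParentIdPrefix against MountedDevices values decoded from the UTF-16LE REG_BINARY data XP stores for USB volumes to recover the drive letter and the volume GUID you would then search for in each user's MountPoints2 (steps 3 to 6), and pulls the first successful install of the device from a setupapi.log excerpt (step 8). Key last-write times for step 7 come from whatever hive parser you use and are not reproduced here. The instance ID, ParentIdPrefix, MountedDevices blobs and log lines are all constructed for the example; on a real case substitute values exported from the offline SYSTEM hive and the original C:\Windows\setupapi.log.

```python
import re
from datetime import datetime

# Steps 1-2: on XP the USBSTOR key path has the shape
#   USBSTOR\Disk&Ven_<vendor>&Prod_<product>&Rev_<version>\<serial>&<instance>
USBSTOR_RE = re.compile(
    r"USBSTOR\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<version>[^\\]*)\\(?P<serial_key>[^\\]+)",
    re.IGNORECASE,
)
SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ Driver Install\]")
INSTALL_RE = re.compile(r'#I121 Device install of "([^"]+)" finished successfully')


def parse_usbstor_id(instance_id: str) -> dict:
    """Split a USBSTOR instance ID into the fields steps 1 and 2 record."""
    m = USBSTOR_RE.search(instance_id)
    if not m:
        raise ValueError(f"not a USBSTOR instance ID: {instance_id}")
    d = m.groupdict()
    key = d["serial_key"]                       # e.g. 0000161511009A0A&0
    d["serial"] = key.rpartition("&")[0]        # drop the trailing &<instance>
    # '&' as the second character means the device reported no unique serial
    # and Windows generated this value; it will not match on other machines.
    d["unique_serial"] = len(key) > 1 and key[1] != "&"
    return d


def match_mounted_devices(parent_id_prefix: str, mounted: dict) -> dict:
    """Steps 3-5: drive letter(s) and volume GUID(s) whose MountedDevices data
    contains the ParentIdPrefix.  For USB volumes the REG_BINARY data is a
    UTF-16LE device path like \\??\\STORAGE#RemovableMedia#<prefix>&RM#{GUID}."""
    hits = {"drive_letters": [], "volume_guids": []}
    needle = parent_id_prefix.lower()
    for name, blob in mounted.items():
        try:
            text = blob.decode("utf-16-le")
        except UnicodeDecodeError:
            continue  # fixed disks store a 12-byte MBR signature + offset, not text
        if needle not in text.lower():
            continue
        if name.startswith("\\DosDevices\\"):
            hits["drive_letters"].append(name[len("\\DosDevices\\"):])
        elif name.startswith("\\??\\Volume"):
            hits["volume_guids"].append(name[len("\\??\\"):])
    return hits


def first_install_times(setupapi_log: str) -> dict:
    """Step 8: map each USBSTOR instance ID (upper-cased) to the timestamp of
    the first setupapi.log section that installed it.  The timestamp comes
    from the '[YYYY/MM/DD HH:MM:SS pid.tid Driver Install]' section header
    and is local time on the examined system."""
    firsts, current = {}, None
    for line in setupapi_log.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = INSTALL_RE.search(line)
        if m and current is not None and m.group(1).upper().startswith("USBSTOR\\"):
            firsts.setdefault(m.group(1).upper(), current)  # keep the earliest
    return firsts


def profile_device(instance_id, parent_id_prefix, mounted, setupapi_log) -> dict:
    """Run steps 1-5 and 8 for one device and return the worksheet fields."""
    prof = parse_usbstor_id(instance_id)
    prof["parent_id_prefix"] = parent_id_prefix
    prof.update(match_mounted_devices(parent_id_prefix, mounted))
    prof["first_connected"] = first_install_times(setupapi_log).get(instance_id.upper())
    return prof


# ---- constructed sample data, not taken from a real case --------------------
def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")

SAMPLE_INSTANCE = r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\0000161511009A0A&0"
SAMPLE_PARENT_ID_PREFIX = "7&1c5d8f2a&0"   # ParentIdPrefix value under the serial key
_USB_PATH = r"\??\STORAGE#RemovableMedia#7&1c5d8f2a&0&RM#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
SAMPLE_MOUNTED = {
    r"\DosDevices\C:": bytes.fromhex("a1b2c3d4") + bytes(8),  # fixed disk: MBR sig + offset
    r"\DosDevices\E:": _u16(_USB_PATH),
    r"\??\Volume{3b0c1f2e-9f4a-11dd-9b2c-000c29ab1234}": _u16(_USB_PATH),
}
SAMPLE_SETUPAPI = """\
[2009/03/02 14:11:05 1196.5 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\disksandiskcruzer8.02,usbstor\\disksandiskcruzer
#I121 Device install of "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER&REV_8.02\\0000161511009A0A&0" finished successfully.
[2009/03/02 14:11:07 1196.5 Driver Install]
#I121 Device install of "STORAGE\\REMOVABLEMEDIA\\7&1C5D8F2A&0&RM" finished successfully.
[2009/03/09 09:30:44 1196.9 Driver Install]
#I121 Device install of "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER&REV_8.02\\0000161511009A0A&0" finished successfully.
"""

if __name__ == "__main__":
    for k, v in profile_device(SAMPLE_INSTANCE, SAMPLE_PARENT_ID_PREFIX,
                               SAMPLE_MOUNTED, SAMPLE_SETUPAPI).items():
        print(f"{k:18} {v}")
```

The second install section for the same instance ID on 2009/03/09 is deliberately included: setdefault keeps the earliest entry, which is the first-connection time step 8 asks for, while the later section is the kind of re-install you would cross-check against the DeviceClasses key last-write time from step 7.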

Profile XP USB Devices

Worksheet: repeat steps 1 through 8 above for USB Device 1, USB Device 2, USB Device 3 and USB Device 4, one block per device subkey found under USBSTOR.
