GameDevSoft is a software development company which is mainly known for game development. An employee in the main office was seen using his colleague's computer and had plugged in a USB on that computer too. When he was confronted about this incident, he said that he was helping fix an issue and that he never plugged any USB to this computer!
Evidence given: WindowsRegistry folder [located at C:\DFP\Labs\Module6\Lab16\WindowsRegistry] includes:
The good thing about analyzing Windows Registry Artifacts using RegRipper is that it is so easy. RegRipper performs a lot of analysis activities in the background though! We will be using the GUI version named rr.exe, but there is also a CLI version. 😊
Let's start RegRipper and load the SYSTEM registry file. All you need to do is double-click on the rr.exe file found in the RegRipper2.8-master directory. After running the application, make sure you select the file you want to analyze by pressing the "Browse" button and selecting the "SYSTEM" file. Then, press the other "Browse" button to specify where you want to store the results of the analysis that RegRipper will be doing for you. Finally, make sure that you select "system" from the drop-down profile list, even if it does not show in the list, just use the keyboard arrows to select it. With that done, you should have something like the following:
Now all you need to do is press the "Rip It" button.
RegRipper will do all the analysis, and then you will get a message saying that all is done. When you reach that point, you can move on to the second part of the analysis, that you must do yourself.
As previously mentioned, the USB details are usually stored in the USBSTOR registry key, which is located in the SYSTEM registry file in the following path:
SYSTEM\CurrentControlSet\Enum\USBSTOR
Open the SYSTEM-RegReport.txt file using Notepad++ and search for the USBSTOR keyword and find the line where it shows the "ControlSet001\Enum\USBStor". Remember that it will not always start with "ControlSet001". As you may recall from our Registry Forensic analysis, this depends on the Control Set we are working with. For this case, it was ControlSet001. Now, I assume you found the following results:
Disk&Ven_Imation&Prod_Nano_Pro&Rev_PMAP [Tue Jun 21 01:53:14 2016]
​ S/N: 07B20C03C80830A9&0 [Tue Jun 21 01:53:14 2016]
​ Device Parameters LastWrite: [Tue Jun 21 01:53:14 2016]
​ Properties LastWrite : [Tue Jun 21 01:53:15 2016]
​ FriendlyName : Imation Nano Pro USB Device
Disk&Ven_Lexar&Prod_JumpDrive&Rev_1100 [Tue Jun 21 02:01:59 2016]
​ S/N: AAI6UXDKZDV8E9OU&0 [Tue Jun 21 02:01:59 2016]
​ Device Parameters LastWrite: [Tue Jun 21 02:01:59 2016]
​ Properties LastWrite : [Tue Jun 21 02:02:00 2016]
​ FriendlyName : Lexar JumpDrive USB Device**
Based on the results, we might have two entries here. Let's continue our analysis by analyzing the entries we found here and see what the vendors, product names, etc. are. The format used in a USBSTOR is shown above:
DISK&Ven_{Name}&Prod_{Name}&Rev_{Value}
So, for the first entry, we have:
While, for the second entry we have:
By the way, from the results we got, it is clear that each device was used exactly 1 second after it was first connected to the system.
Now, we need to check the drive letter of the USBs that have been used on this system. This can be done by going to the location below:
SYSTEM\MountedDevices
So, in the results of RegRipper, search for the "MountedDevices" keyword. I assume you found the entries below.
MountedDevices
LastWrite time = Tue Jun 21 02:01:59 2016Z
\DosDevices\C:
Drive Signature = 3a db 0d ca
\??\Volume{32138f1e-3788-11e6-8250-806e6f6e6963}
Drive Signature = 3a db 0d ca
\??\Volume{32138f1f-3788-11e6-8250-806e6f6e6963}
Drive Signature = 3a db 0d ca
Device: _??_USBSTOR#Disk&Ven_Lexar&Prod_JumpDrive&Rev_1100#AAI6UXDKZDV8E9OU&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
\DosDevices\E:
\??\Volume{fb7f93ec-37a4-11e6-8254-080027d269d7}
Device: \??\SCSI#CdRom&Ven_VBOX&Prod_CD-ROM#4&8f5d389&0&010000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{32138f23-3788-11e6-8250-806e6f6e6963}
\DosDevices\D:
Device: _??_USBSTOR#Disk&Ven_Imation&Prod_Nano_Pro&Rev_PMAP#07B20C03C80830A9&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{fb7f938e-37a4-11e6-8254-080027d269d7}
mountdev2 v.20140721
(System) Return contents of System hive MountedDevices key
MountedDevices
LastWrite time = Tue Jun 21 02:01:59 2016Z
Volume Disk Sig Offset
\??\Volume{32138f1e-3788-11e6-8250-806e6f6e6963} 3a db 0d ca 0
\??\Volume{32138f1f-3788-11e6-8250-806e6f6e6963} 3a db 0d ca 0
\DosDevices\C: 3a db 0d ca 0
\??\Volume{32138f1e-3788-11e6-8250-806e6f6e6963}
Tue Jun 21 08:14:37 2016
\??\Volume{32138f1f-3788-11e6-8250-806e6f6e6963}
Tue Jun 21 08:14:37 2016
Device: \??\SCSI#CdRom&Ven_VBOX&Prod_CD-ROM#4&8f5d389&0&010000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{32138f23-3788-11e6-8250-806e6f6e6963}
\DosDevices\D:
Device: _??_USBSTOR#Disk&Ven_Imation&Prod_Nano_Pro&Rev_PMAP#07B20C03C80830A9&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
\??\Volume{fb7f938e-37a4-11e6-8254-080027d269d7}
Device: _??_USBSTOR#Disk&Ven_Lexar&Prod_JumpDrive&Rev_1100#AAI6UXDKZDV8E9OU&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
\DosDevices\E:
\??\Volume{fb7f93ec-37a4-11e6-8254-080027d269d7}
Now, I want you to go back and check the Volume GUIDs that are written in bold. So, it seems that the device that was used had the Volume GUID fb7f93ec-37a4-11e6-8254-080027d269d7. By inspecting this volume GUID, it seems that it was used with both USB drives, and it was mounted using the drive letter "E:." Also, it seems that the "Lexar JumpDrive USB Device" was the last to be used on this system. We have two proofs to this fact. The first is the entry in the registry that still shows it was attached to it. The second is that if you go back to the last time it was used, you will find that it was used at "Tue Jun 21 02:02:00 2016" while the other USB was last used at "Tue Jun 21 01:53:15 2016". It seems that our fellow was using more than one USBs because the time between each usage is less than 7 minutes.
Now that we have found what USB devices were connected to this computer, we now need to check which user was using them. Since in our case we only have one user, we will just go through the single NTUSER.DAT file. Again, start RegRipper but this time make sure to load the "NTUSER.DAT" registry file, save your report to something like "NTUSER-RegReport.txt," select the "ntuser" profile and then click on the "Rip It" button.
As a basic reminder, the mounted device details can be found in the registry path below:
NTUSER.DAT\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Now, based on the GUID we found in the previous task, which was "fb7f93ec-37a4-11e6-8254-080027d269d7." Let's see if we can locate an entry for this volume under this user's registry keys. Search for the keyword "MountPoints2" in the file NTUSER-RegReport.txt using Notepad++. I assume you found the following results.
MountPoints2
Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
LastWrite Time Tue Jun 21 02:02:04 2016 (UTC)
Remote Drives:
Volumes:
Tue Jun 21 08:38:46 2016 (UTC)
{32138f1f-3788-11e6-8250-806e6f6e6963}
Tue Jun 21 02:02:04 2016 (UTC)
{fb7f93ec-37a4-11e6-8254-080027d269d7}
Tue Jun 21 01:59:52 2016 (UTC)
{fb7f938e-37a4-11e6-8254-080027d269d7}
Tue Jun 21 01:59:48 2016 (UTC)
{32138f23-3788-11e6-8250-806e6f6e6963}
I highlighted the ones we are interested in bold.
If we now pull all the details together, we can conclude that:
The USB device named "Imation Nano Pro USB Device" was:
First installed at: Tue Jun 21 01:53:14 2016 <- found from task #1
Used by the user at: Tue Jun 21 01:59:52 2016 (UTC) <- found from user MountPoints2
While the USB device named "Lexar JumpDrive USB Device" was:
First installed at: Tue Jun 21 02:01:59 2016 <- found from task #1
And with this, we can conclude that this user truly mounted/used both USBs.