Topic: USB Device not listed in Registry
Joshsevo
« on: June 14, 2011, 12:19:26 PM »

We have an investigation in which the computer's registry does not contain a record of an external USB HDD that we know had been attached.

We can see that other external USB HDD and flash memory keys have been attached but this one is not listed.

Can anyone help?

CHFI, C|EH, Security+, CPT
cd1zz
« Reply #1 on: June 14, 2011, 12:44:39 PM »

I'm not even sure if you could do this to maintain the forensic integrity, but could you take an image of that box and then attempt a system restore back to when you think it was installed?

Joshsevo
« Reply #2 on: June 14, 2011, 01:05:49 PM »

No I don't think so.

The thing is the suspect said she only used a certain device (IOgear) and there is no record of it.  Restoring the HDD I don't think will work.  What I am trying now is to look for any wiping software that would have gone in and wiped that USB off the HDD.  

But in my previous experiences (not many experiences) wiping software can't just wipe an individual USB off but rather a large swath of data.  But with the evolving technology I suppose everything is possible.

CHFI, C|EH, Security+, CPT
Cashiuus
« Reply #3 on: June 22, 2011, 05:11:58 AM »

I imagine you've done your searching around, but I did as well and found this article: http://www.anti-forensics.com/delete-usb-device-history-from-the-windows-registry-usbstor-key-and-the-setupapilog

Have you checked the "C:\Windows\setupapi.dev.log" file for an entry? I would've certainly thought to remove the registry entry, but not to go into this file and erase mention. Check each of the [DEVICE INSTALL] sections for the specific device you are seeking.
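The check suggested in Reply #3, as an added example that is not part of the original thread: it parses the Device Install sections of a Vista/7-style setupapi.dev.log and reports the first install time per device, keeping the bus enumerator so disks that did not arrive via USBSTOR stand out. The sample log, its device IDs and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample (not case data); assumes the second disk enumerates under IDE, not USBSTOR.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\1740030001683E88&0]
>>>  Section start 2011/05/02 09:14:02.515
<<<  Section end 2011/05/02 09:14:03.701
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - IDE\DiskEXAMPLE_ESATA_DRIVE_0001\5&1a2b3c4d&0&1.0.0]
>>>  Section start 2011/05/20 16:41:10.002
<<<  Section end 2011/05/20 16:41:11.250
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\1740030001683E88&0]
>>>  Section start 2011/06/01 08:00:00.000
<<<  Section end 2011/06/01 08:00:01.000
<<<  [Exit status: SUCCESS]
"""

# A section header line followed by its "Section start" timestamp line.
SECTION_RE = re.compile(
    r"^>>>\s+\[Device Install \([^)]*\) - (?P<dev>[^\]]+)\][ \t]*\r?\n"
    r">>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})",
    re.MULTILINE,
)

def device_installs(log_text):
    """Return sorted (timestamp, enumerator, device_instance_id) tuples."""
    rows = []
    for m in SECTION_RE.finditer(log_text):
        # Timestamps in this log are local system time, not UTC.
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
        dev = m.group("dev").strip()
        rows.append((ts, dev.split("\\", 1)[0].upper(), dev))
    return sorted(rows)

def first_seen(log_text, needle=""):
    """Earliest install per device ID containing `needle` (case-insensitive)."""
    seen = {}
    for ts, enumerator, dev in device_installs(log_text):
        if needle.lower() in dev.lower():
            seen.setdefault(dev, (ts, enumerator))  # sorted input: first hit is earliest
    return seen

if __name__ == "__main__":
    for dev, (ts, enumerator) in first_seen(SAMPLE_LOG).items():
        print(ts.isoformat(sep=" "), enumerator, dev)
```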
Joshsevo
« Reply #4 on: July 21, 2011, 01:52:40 PM »

Cash,

I have not read that article before.  Thanks, good read.  I worked on this case again and the person did a good job of getting rid of stuff related to this device.

The device is called "Ion 1"; whether this be an external drive or thumb drive we don't know yet.  I was using EnCase last night and I found 24 references in unallocated space related to this Ion and you can see the files that were accessed.  Like Ion 1 F: users/verizon/contracts or F: users/..../Powerpoints.

So she was clearly moving files to it.

CHFI, C|EH, Security+, CPT
Joshsevo
« Reply #5 on: July 27, 2011, 05:14:14 PM »

So more details now.

There is an eSATA port right next to the USB and at first we were under the impression that it was broken.

Found it. It was listed under EMDMgmt in the SOFTWARE Hive. Great call. It's not ID'd as a USB device. And there is a second listing for another ION drive in there with a different Last Written date. There is a Seagate FreeAgent drive in there also, also not ID'd as USB - and I know the ones I own are USB/eSATA combos.


CHFI, C|EH, Security+, CPT