Topic: USB Device not listed in Registry (Read 14292 times)
Joshsevo
« on: June 14, 2011, 12:19:26 PM »

We have an investigation in which the computer's registry does not contain a record of an external USB HDD that we know had been attached.

We can see that other external USB HDD and flash memory keys have been attached but this one is not listed.

Can anyone help?
Security+, Network+, C|EH, CHFI, CPT
cd1zz
« Reply #1 on: June 14, 2011, 12:44:39 PM »

I'm not even sure if you could do this to maintain the forensic integrity, but could you take an image of that box and then attempt a system restore back to when you think it was installed?
Joshsevo
« Reply #2 on: June 14, 2011, 01:05:49 PM »

No I don't think so.

The thing is the suspect said she only used a certain device (IOgear) and there is no record of it.  Restoring the HDD I don't think will work.  What I am trying now is to look for any wiping software that would have gone in and wiped that USB off the HDD.  

But in my previous experiences (not many experiences) wiping software can't just wipe an individual USB off but rather a large swath of data.  But with the evolving technology I suppose everything is possible.
Cashiuus
« Reply #3 on: June 22, 2011, 05:11:58 AM »

I imagine you've done your searching around, but I did as well and found this article: http://www.anti-forensics.com/delete-usb-device-history-from-the-windows-registry-usbstor-key-and-the-setupapilog

Have you checked the "C:\Windows\setupapi.dev.log" file for an entry? I would've certainly thought to remove the registry entry, but not to go into this file and erase mention. Check each of the [DEVICE INSTALL] sections for the specific device you are seeking.
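As an added example (not code from this thread or from the article linked above), the following Python parser pulls the [Device Install ...] sections out of setupapi.dev.log text, with their start/end timestamps and exit status, so an examiner can search the log for a vendor string such as the IOgear device mentioned earlier. It relies on the section layout Windows writes (">>>  [Device Install ... - <device id>]", ">>>  Section start", "<<<  Section end", "<<<  [Exit status: ...]"); the log excerpt embedded in it is constructed and its device ids and times are made up.

```python
import re
from datetime import datetime

# Constructed setupapi.dev.log excerpt (not from the thread); ids and times are made up.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00\\0123456789ABCDEF&0]
>>>  Section start 2011/06/01 09:15:02.417
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2011/06/01 09:15:03.120
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_IOGEAR&Prod_ExampleHDD&Rev_0001\\FFEE00112233&0]
>>>  Section start 2011/06/10 14:22:03.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2011/06/10 14:22:05.000
<<<  [Exit status: SUCCESS]
"""

# One Device Install section: header, "Section start", body lines, "Section end", exit status.
HEADER_RE = re.compile(r"^>>>\s+\[Device Install \((.*?)\) - (.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
END_RE = re.compile(r"^<<<\s+Section end (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
STATUS_RE = re.compile(r"^<<<\s+\[Exit status: (.+)\]")
TS_FMT = "%Y/%m/%d %H:%M:%S.%f"


def parse_device_installs(text):
    """Return one dict per [Device Install ...] section found in setupapi.dev.log text."""
    sections, current = [], None
    for line in text.splitlines():
        if (m := HEADER_RE.match(line)):
            current = {"origin": m.group(1), "device_id": m.group(2),
                       "start": None, "end": None, "status": None}
            sections.append(current)
        elif current is None:
            continue  # text outside any section (e.g. boot banners)
        elif (m := START_RE.match(line)):
            current["start"] = datetime.strptime(m.group(1), TS_FMT)
        elif (m := END_RE.match(line)):
            current["end"] = datetime.strptime(m.group(1), TS_FMT)
        elif (m := STATUS_RE.match(line)):
            current["status"] = m.group(1)
            current = None  # section closed; later lines belong to the next one
    return sections


def find_device(text, needle):
    """Sections whose device id contains needle (case-insensitive), e.g. a vendor name."""
    needle = needle.lower()
    return [s for s in parse_device_installs(text) if needle in s["device_id"].lower()]
```

On a live system read the file with open(r"C:\Windows\inf\setupapi.dev.log") (older releases keep it directly under C:\Windows) and pass the text to find_device; a device that appears here but not under USBSTOR is itself worth noting in the report.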
Joshsevo
« Reply #4 on: July 21, 2011, 01:52:40 PM »

Cash,

I have not read that article before.  Thanks, good read.  I worked on this case again and the person did a good job of getting rid of stuff related to this device.

The device is called "Ion 1"; whether this is an external drive or thumb drive we don't know yet.  I was using Encase last night and I found 24 references in unallocated space related to this Ion and you can see the files that were accessed.  Like Ion 1 F: users/verizon/contracts or F: users/..../Powerpoints.

So she was clearly moving files to it.
Joshsevo
« Reply #5 on: July 27, 2011, 05:14:14 PM »

So more details now.

There is an eSATA port right next to the USB and at first we were under the impression that it was broken.

Found it. It was listed under EMDMgmt in the SOFTWARE Hive. Great call. It's not ID'd as a USB device. And there is a second listing for another ION drive in there with a different Last Written date. There is a Seagate FreeAgent drive in there also, also not ID'd as USB - and I know the ones I own are USB/eSata combos.
