USB Device not listed in Registry

<<

Joshsevo

Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Tue Jun 14, 2011 12:19 pm

USB Device not listed in Registry

We have an investigation in which the computer's registry does not contain a record of an external USB HDD that we know had been attached.

We can see that other external USB HDD and flash memory keys have been attached but this one is not listed.

Can anyone help?
Security+, Network+, C|EH, CHFI, CPT
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Tue Jun 14, 2011 12:44 pm

Re: USB Device not listed in Registry

I'm not even sure if you could do this to maintain the forensic integrity, but could you take an image of that box and then attempt a system restore back to when you think it was installed?
<<

Joshsevo

Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Tue Jun 14, 2011 1:05 pm

Re: USB Device not listed in Registry

No I don't think so.

The thing is the suspect said she only used a certain device (IOgear) and there is no record of it.  Restoring the HDD I don't think will work.  What I am trying now is to look for any wiping software that would have gone in and wiped that USB off the HDD.  

But in my previous experiences (not many experiences) wiping software can't just wipe an individual USB off but rather a large swath of data.  But with the evolving technology I suppose everything is possible.
Security+, Network+, C|EH, CHFI, CPT
<<

Cashiuus

Newbie

Posts: 5

Joined: Wed Jun 22, 2011 12:56 am

Post Wed Jun 22, 2011 5:11 am

Re: USB Device not listed in Registry

I imagine you've done your searching around, but I did as well and found this article: http://www.anti-forensics.com/delete-us ... etupapilog

Have you checked the "C:\Windows\setupapi.dev.log" file for an entry? I would've certainly thought to remove the registry entry, but not to go into this file and erase mention. Check each of the [DEVICE INSTALL] sections for the specific device you are seeking.
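
An added example (not part of the original post): a small Python parser for the check suggested above, assuming the Windows Vista/7 text layout of setupapi.dev.log. The sample log, device IDs and function names are constructed for illustration; the keyword filter searches every bus prefix, not only USBSTOR, and the section timestamps are in the machine's local time.

```python
import re
from datetime import datetime

# Constructed sample in the Vista/7 setupapi.dev.log layout; all IDs and times are invented.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_ExampleCo&Prod_Flash&Rev_1.00\0123456789AB&0]
>>>  Section start 2011/05/02 09:14:31.218
     ump: Creating Install Process: DrvInst.exe 09:14:31.234
<<<  Section end 2011/05/02 09:14:33.001
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - IDE\DiskExampleCo_Ext_HDD____________________1.0_____\5&1a2b3c4d&0&1.0.0]
>>>  Section start 2011/05/20 17:40:02.500
<<<  Section end 2011/05/20 17:40:04.120
<<<  [Exit status: SUCCESS]

>>>  [DIF_SELECTBESTCOMPATDRV - USB\VID_0000&PID_0000\5&abcdef&0&1]
>>>  Section start 2011/05/21 08:00:00.000
<<<  Section end 2011/05/21 08:00:00.100
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[[^\]]*?Device Install[^\]]*? - (?P<dev>[^\]]+)\]\s*$", re.I)
OTHER_SECTION = re.compile(r"^>>>\s+\[")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)")
STATUS = re.compile(r"^<<<\s+\[Exit status: ([^\]]+)\]")

def parse_device_installs(text):
    """Return one record per Device Install section: device ID, bus, start time, exit status."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            dev = m.group("dev")
            current = {"device": dev, "bus": dev.split("\\", 1)[0], "start": None, "status": None}
            records.append(current)
        elif OTHER_SECTION.match(line):
            current = None                      # a non-install section begins; stop attributing lines
        elif current is not None:
            if (m := START.match(line)):
                current["start"] = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            elif (m := STATUS.match(line)):
                current["status"] = m.group(1)
    return records

def find_devices(records, keyword):
    """Case-insensitive match on the device instance ID, whatever bus it enumerated on."""
    return [r for r in records if keyword.lower() in r["device"].lower()]

if __name__ == "__main__":
    for rec in find_devices(parse_device_installs(SAMPLE_LOG), "exampleco"):
        print(rec["start"], rec["bus"], rec["status"], rec["device"])
```

Run it against a copy of the log exported from the forensic image, never the live file, and compare each hit's start time with the Last Written times of the matching registry keys.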
<<

Joshsevo

Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Thu Jul 21, 2011 1:52 pm

Re: USB Device not listed in Registry

Cash,

I have not read that article before.  Thanks, good read.  I worked on this case again and the person did a good job of getting rid of stuff related to this device.

The device is called "Ion 1"; whether this be an external drive or thumb drive we don't know yet.  I was using EnCase last night and I found 24 references in unallocated space related to this Ion, and you can see the files that were accessed.  Like Ion 1 F: users/verizon/contracts or F: users/..../Powerpoints.

So she was clearly moving files to it.
Security+, Network+, C|EH, CHFI, CPT
<<

Joshsevo

Sr. Member

Posts: 281

Joined: Tue Dec 29, 2009 11:00 pm

Post Wed Jul 27, 2011 5:14 pm

Re: USB Device not listed in Registry

So more details now.

There is an eSATA port right next to the USB and at first we were under the impression that it was broken.

Found it. It was listed under EMDMgmt in the SOFTWARE Hive. Great call. It's not ID'd as a USB device. And there is a second listing for another ION drive in there with a different Last Written date. There is a Seagate FreeAgent drive in there also, also not ID'd as USB - and I know the ones I own are USB/eSATA combos.
Security+, Network+, C|EH, CHFI, CPT
