USB Forensics on Windows Computers

USB device history plays a critical role in the security administration of computer networks. Because USB flash drives are small, robust storage devices that fit easily into anyone’s pocket, it is crucial for security administrators to be able to view USB device history and to block the use of these devices.

There are a number of ways to explore USB device history, all of which revolve around analyzing the Windows registry in one way or another. Some techniques can be performed manually, while others use software designed specifically for this purpose. This post examines USB device history in both ways: with a freeware USB forensic tool and manually through registry key searches.

Before beginning, it is worth answering the question “What is the registry?” The Windows registry, in its most basic form, is a database containing information about system hardware, software, program settings, installed programs, and the individual settings of each user profile that exists on a Windows-based computer. The registry is dynamic and constantly in flux: the operating system consults it frequently while programs are running, and the programs themselves modify and write to it automatically while in use. The registry is self-managing in the sense that all of this work happens in the background, unnoticed by the user. One could call that an added convenience, since the technology does not get in the way of the user experience.

The hierarchy tree for the Windows registry is shown below in figure 1. Note that only the last known device can be seen at any one time using this technique.

Registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

figure 1

Figure 2 below shows the contents of the registry key highlighted in figure 1. Two critical pieces of information within the device details are the “Hardware ID” and the “ClassGUID”. The GUID, or “Globally Unique Identifier”, is the identifier the registry assigns to the USB device so that the operating system treats it as a unique, exclusive device, after which it becomes accessible to software programs.
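The manual technique above can be scripted so that every model and every serial-number subkey under USBSTOR is listed at once, together with the values the post calls out (HardwareID and ClassGUID) and the FriendlyName Windows stores beside them. The following PowerShell is an added example, not code from the original post or from any of the tools it cites; the function and parameter names are my own, and it assumes the live hive on the examined host, read from an elevated session. It reads only and writes nothing.

```powershell
# Added example (not from the original post): enumerate the USBSTOR key and list,
# per physical device, the registry values used for USB device history.
# Run in an elevated PowerShell session on the Windows host being examined.

function Get-UsbStorHistory {
    [CmdletBinding()]
    param(
        # Assumption: the live hive. To examine an offline SYSTEM hive instead, load it
        # first (reg.exe load HKLM\Evidence C:\evidence\SYSTEM) and pass
        # -RootPath 'HKLM:\Evidence\ControlSet001\Enum\USBSTOR'.
        [string]$RootPath = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    )

    if (-not (Test-Path -Path $RootPath)) {
        Write-Warning "USBSTOR key not found at $RootPath (no USB mass-storage device has been enumerated on this host, or the path is wrong)"
        return
    }

    # Level 1: one subkey per device model, for example (constructed name)
    # Disk&Ven_ExampleVendor&Prod_ExampleDrive&Rev_1.00
    foreach ($modelKey in Get-ChildItem -Path $RootPath) {
        $model = $modelKey.PSChildName

        # Level 2: one subkey per physical unit, named after the unit's USB serial number
        # with an '&0' suffix. Units that report no serial get a Windows-generated instance
        # id whose second character is '&' (e.g. 7&2a3b4c5d&0); such ids are not unique
        # across hosts, so the SerialIsUnique flag below tells the examiner which is which.
        foreach ($instanceKey in Get-ChildItem -Path $modelKey.PSPath) {
            $instance = $instanceKey.PSChildName
            $props    = Get-ItemProperty -Path $instanceKey.PSPath

            [PSCustomObject]@{
                Model          = $model
                InstanceId     = $instance
                SerialIsUnique = -not ($instance.Length -ge 2 -and $instance[1] -eq '&')
                FriendlyName   = $props.FriendlyName
                HardwareID     = ($props.HardwareID -join ' | ')   # REG_MULTI_SZ, joined for display
                ClassGUID      = $props.ClassGUID
                RegistryPath   = $instanceKey.Name
            }
        }
    }
}

# Usage: a table for the screen, and a CSV for the case file.
Get-UsbStorHistory | Sort-Object Model, InstanceId | Format-Table -AutoSize
Get-UsbStorHistory | Export-Csv -Path .\usbstor_history.csv -NoTypeInformation
```

Exporting to CSV before doing anything else on the host keeps a copy of the evidence as it was found; the RegistryPath column lets each row be traced back to the exact key shown in figure 2.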

figure 2

The second technique for examining USB device history is software based. Figure 3 is a screenshot of a USB forensic tool called USBDeview, a freeware program widely available on the Internet.

figure 3

USBDeview is a small software utility that lists all USB devices currently or previously connected to the computer. It displays an extended range of information, as seen in figures 3 and 4.

figure 4

USB flash drives are small, convenient computer accessories that we all carry around in our pockets, but it is the danger of data theft that makes security administrators concerned about the potentially malicious use of these tiny devices. The security risk they pose is that they can easily carry huge amounts of sensitive private data out of private networks. Having access to USB device history helps security administrators mitigate and remediate data loss and theft.

Other security risks posed by USB flash drives include snooping, where an unauthorized person could use a program like WinDump to listen to conversations between computers while dumping the captured data onto a USB stick. Whether USB ports should remain enabled on network computers must be determined, under heavy scrutiny, by the needs of the business.

The ability to administer access to USB ports on private networks is instrumental in preventing data loss and theft. It falls under the security administrator’s purview to ensure that these tools are implemented, managed, logged, and monitored. Securing USB drives is difficult in part because they are so small and commonplace that they seem unremarkable. Security administrators cannot afford to turn a blind eye to the dangers lurking behind their potentially sinister use, which could wreak havoc on networks and cause huge data losses. For instance, an employee could pick up a USB stick found lying in the parking lot, planted there by a hacker, and plug it into their workstation out of curiosity, causing a major network breach. A 2011 study showed that over the previous two years 70% of businesses attributed the loss of confidential or sensitive information to the use of USB flash drives. Leaving USB ports open and unrestricted poses a wide range of dangers.
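One concrete way to administer USB storage access, and to record the state so it can be logged and monitored as the paragraph above asks, is the Start value of the USBSTOR driver service in the registry: 3 (load on demand) is the Windows default, and 4 disables the driver so that newly attached mass-storage devices are not mounted, while keyboards, mice and other non-storage USB devices keep working. The script below is an added example, not code from the original post; the function names are my own, and it assumes an elevated session on the managed host.

```powershell
# Added example (not from the original post): audit and, where policy requires it,
# disable the USB mass-storage driver through the USBSTOR service Start value.
# 3 = load on demand (default, USB storage allowed); 4 = disabled.
# Requires an elevated session; the change affects devices attached from then on.

$UsbStorService = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorState {
    # Report the current setting in a form suitable for a log or a compliance report.
    $start = (Get-ItemProperty -Path $UsbStorService -Name Start).Start
    $state = switch ($start) {
        3       { 'enabled (load on demand) - weak setting where policy forbids USB storage' }
        4       { 'disabled' }
        default { "other ($start)" }
    }
    [PSCustomObject]@{
        Computer = $env:COMPUTERNAME
        Start    = $start
        State    = $state
        Checked  = Get-Date
    }
}

function Set-UsbStorState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Enabled', 'Disabled')]
        [string]$State
    )

    $value = if ($State -eq 'Disabled') { 4 } else { 3 }
    if ($PSCmdlet.ShouldProcess($UsbStorService, "set Start = $value ($State)")) {
        Set-ItemProperty -Path $UsbStorService -Name Start -Value $value -Type DWord
    }
    # Return the post-change state so the caller can log what was actually applied.
    Get-UsbStorState
}

# Usage: audit, dry run, then enforce and append the result to a log file.
Get-UsbStorState
Set-UsbStorState -State Disabled -WhatIf
Set-UsbStorState -State Disabled | Export-Csv -Path .\usbstor_policy_log.csv -Append -NoTypeInformation
```

Running the audit function from a scheduled task and appending its output to a central log gives the monitoring the paragraph above calls for: a host whose Start value drifts back to 3 shows up in the log the next time the task runs.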

Citations:

Schwartz, M. J. (2011, August 8). How USB Sticks Cause Data Breach, Malware Woes. Retrieved August 2015, from Dark Reading: http://www.darkreading.com/risk-management/how-usb-sticks-cause-data-breach-malware-woes/d/d-id/1099437?

scuzzy-delta. (2012, March). How can you see the device history of a computer when doing forensics? Retrieved August 2015, from Information Security: http://security.stackexchange.com/questions/12741/how-can-you-see-the-device-history-of-a-computer-when-doing-forensics

USB History Viewing. (2012, January). Retrieved August 2015, from ForensicsWiki: http://forensicswiki.org/wiki/USB_History_Viewing

USBDeview. (2015). Retrieved August 2015, from NirSoft: http://www.nirsoft.net/utils/usb_devices_view.html

What is the registry? (2015). Retrieved August 2015, from Microsoft Windows: http://windows.microsoft.com/en-us/windows-vista/what-is-the-registry