The questions almost every digital forensic analyst is asked usually begin with, "Can you find __________?" And the answer is almost always "maybe" or "it depends."
I am also often asked, "Can you find out if documents or data were transferred from a computer to a USB or other external storage device?" Without examining the actual USB device, again, the answer is maybe. When you save documents or data on your computer, you leave date- and time-stamped artifacts, a number of which are recorded in the registry (recent-document and open/save MRU keys, for example). Plugging in a USB or other storage device creates further registry artifacts. When a user first connects a USB mass-storage device, Windows matches its Vendor ID and Product ID against usbstor.inf, installs the driver, and records the device (including its serial number, if it reports one) under SYSTEM\CurrentControlSet\Enum\USBSTOR, with the driver installation itself logged in setupapi.dev.log.
USB device analysis varies with the type of device and the operating system it interacts with. Examiners collect USB information from several locations in order to analyze USB activity on a computer and, ultimately, to tie use of a device to a specific user account. The locations are as follows:
To tie a device to a user, match the volume GUID that the SYSTEM hive's MountedDevices key associates with the device's serial number to the same GUID under MountPoints2 in the NTUSER.DAT of a specific user account (the ContainerID links a device's entries across the Enum keys of the SYSTEM hive, but it is the volume GUID that appears in the user hive). Analysis of the data stored in these locations, together with other Windows artifacts (Windows Shortcuts, ThumbCache and many others), lets an investigator build a timeline of events that may show whether and when a document could have been transferred to the USB device. If data was created, downloaded or saved and then deleted around the time a USB device was connected and disconnected, one could propose that the data is on that USB device. That remains an inference, however: without the device itself, the host artifacts show opportunity, not the copy.
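The correlation described above, as an added example that is not part of the original post: it walks USBSTOR serials, finds the MountedDevices entries whose data names each serial, and checks which users' MountPoints2 keys carry the matching volume GUID. The registry values are constructed to look like what a hive parser (python-registry or RegRipper, for instance) would return from the SYSTEM and NTUSER.DAT hives; they are not from a real case, and the user names and GUIDs are invented.

```python
"""Correlate USB mass-storage artifacts across the SYSTEM and NTUSER.DAT hives.

Added example. All registry content below is constructed; in practice the
dictionaries would be filled from the hives by a parser such as python-registry.
"""
import re

USBSTOR_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"  # GUID_DEVINTERFACE_DISK


def _u16(s: str) -> bytes:
    """MountedDevices stores device paths as UTF-16LE; constructed strings are encoded the same way."""
    return s.encode("utf-16-le")


def _devpath(model: str, serial: str) -> bytes:
    return _u16(f"_??_USBSTOR#{model}#{serial}#{USBSTOR_GUID}")


# Constructed: SYSTEM\CurrentControlSet\Enum\USBSTOR\<model key>\<serial key>
USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00": ["4C530001230610101234&0"],
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": ["7&2a5b1c3d&0"],  # device reported no serial
}

# Constructed: SYSTEM\MountedDevices (value name -> binary data)
MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4" + "0010000000000000"),  # fixed disk: MBR signature + offset
    "\\DosDevices\\E:": _devpath("Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00", "4C530001230610101234&0"),
    "\\??\\Volume{2f1c9e3a-5b7d-4e8f-9a0b-1c2d3e4f5a6b}": _devpath(
        "Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00", "4C530001230610101234&0"),
    "\\??\\Volume{9b8a7c6d-1e2f-4a3b-8c9d-0e1f2a3b4c5d}": _devpath(
        "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "7&2a5b1c3d&0"),
}

# Constructed: per-user NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 subkeys
MOUNTPOINTS2 = {
    "alice": ["{2f1c9e3a-5b7d-4e8f-9a0b-1c2d3e4f5a6b}", "##fileserver#share"],
    "bob": ["{9b8a7c6d-1e2f-4a3b-8c9d-0e1f2a3b4c5d}"],
}


def serial_is_unique(serial: str) -> bool:
    """Windows substitutes a generated instance ID whose second character is '&' when a
    device reports no serial; such IDs identify the port/slot used, not the physical device."""
    return len(serial) > 1 and serial[1] != "&"


def decode_device_path(data: bytes):
    """Return the USBSTOR device path held in a MountedDevices value, or None for fixed
    disks, whose data is a disk signature plus partition offset rather than a string."""
    if len(data) % 2:
        return None
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return None
    return text if "USBSTOR#" in text else None


def mounts_for_serial(serial: str, mounted_devices):
    """Volume GUIDs and drive letters whose MountedDevices data names this serial."""
    guids, letters = [], []
    needle = f"#{serial}#"
    for name, data in mounted_devices.items():
        path = decode_device_path(data)
        if path is None or needle not in path:
            continue
        m = re.fullmatch(r"\\\?\?\\Volume(\{[0-9a-f-]{36}\})", name, re.IGNORECASE)
        if m:
            guids.append(m.group(1).lower())
        elif name.startswith("\\DosDevices\\"):
            # Only the most recent device to use a letter is recorded here, so an
            # absent letter does not mean the device was never mounted.
            letters.append(name.rsplit("\\", 1)[1])
    return guids, letters


def users_for_guid(guid: str, mountpoints2):
    """User accounts whose MountPoints2 key contains this volume GUID (i.e. who opened the volume)."""
    return sorted(user for user, keys in mountpoints2.items() if guid in (k.lower() for k in keys))


def correlate(usbstor, mounted_devices, mountpoints2):
    records = []
    for model, serials in usbstor.items():
        for serial in serials:
            guids, letters = mounts_for_serial(serial, mounted_devices)
            users = sorted({u for g in guids for u in users_for_guid(g, mountpoints2)})
            records.append({"model": model, "serial": serial, "unique_serial": serial_is_unique(serial),
                            "volume_guids": guids, "drive_letters": letters, "users": users})
    return records


if __name__ == "__main__":
    for record in correlate(USBSTOR, MOUNTED_DEVICES, MOUNTPOINTS2):
        print(record)
```

Two caveats the code makes explicit are worth carrying into a report: a serial whose second character is "&" was generated by Windows and cannot identify a specific physical stick, and the drive letter in MountedDevices only reflects the last device to hold that letter, so the volume GUID, not the letter, is what links the SYSTEM hive to a user's MountPoints2 entry.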
The Compass IT Compliance Digital Forensics Team assists organizations by:
Compass has a team of dedicated forensic analysts that are experienced in the collection, preservation, and analysis of digital evidence related to security incidents. This process requires a unique set of skills that not only helps you understand all aspects of the incident but that also follows law enforcement guidelines around proper evidence handling and chain of custody protocols. To discuss your specific digital forensics situation and needs in greater detail, please contact us!