Catching USB Data Thieves

Last night, I wanted to grill up some beer can chicken. If you have not had any, it ranks right up there with going to watch Time Trials at Indy as a must do. My wife loaned out my stand to some goober neighbor and she was out shopping or something or other with my daughter so I couldn't ask her where it was. She told me, but I was in CodeMode(tm) and taking in that information would have caused a buffer overflow. I went into mooch neighbor forensic mode. This is the interactive portion of the blog: download Man on Mission by Van Halen; press play now. I looked around the hood at various grills and found it; on a gas grill no less. Can't use it now after LP gas contaminated it, but I have N+1 redundancy and just used my other rack. Grill on!

A little while back, I wrote a blog about using a U3 USB key as an excellent information gathering tool. It is silent and as deadly as a busload of Navy SEALs. If someone has used this device on our machines, the only way to know is with time consuming forensics software, right? Not really. We can actually grab a ton of info with no additional software.

Now, look here folks, if you are doing this for your own info then party on, Wayne. However, if you are gathering information for any type of judicial proceeding, make sure you "legally" can. Many states have strict laws about the gathering of digital evidence and require that the person gathering data is at least a Private Investigator trained in evidence handling. This will certainly make a great certification blog later on... Jimmy Ray Purser, Digital P.I., coming up next after a special Hole In The Wall on Fox.

In basic digital forensics we are looking for MACtimes, and no, that is not an Apple publication (although think of what the comic section would look like...). It stands for:

mtime: file modification time
atime: file access time
ctime: file meta-info change time

In all fairness to Windows machines, they have four times: ChangeTime, CreationTime, LastAccessTime and LastWriteTime. Any...way...

Windows does us forensic types a solid with the USB PnP Manager. When you plug in a USB device, in order to find a driver to make this device work auto-magically, the PnP manager polls the device's firmware and records the manufacturer in the registry. Kinda like a thermos keeping hot stuff hot and cold stuff cold. How does it know? PnP Manager will record this information in setupapi.log. If we search the default install directory for XP at c:\windows\setupapi.log and correlate it with the data we find in the registry at HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (also double check ControlSet001, ControlSet002, ControlSet003, etc.), we can find the MACtimes of USB devices plugged into this machine. Windows 2K machines will also log USB access in the system log under event IDs 134, 135 and 160. There are always other little chunks of MACtime data in dllcache, the various prefetch folders, etc., but at that point you are most likely looking at using a software package, BUT that requires disk duplication with something like EnCase or FTK to dig in deeper. USB backtracing is a great place to get introduced to the fine art of digital forensics and very practical for us to use right now.

I always keep a laptop build with various hacking ISOs and one dedicated machine strictly for forensics. I would like to tell you more about it, but my wife loaned it to someone....

Jimmy Ray
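Here is the setupapi.log-to-USBSTOR correlation from the paragraph above worked through in code. This is an added example, not code from the original post: the log layout is an approximation of XP's setupapi.log (the "[date time pid.tid Driver Install]" section header followed by a "#-019 Searching for hardware ID(s):" line), the registry fields are assumed names for what a registry tool exports from HKLM\SYSTEM\ControlSet001\Enum\USBSTOR (device key, instance id with the serial, FriendlyName, key last-write time), and all sample data is constructed. The normalize() step is the part people get wrong: the hardware ID in the log ("usbstor\disksandisk_cruzer_micro____8.02") is the same vendor/product/revision as the registry key ("Disk&Ven_SanDisk&Prod_Cruzer_Micro&Rev_8.02") once padding and the &Ven_/&Prod_/&Rev_ tokens are stripped. The u3_like_serials() heuristic is also an assumption: it flags a serial that shows up as both a Disk and a CdRom key, which is what a U3 key's virtual CD-ROM looks like in USBSTOR.

```python
"""Correlate XP setupapi.log driver installs with USBSTOR registry keys.

Added example (not the original post's code).  Log layout and registry
field names are assumptions modelled on Windows XP; sample data is
constructed for the demo.
"""
import re
from datetime import datetime

# Constructed excerpt in the shape of an XP setupapi.log (assumed layout).
SAMPLE_SETUPAPI_LOG = r"""
[2008/07/15 09:12:33 1040.3 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disksandisk_cruzer_micro____8.02,usbstor\disksandisk_cruzer_micro____,usbstor\gendisk,gendisk
#I022 Found "USBSTOR\Disk" in C:\WINDOWS\inf\usbstor.inf; Device: "Disk drive"
[2008/07/15 09:12:35 1040.3 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_0781&pid_5406&rev_0010,usb\vid_0781&pid_5406
[2008/07/22 18:47:02 1208.5 Driver Install]
#-019 Searching for hardware ID(s): usbstor\cdromu3_____cruzer_micro____8.02,usbstor\cdromu3_____cruzer_micro____
"""

# Constructed stand-in for subkeys under HKLM\SYSTEM\ControlSet001\Enum\USBSTOR
# (assumed field names; key_last_write comes from a registry tool that reports
# key last-write times).  The Kingston key has no log entry on purpose: the
# registry remembers a device even after setupapi.log has been rotated.
SAMPLE_USBSTOR_KEYS = [
    {"device_key": "Disk&Ven_SanDisk&Prod_Cruzer_Micro&Rev_8.02",
     "instance_id": "0000161B0A5D2E1F&0",
     "friendly_name": "SanDisk Cruzer Micro USB Device",
     "key_last_write": "2008-07-22 18:47:05"},
    {"device_key": "CdRom&Ven_U3&Prod_Cruzer_Micro&Rev_8.02",
     "instance_id": "0000161B0A5D2E1F&1",
     "friendly_name": "U3 Cruzer Micro USB Device",
     "key_last_write": "2008-07-22 18:47:08"},
    {"device_key": "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00",
     "instance_id": "5B7A0C1D9E2F&0",
     "friendly_name": "Kingston DataTraveler 2.0 USB Device",
     "key_last_write": "2008-06-30 11:05:41"},
]

SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ Driver Install\]")
HWID_RE = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")


def parse_setupapi_log(text):
    """Return [(timestamp, most specific hardware id)] for USBSTOR installs only."""
    entries, current_ts = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:  # a new install section carries the timestamp for the lines below it
            current_ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = HWID_RE.match(line)
        if m and current_ts is not None:
            first_id = m.group(1).split(",")[0].strip()  # first id is the most specific
            if first_id.lower().startswith("usbstor\\"):
                entries.append((current_ts, first_id))
    return entries


def normalize(ident):
    """Reduce a log hardware id or a USBSTOR key to comparable vendor/product/rev text."""
    s = ident.lower()
    if s.startswith("usbstor\\"):
        s = s[len("usbstor\\"):]
    for token in ("&ven_", "&prod_", "&rev_"):
        s = s.replace(token, "")
    return re.sub(r"[^a-z0-9]", "", s)  # drops the underscore padding and punctuation


def correlate(log_entries, registry_entries):
    """Build a per-device timeline: first install seen in the log plus registry metadata."""
    timeline = []
    for reg in registry_entries:
        key = normalize(reg["device_key"])
        times = [ts for ts, hwid in log_entries if normalize(hwid) == key]
        timeline.append({
            "friendly_name": reg["friendly_name"],
            "serial": reg["instance_id"].split("&")[0],
            "first_seen": min(times) if times else None,  # None: in registry, not in log
            "install_count": len(times),
            "last_key_write": reg["key_last_write"],
        })
    timeline.sort(key=lambda r: r["first_seen"] or datetime.max)
    return timeline


def u3_like_serials(registry_entries):
    """Heuristic (assumption): a serial present as both Disk and CdRom keys is U3-like."""
    kinds = {}
    for reg in registry_entries:
        serial = reg["instance_id"].split("&")[0]
        kinds.setdefault(serial, set()).add(reg["device_key"].split("&")[0].lower())
    return {s for s, k in kinds.items() if {"disk", "cdrom"} <= k}


if __name__ == "__main__":
    log = parse_setupapi_log(SAMPLE_SETUPAPI_LOG)
    for row in correlate(log, SAMPLE_USBSTOR_KEYS):
        print(row)
    print("U3-like serials:", u3_like_serials(SAMPLE_USBSTOR_KEYS))
```

On a real box you would read c:\windows\setupapi.log into SAMPLE_SETUPAPI_LOG's place and feed the USBSTOR subkeys from each ControlSet into the registry list; a device with a registry key but no log entry tells you the log has been rotated or cleared, which is itself worth noting in the timeline.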

Copyright © 2008 IDG Communications, Inc.
