Man do I love technology sometimes. What is great about U3 smart technology is that, as long as autorun is enabled for the drive's virtual CD, you can potentially tell when one of these USB devices has been plugged in. By looking in the Windows prefetch directory, all you have to look for are these three files: Launchu3.exe, Launchpad.exe and cleanup.exe. The two launch programs are run whenever the USB drive is plugged in (assuming autorun is enabled). The cleanup program is run whenever the USB drive is ejected using the Launchpad.
If you are lucky you may see multiple entries for these files in the prefetch, or you may see different created and modified dates on a single entry, which gives you more than one point in time per file. Here is an example from the prefetch directory showing the multiple dates and times.
Filename                    Created           Modified          Accessed
LAUNCHU3.EXE-XXXXXXXX.pf    2/5/2007 13:56    2/13/2007 5:52    2/13/2007 5:52
LAUNCHPAD.EXE-XXXXXXXX.pf   2/5/2007 13:57    2/13/2007 5:52    2/13/2007 5:52
CLEANUP.EXE-XXXXXXXX.pf     2/12/2007 21:54   2/13/2007 7:01    2/13/2007 7:01
Looking at these entries in the prefetch tells me that the USB drive was attached on February 5, 2007 and again on February 13, 2007 (the created date is the first run of each launcher, the modified date the most recent run). The drive was then removed on February 12, 2007 and February 13, 2007. Pretty cool that I can tie the USB device to being used on 3 separate occasions. Also, by looking in the setupapi.log file you can see when the drive was first attached, which potentially adds a 4th time the drive was attached. Now you see why I love technology sometimes.
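As an added example (not code from the original post), this script turns the created/modified timestamps of the three U3 prefetch entries into an attach/eject timeline. The table above is embedded as constructed sample input; the hash suffix in the filenames is a placeholder, and scan_prefetch_dir is an assumed helper for running the same analysis over a real Prefetch directory.

```python
import os
import re
from datetime import datetime

# The hash suffix after the executable name (XXXXXXXX in the post) depends on
# the path the program ran from, so match on the executable name alone.
U3_PF = re.compile(r"^(LAUNCHU3|LAUNCHPAD|CLEANUP)\.EXE-\w{8}\.pf$", re.I)
# The two launchers run when the drive is plugged in (autorun),
# cleanup.exe when it is ejected through the Launchpad.
EVENT_FOR = {"LAUNCHU3": "attach", "LAUNCHPAD": "attach", "CLEANUP": "eject"}


def u3_timeline(entries):
    """entries: (filename, created, modified) tuples with datetime values.
    A .pf file's creation time is the first run of that program and its
    modification time the most recent run, so each file yields up to two
    events. Returns a sorted list of (timestamp, event, filename)."""
    events = set()
    for name, created, modified in entries:
        m = U3_PF.match(name)
        if not m:
            continue
        event = EVENT_FOR[m.group(1).upper()]
        events.add((created, event, name))
        events.add((modified, event, name))
    return sorted(events)


def usage_dates(timeline):
    """Distinct calendar days on which the U3 device was attached or ejected."""
    return sorted({ts.date() for ts, _, _ in timeline})


def scan_prefetch_dir(path=r"C:\Windows\Prefetch"):
    """Same analysis over a live or mounted Prefetch directory
    (on Windows, st_ctime is the file creation time)."""
    entries = []
    for e in os.scandir(path):
        st = e.stat()
        entries.append((e.name, datetime.fromtimestamp(st.st_ctime),
                        datetime.fromtimestamp(st.st_mtime)))
    return u3_timeline(entries)


# Constructed sample: the three entries from the post's table plus one
# unrelated prefetch file that must be ignored.
SAMPLE = [
    ("LAUNCHU3.EXE-XXXXXXXX.pf", datetime(2007, 2, 5, 13, 56), datetime(2007, 2, 13, 5, 52)),
    ("LAUNCHPAD.EXE-XXXXXXXX.pf", datetime(2007, 2, 5, 13, 57), datetime(2007, 2, 13, 5, 52)),
    ("CLEANUP.EXE-XXXXXXXX.pf", datetime(2007, 2, 12, 21, 54), datetime(2007, 2, 13, 7, 1)),
    ("NOTEPAD.EXE-12345678.pf", datetime(2007, 1, 1), datetime(2007, 1, 2)),
]

if __name__ == "__main__":
    for ts, event, name in u3_timeline(SAMPLE):
        print(f"{ts:%Y-%m-%d %H:%M}  {event:6}  {name}")
```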
Thoughts/Comments/Questions?
5 comments:
Yes, the prefetch is great. Did you know it only keeps the most recent 124 launched programs? Don't forget that you can also tell when the program was last launched and how many times it has been used/launched in the UserAssist key in the registry. You can check it out by executing the "regedit" command from the command prompt or the "Start" > "Run" location on your start bar. Once in the registry, go to the Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count key. What you see there is a bunch of garbage, but that is because Microsoft likes to be funny and they encoded everything with ROT 13. Remember how Caesar communicated with his generals, by writing them letters and rotating 3 characters in the alphabet, then the generals would rotate back three characters and they would decode Caesar's message. Well, Microsoft, AKA Caesar, rotates 13 characters in the alphabet. With 26 letters in our alphabet, that makes it easy for us simple people to simply rotate again 13 more characters and we are back to where we started. On my computer I see a value under the UserAssist key that reads:
HRZR_EHACVQY:%pfvqy23%\Zvpebfbsg Bssvpr\Zvpebfbsg Bssvpr Jbeq 2007.yax
By rotating 13 more characters I can see that that is:
UEME_RUNPIDL:%csidl23%\Microsoft Office\Microsoft Office Word 2007.lnk
If I look at the DATA value, mine looks like this: 23 00 00 00 27 00 00 00… anyway, if you move to the 5th grouping from the left, that number (minus 5) is the total number of times that application has been run on this computer system. So in my case, the Microsoft Office Word 2007 has been run 22 times (27-5=22). Please don’t ask me to explain why Microsoft starts counting at 5. The way I remember it is GATES has 5 letters and everything starts AFTER GATES.
Now what is even cooler when looking to attribute a specific USB drive to being inserted into the computer is the USBStor key in the registry.
Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR key. Under this key, you will see several entries, an entry for each USB device you have inserted into this computer! Each key will be, for the most part, descriptive of the device you stuck into the machine, but, when you expand that key, the next thing you will see is what appears to be a serial number. If the second character in the number is NOT a "&", then guess what... it is a unique serial number to that specific USB drive/device. On my computer, one of the key names is "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_WD&Prod_1600BEVExternal&Rev_1.02". This is my Western Digital 160 gig External Hard Drive. If the second character is a "&", then the Windows plug and play manager assigned a unique id for that device so it can keep track of it. Remember, the Windows assigned unique identifier will not be the same from computer to computer, but the serial number (if it has one) will be unique to the USB drive, thereby making it possible to identify the exact USB device that may have violated your computer.
Now, please don't think I am the king of the registry, that guy is Harlan Carvey. He just wrote an awesome book called Windows Forensic Analysis. We interviewed him on Cyberspeak and it should be coming out in our next show.
Swing by the podcast at http://cyberspeak.libsyn.com or drop me a line at cyberspeak@gmail.com
Love your blog
Ovie
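The UserAssist decoding and the USBSTOR serial rule from Ovie's comment, as an added example that is not part of the original thread. The value name is the one quoted above; the 16 data bytes are constructed (session id, counter starting at 5, FILETIME), as are the two instance ids, and the XP-era data layout is an assumption of this example.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_userassist_name(value_name):
    """UserAssist value names are stored ROT13-encoded; ROT13 is its own inverse."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_data(data):
    """XP-era UserAssist data: session id (DWORD), run counter (DWORD, which
    starts at 5), last-run FILETIME (QWORD), all little-endian.
    Returns (runs, last_run)."""
    session, counter, filetime = struct.unpack("<IIQ", data[:16])
    runs = max(counter - 5, 0)
    last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10) if filetime else None
    return runs, last_run


def classify_usbstor_instance(instance_id):
    """Second character '&' means the Plug and Play manager generated the id
    (not stable across machines); otherwise it is the device's own serial."""
    if len(instance_id) > 1 and instance_id[1] == "&":
        return "windows-assigned"
    return "device-serial"


def parse_usbstor_device_key(key_name):
    """Split e.g. 'Disk&Ven_WD&Prod_1600BEVExternal&Rev_1.02' into its fields."""
    parts = key_name.split("&")
    fields = {"type": parts[0]}
    for part in parts[1:]:
        tag, _, val = part.partition("_")
        fields[tag.lower()] = val
    return fields


# Constructed sample: the value name from the comment plus made-up data bytes
# (session 5, counter 27, last run 2007-02-13 05:52 UTC).
SAMPLE_NAME = "HRZR_EHACVQY:%pfvqy23%\\Zvpebfbsg Bssvpr\\Zvpebfbsg Bssvpr Jbeq 2007.yax"
_ft = (datetime(2007, 2, 13, 5, 52, tzinfo=timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
SAMPLE_DATA = struct.pack("<IIQ", 5, 27, _ft)

if __name__ == "__main__":
    print(decode_userassist_name(SAMPLE_NAME))
    print(parse_userassist_data(SAMPLE_DATA))
    print(parse_usbstor_device_key("Disk&Ven_WD&Prod_1600BEVExternal&Rev_1.02"))
    print(classify_usbstor_instance("7&1a2b3c4d&0"), classify_usbstor_instance("0000111122223333&0"))
```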
All excellent comments, Ovie. That is why I blogged earlier about using the tiny wiki for notes and such so you do not forget to look at some of the things that you mentioned. It is easy to forget some of these things, especially during busy times when you are doing 4 things at once.
What program is used to view the contents of one of the .pf files?
Or do I have to parse it myself?
Thanks,
-SS
Kill,
You can write a program to parse it or you can use a hex editor to view it.
Mark
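Following Mark's "write a program to parse it" answer, here is an added minimal header parser for uncompressed .pf files (not code from anyone in the thread). It assumes the XP/2003 (version 17) and Vista/7 (version 23) header layouts; the sample file is constructed in the block, with a placeholder hash, so it runs without a real Prefetch directory.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# (last-run FILETIME offset, run-count offset) per prefetch format version.
LAYOUT = {17: (0x78, 0x90),   # Windows XP / 2003
          23: (0x80, 0x98)}   # Windows Vista / 7


def parse_prefetch(buf):
    """Return what an examiner asks for first: executable name, prefetch hash,
    last run time and run count, read from an uncompressed .pf header."""
    version, sig = struct.unpack_from("<I4s", buf, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version} (Win8+ files are compressed)")
    # Executable name: 60 bytes of UTF-16LE at offset 0x10, null-terminated.
    exe_name = buf[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", buf, 0x4C)
    ft_off, cnt_off = LAYOUT[version]
    (filetime,) = struct.unpack_from("<Q", buf, ft_off)
    (run_count,) = struct.unpack_from("<I", buf, cnt_off)
    last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {"version": version, "exe": exe_name, "hash": f"{pf_hash:08X}",
            "last_run": last_run, "run_count": run_count}


def build_sample(version, exe, last_run, run_count):
    """Constructed test file: header only, fields placed at that version's
    offsets, everything else zero-filled, hash is a placeholder."""
    ft_off, cnt_off = LAYOUT[version]
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))
    buf[0x10:0x10 + 60] = (exe + "\x00").encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, 0x0A1B2C3D)
    filetime = (last_run - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    struct.pack_into("<Q", buf, ft_off, filetime)
    struct.pack_into("<I", buf, cnt_off, run_count)
    return bytes(buf)


SAMPLE_XP = build_sample(17, "LAUNCHU3.EXE", datetime(2007, 2, 13, 5, 52, tzinfo=timezone.utc), 3)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XP
    print(parse_prefetch(data))
```

Run it with a path to a .pf file to parse that file; with no argument it parses the constructed sample.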