Can you tell if a USB storage drive was plugged into a specific computer?
Data exfiltration (and data introduction) through USB storage devices is a plausible concern in a wide range of situations. Whether an employee is leaving your company, new malware has found its way onto your system, or you simply want to know whether any USB drives have been plugged in, Windows offers a collection of useful USB system artifacts!
The shorthand answer:
Yes! Windows Vista and onward contain numerous system files that track every USB storage device that is inserted into the machine. An investigator is often able to uncover retained data such as:
- Vendor, product, and revision of the storage drive
- The serial number of the storage drive
- The date the storage drive was first and last inserted
- The date the storage drive was last removed
- Whether the drive was successfully mounted or not
- The volume letter of the drive and which user mounted it
How will we do this?
A large majority of everyday users are unaware that any information is kept about USB storage drives, which suggests they may be less hesitant about plugging them in. Using the registry artifacts “USBSTOR”, “MountedDevices”, and “MountPoints2”, we have a good chance of revealing whether a USB storage drive was plugged into a Windows machine. I will be using Eric Zimmerman’s Registry Explorer for this overview, but any other registry tool will let you find the same data. If the Windows Registry is not an option for you, USB-related information can also be found in Setupapi, Windows event logs, LNK files, Jumplist files, shellbags, and prefetch.
Our focus on the USBSTOR data will shift depending on the details of the investigation. If you only want to know whether a particular USB drive was inserted into the machine, you can focus primarily on the drive name and its serial number/unique identifier. However, if you are investigating theft of intellectual property, you will also want the last arrival date and the last removal date alongside the drive name and serial number/unique identifier.
All USB storage drives that are plugged into the computer are logged within the USBSTOR registry key in the form “Type&Ven_xxxx&Prod_xxxx&Rev_xxxx”, representing the type of drive, vendor of the drive, product, and revision number. After extracting the SYSTEM registry hive (this can be done with FTK Imager), the USBSTOR container can be found at the path “Root/ControlSet001/Enum/USBSTOR/” (the active control set number is recorded in the hive’s Select key, so check it if ControlSet001 is not the current one). If a drive is present in this registry key, then it has been inserted by a user account on the system. It is possible to delete USBSTOR information using programs such as CCleaner, so it is also beneficial to look for the presence of any such programs on the system.
Using Zimmerman’s tool, each USB device is represented as its own directory, with nested directories that hold further data about the drive. For instance, figure 1 shows a nested folder within the USB device directory we are focusing on. The highlighted name of this directory is the serial number of the USB drive. However, if the second character in the string is an “&”, then the drive reported no serial number and the system created a unique identifier in its place. As you can see, the “&” is present as the second character, so this is a system-created unique identifier for the drive.
Figure 1: The unique identifier of our USB Drive is highlighted
When you click on this directory, more valuable information is shown in the active pane of the tool (see figure 2). Traveling further into the nested directories will reveal:
- The Disk ID (found in the Partmgr folder)
- Drive data (found in dir 02)
- Date of drive first install (found in dir 64)
- Date of install (found in dir 65)
- Date of last arrival (found in dir 66; see figure 3)
- Date of last removal (found in dir 67)
*It is a good idea to make a note of the Disk ID of the USB drive of interest, as it will be used to link the other data sets together.
Figure 2: More friendly info about the drive
Figure 3: The last time this device was removed from the system
In MountedDevices (also found in the SYSTEM hive) you will find a list of all volumes that have been mounted on that machine along with their Disk ID. Data like this is useful for confirming that a USB storage drive was inserted into the machine and successfully mounted. As you can see in figure 4, the Disk ID found in USBSTOR’s Partmgr is displayed in this artifact, along with the same drive name information in the hex interpreter. Right below it, we see the volume letter “E”, which contains the same drive information in its hex interpreter. This drive was therefore inserted into the system and took ownership of the drive letter “E”. However, we still do not know which user account on the system mounted this drive. We can determine that by looking at MountPoints2 within NTUSER.dat.
Figure 4: Disk ID value ties the drive to the volume letter “E”.
All volumes that have been mounted by a particular user can be found within MountPoints2, listed by the Disk ID of the device that owns the volume letter. Up to this point, all USB drive information has come from non-user-specific areas, meaning any user account on the system could have inserted the USB drive. Since MountPoints2 is found within the NTUSER.dat file, we can link everything found there to the particular user account we are investigating. Using the same Disk ID we found in USBSTOR, we can find the directory associated with the mounted volume of this USB device (see figure 5).
Figure 5: The presence of this Disk ID means the USB device was mounted by this user
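As an added example (not code from the original post), the following Python script applies the rules above to constructed data: it parses a USBSTOR key name, applies the second-character “&” test for a system-generated identifier, decodes the FILETIME values stored under the 0064–0067 property directories, and follows one device from USBSTOR into MountedDevices and then MountPoints2. It assumes that MountedDevices values hold the UTF-16LE device path and that MountPoints2 subkeys reuse the volume GUID listed in MountedDevices; every sample value, the device, instance id, GUIDs and timestamp, is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# USBSTOR subkey layout described in the post: Type&Ven_xxxx&Prod_xxxx&Rev_xxxx
DEVICE_RE = re.compile(r"^([^&]+)&Ven_([^&]*)&Prod_([^&]*)&Rev_(.*)$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_device_key(name):
    """Split a USBSTOR device key into type, vendor, product and revision."""
    m = DEVICE_RE.match(name)
    if not m:
        raise ValueError(f"not a USBSTOR device key: {name}")
    return dict(zip(("type", "vendor", "product", "revision"), m.groups()))

def is_generated_id(instance_id):
    """An '&' as the second character means Windows made the id up (no serial)."""
    return len(instance_id) > 1 and instance_id[1] == "&"

def filetime_to_utc(filetime):
    """The 0064-0067 property values are FILETIMEs: 100 ns ticks since 1601 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def correlate(device_key, instance_id, mounted_devices, mountpoints2):
    """Follow one USBSTOR instance into MountedDevices, then into MountPoints2.
    mounted_devices: {value name: raw bytes}; mountpoints2: set of subkey names.
    Assumes (not stated in the post) that MountedDevices data is the UTF-16LE
    device path and that MountPoints2 subkeys are named by the volume GUID."""
    prefix = f"\\??\\USBSTOR#{device_key}#{instance_id}#"
    letters, volumes = [], []
    for value_name, raw in mounted_devices.items():
        path = raw.decode("utf-16-le").rstrip("\x00")
        if not path.startswith(prefix):
            continue
        if value_name.startswith("\\DosDevices\\"):
            letters.append(value_name[-2])           # "\DosDevices\E:" -> "E"
        elif value_name.startswith("\\??\\Volume"):
            volumes.append(value_name[len("\\??\\Volume"):])  # "{guid}"
    return {"letters": letters, "volumes": volumes,
            "user_mounted": [v for v in volumes if v in mountpoints2]}

# Constructed sample data: one drive whose instance id is system-generated.
DEVICE = "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00"
INSTANCE = "7&1a2b3c4d&0&_&0"
VOLUME_GUID = "{8f9c1d2e-0000-4000-8000-000000000001}"
_PATH = (f"\\??\\USBSTOR#{DEVICE}#{INSTANCE}#"
         "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
SAMPLE_MOUNTED = {f"\\??\\Volume{VOLUME_GUID}": _PATH, "\\DosDevices\\E:": _PATH}
SAMPLE_MOUNTPOINTS2 = {VOLUME_GUID, "##fileserver#share"}
SAMPLE_LAST_ARRIVAL = 132602778000000000  # constructed FILETIME (0066 value)
```

Calling `correlate(DEVICE, INSTANCE, SAMPLE_MOUNTED, SAMPLE_MOUNTPOINTS2)` on the sample data reports drive letter E, the volume GUID, and that the same GUID appears in the user's MountPoints2, which is the chain the three figures above walk by hand.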
USB drives can be very beneficial for everyday tasks, but can be used maliciously in many ways. By properly traversing the registry artifacts, an investigator is able to determine the presence and potential actions of USB drives on the system.