Page 1: File000152

Module XXXIX – USB Forensics

Page 2: File000152

Copyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

News: Taiwan on High Alert After Military Leak

Source: http://www.iol.co.za/

Page 3: File000152


News: Boeing Worker’s Data Case Goes to Jury

Source: http://seattletimes.nwsource.com/

Page 4: File000152


Module Objective

This module will familiarize you with:

• Universal Serial Bus (USB)
• USB Flash Drive
• Misuse of USB
• USB Forensics
• USB Forensic Investigation
• Forensic Tools

Page 5: File000152


Module Flow

Universal Serial Bus (USB)

USB Flash Drive

Misuse of USB

USB Forensics

USB Forensic Investigation

Forensic Tools

Page 6: File000152


Universal Serial Bus (USB)

USB is the serial bus standard used to interface devices with a host computer

It allows many peripherals to be connected to a host computer through a single standardized interface socket

It is generally used to connect computer peripherals such as mice, keyboards, PDAs, gamepads and joysticks, scanners, digital cameras, printers, personal media players, and flash drives

Page 7: File000152


USB Flash Drive

A USB flash drive is a portable, rewritable data storage device integrated with a USB interface

It is supported by modern operating systems such as Windows, Mac OS X, Linux, and other Unix-like systems

A USB 2.0 flash drive reads at up to 30 MB/s and writes at about 15 MB/s

There are four parts of a flash drive:

• Male type-A USB connector
• USB mass storage controller — implements the USB host controller
• NAND flash memory chip
• Crystal oscillator — produces the device's main 12 MHz clock signal and controls the device's data output through a phase-locked loop

Page 8: File000152


Screenshot: USB Flash Drive

Page 9: File000152


Misuse of USB

Data theft:

• A crime in which critical company information is leaked using a USB flash drive

Installing malicious programs:

• USB devices can be used to propagate and install malicious programs such as viruses, Trojans, spyware, and rootkits, which can damage information and other computer resources

Page 10: File000152


USB Forensics

USB forensics is the technique of recovering and analyzing digital evidence from a USB flash drive and the affected computer in a forensically sound manner

It helps forensic investigators to:

• Find the date and time of the data theft
• Identify the person who installed the malicious program
• Collect the data stored on the USB device
• Collect information about the data leaked from the computer
• Trace the criminals who committed the crime using the USB flash drive

Page 11: File000152


USB Forensic Investigation

Secure and evaluate the scene

Document the scene

Image the computer and USB device

Acquire the data

Examine the computer

Analyze the USB

Generate reports

Page 12: File000152


Secure and Evaluate the Scene

Ensure that only authorized persons handle the scene

Handle USB evidence properly to preserve physical evidence such as fingerprints

Interview the owner of the USB device and ask for any security code or password needed to access its contents

Do not allow the suspects to handle the USB device or the computer

Search the surrounding area and rooms beyond the one where the device was found

Page 13: File000152


Document the Scene and Devices

Document the state of each device and of every computer that is synchronized with it

Record the location and condition of the USB device, computers, storage media, and other digital devices

Refer to non-electronic evidence such as invoices, manuals, and packaging material, which may provide information about the USB device's capabilities and unlocking code

Document the date and time at which each item of evidence was collected

Photograph the crime scene, including the USB device, cables, cradles, power connectors, and computer

Avoid touching the USB device while photographing

Maintain a chain of custody

Page 14: File000152


Image the Computer and USB Device

Prepare a bit-by-bit copy of the memory and configuration of the affected computer using a tool such as SafeBack

Create an image of the USB flash drive using USB Image Tool 1.31

Use hashing techniques such as MD5 to check that the imaged data matches the original
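The integrity check above, as an added example that is not part of the module or of the imaging tools it names: a Python script that hashes a source and its image in fixed-size chunks (so an image larger than memory can be verified) and reports whether the digests agree. It computes SHA-256 alongside the MD5 the slide suggests, because MD5 collisions are practical today and an integrity check should not rest on MD5 alone. The "device" and "image" files are constructed temporary files standing in for a real device and its image, and all function names are this example's own.

```python
"""Verify a forensic image against its source by hashing both (added example)."""
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # 1 MiB reads keep memory use flat on large images


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for the file at path, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source_path, image_path):
    """Hash source and image and report whether every digest matches.

    A mismatch in either MD5 or SHA-256 means the image is not a faithful copy;
    both digests are recorded so the report can be re-verified later.
    """
    source = hash_file(source_path)
    image = hash_file(image_path)
    return {
        "source": source,
        "image": image,
        "size_bytes": os.path.getsize(image_path),
        "match": all(source[a] == image[a] for a in source),
    }


def demo(corrupt=False):
    """Build a constructed 'device' and 'image'; optionally flip one byte in the image."""
    data = bytes(range(256)) * 4096  # 1 MiB of constructed sample content
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "device.bin")
        img = os.path.join(tmp, "device.img")
        with open(src, "wb") as fh:
            fh.write(data)
        image_bytes = bytearray(data)
        if corrupt:
            image_bytes[12345] ^= 0xFF  # simulate a single bad byte in the image
        with open(img, "wb") as fh:
            fh.write(image_bytes)
        return verify_image(src, img)


if __name__ == "__main__":
    for flag in (False, True):
        result = demo(corrupt=flag)
        print("corrupt=%s match=%s md5=%s" % (flag, result["match"], result["image"]["md5"]))
```

Run against real evidence, `verify_image` would be pointed at the device node and the image file; the digests it returns belong in the examination report next to the image so that anyone can repeat the check.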

Page 15: File000152


Acquire the Data

Collect all the data from the USB image and the computer devices

You can use these recovery tools to recover deleted files:

• Bad Copy Pro
• Data Doctor Recovery

Page 16: File000152


Check Open USB Ports

Option 1: Go to Device Manager (the screenshot shows an open port and a closed port)

Option 2: In Registry Editor, locate and then click the following registry key:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor

In the details pane, double-click Start

In the Value data box, 3 denotes enabled USB storage; other values indicate that USB storage is disabled

Page 17: File000152


Examine Registry of Computer: USBSTOR

Footprints or artifacts are created in the registry when a USB device is connected to a Windows system

The Plug and Play (PnP) Manager queries the device descriptor in the device's firmware for information about the device

After identification, a registry key is created beneath the following key:

• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR

Subkeys beneath this key look like:

• Disk&Ven_###&Prod_###&Rev_###

Page 18: File000152


Examine Registry of Computer: DeviceClasses

Navigate to the following key:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses

The value iSerialNumber is a unique instance identifier for the device

It is similar to the MAC address of a network interface card

The ParentIdPrefix value can be used to correlate additional information from within the registry

The ParentIdPrefix is used to determine when the USB device was last connected to the Windows system

Page 19: File000152


Examine Registry of Computer: MountedDevices

The path to MountedDevices is:

• HKEY_LOCAL_MACHINE\System\MountedDevices

The MountedDevices key stores information about the various devices and volumes mounted to the NTFS file system

Use the ParentIdPrefix value found within the unique instance ID key to map the entry from USBSTOR to MountedDevices
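The three registry locations discussed in this module (the Services\UsbStor Start value, the Enum\USBSTOR device and instance keys, and MountedDevices) and the ParentIdPrefix correlation between USBSTOR and MountedDevices, as an added Python example that is not part of the module: it parses an exported .reg file offline rather than touching the live registry, so it can be run over an export taken from the imaged computer. The .reg text, the vendor and product names, the serial number, the ParentIdPrefix and the volume GUID in it are constructed sample values, and every function name is this example's own. One point the slides do not state is coded in as a flag: when a device reports no iSerialNumber, Windows generates the instance ID itself, and such generated IDs have `&` as their second character and therefore do not identify one physical stick.

```python
"""Parse a Windows .reg export for the USB artifacts named in the slides (added example)."""
import re

SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor"
USBSTOR_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
MOUNTED_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices"
# Device-class subkey format from the slides: Disk&Ven_###&Prod_###&Rev_###
DEVICE_ID_RE = re.compile(r"^Disk&Ven_([^&]*)&Prod_([^&]*)&Rev_([^&]*)$")


def utf16le_hex(text):
    """MountedDevices data is REG_BINARY UTF-16LE; render it in .reg 'hex:' form."""
    return ",".join("%02x" % b for b in text.encode("utf-16-le"))


# Constructed sample data: "7&1a2b3c4d&0" is a made-up ParentIdPrefix, the serial
# and volume GUID are made up too.  Real exports wrap long hex lines; this one does not.
VOLUME_DEVICE = r"\??\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
SAMPLE_REG = "\n".join([
    "[" + SERVICE_KEY + "]",
    '"Start"=dword:00000003',
    "[" + USBSTOR_ROOT + r"\Disk&Ven_ExampleCo&Prod_Flash_Disk&Rev_1.00]",
    "[" + USBSTOR_ROOT + r"\Disk&Ven_ExampleCo&Prod_Flash_Disk&Rev_1.00\0123456789ABCDEF&0]",
    '"FriendlyName"="ExampleCo Flash_Disk USB Device"',
    '"ParentIdPrefix"="7&1a2b3c4d&0"',
    "[" + MOUNTED_KEY + "]",
    '"\\\\DosDevices\\\\E:"=hex:' + utf16le_hex(VOLUME_DEVICE),
    '"\\\\??\\\\Volume{11111111-2222-3333-4444-555555555555}"=hex:' + utf16le_hex(VOLUME_DEVICE),
])


def parse_reg(text):
    """Return {key_path: {value_name: (kind, data)}} for an exported .reg file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name = m.group(1).replace("\\\\", "\\").replace('\\"', '"')  # undo .reg escaping
        data = m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = ("dword", int(data[6:], 16))
        elif data.startswith("hex:"):
            keys[current][name] = ("hex", bytes.fromhex(data[4:].replace(",", "")))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = ("sz", data[1:-1].replace("\\\\", "\\"))
    return keys


def usbstor_service_state(keys):
    """Interpret Services\\UsbStor\\Start: 3 = enabled (demand start), 4 = disabled."""
    start = keys.get(SERVICE_KEY, {}).get("Start")
    if start is None:
        return "unknown (Start value absent)"
    return {3: "enabled", 4: "disabled"}.get(start[1], "unexpected Start=%d" % start[1])


def usbstor_devices(keys):
    """One record per USBSTOR instance key: vendor/product/revision, serial, ParentIdPrefix."""
    devices, prefix = [], USBSTOR_ROOT.upper() + "\\"
    for path, values in keys.items():
        if not path.upper().startswith(prefix):
            continue
        parts = path[len(prefix):].split("\\")
        if len(parts) != 2:
            continue  # the device-class key itself carries no instance data
        m = DEVICE_ID_RE.match(parts[0])
        if not m:
            continue
        instance = parts[1]
        devices.append({
            "vendor": m.group(1), "product": m.group(2), "revision": m.group(3),
            "serial": instance,
            # '&' as second character means Windows generated the ID (no iSerialNumber)
            "serial_is_device_reported": len(instance) > 1 and instance[1] != "&",
            "friendly_name": values.get("FriendlyName", (None, None))[1],
            "parent_id_prefix": values.get("ParentIdPrefix", (None, None))[1],
        })
    return devices


def mounted_volumes(keys):
    """Decode MountedDevices values (REG_BINARY UTF-16LE) to device name strings."""
    return {name: data.decode("utf-16-le", errors="replace")
            for name, (kind, data) in keys.get(MOUNTED_KEY, {}).items() if kind == "hex"}


def correlate(keys):
    """Attach to each USBSTOR instance the MountedDevices entries carrying its ParentIdPrefix."""
    volumes, results = mounted_volumes(keys), []
    for dev in usbstor_devices(keys):
        needle = "#%s&" % dev["parent_id_prefix"] if dev["parent_id_prefix"] else None
        mounted = [name for name, devname in volumes.items() if needle and needle in devname]
        results.append(dict(dev, mounted_as=sorted(mounted)))
    return results


if __name__ == "__main__":
    reg = parse_reg(SAMPLE_REG)
    print("USB storage service:", usbstor_service_state(reg))
    for record in correlate(reg):
        print(record)
```

On the constructed export, `correlate` ties the single instance key to both the `\DosDevices\E:` drive-letter entry and the `\??\Volume{...}` entry because both MountedDevices values embed the instance's ParentIdPrefix; on a real export the same join tells you which drive letter a given stick was mounted as, which is the link the slide asks you to make by hand.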

Page 20: File000152


Generate Reports

Note the name of the investigator

List of evidence gathered

Documents of the evidence and other supporting items

List of tools used for investigation

Devices and setup used in the examination

Brief description of the examination steps

Details about the findings:

• Information about the USB data
• Computer-related evidence
• Data and image analysis

Conclusion of the investigation

Page 21: File000152


USB Forensic Tools: Bad Copy Pro (http://www.jufsoft.com/)

Bad Copy Pro recovers deleted files, formatted drives, and data lost through damage, media errors, and bad sectors of the USB flash drive

It is safe data recovery software that performs read-only operations on the USB flash drive and saves the recovered files

Page 22: File000152


Data Doctor Recovery (http://www.datadoctor.in/)

Data Doctor Recovery supports major USB device manufacturers such as Super Flash, Kingston, Samsung, Transcend, Sony, and other recent series

The software is simple to use and provides a user-friendly interface

Features:

• Recovers lost files including jpg, jpeg, gif, bmp, mpeg, and other stored records

• Supports USB drives including pen drives, Zip drives, SD cards, PC cards, flash memory, etc.

• Scans and transfers data to a safe location according to the preloaded file structure

• Recovers data damaged by software virus attacks

Page 23: File000152


Data Doctor Recovery: Screenshot

Page 24: File000152


USB Image Tool (http://www.alexpage.de/)

USB Image Tool is freeware that can create images of USB memory sticks

Features of USB Image Tool:

• Creates image files of USB drives
• Restores images of USB drives
• Compressed image file format
• Shows USB device information
• Manages favorite USB images

Page 25: File000152


USB Image Tool: Screenshot

Page 26: File000152


USBDeview (http://www.nirsoft.net/)

USBDeview is a small utility that lists all USB devices that are currently connected to your PC or have been connected to it in the past

Along with the device's name and description, it displays the serial number, the dates the device was added and last connected, the VendorID, and other information

It can also be used to gather USB device information from a remote computer via the command line

Page 27: File000152


USBDeview: Screenshot

Page 28: File000152


Summary

USB is the serial bus standard used to interface devices with a host computer

A USB flash drive is a portable, rewritable data storage device integrated with a USB interface

USB forensics is the technique of recovering and analyzing digital evidence from a USB flash drive and the affected computer under forensically sound conditions

Footprints or artifacts are created in the registry when a USB device is connected to a Windows system

USB CopyNotify is a software utility that notifies you when a USB stick is being used on any of the PCs on the network
