Blog: SANS Digital Forensics and Incident Response Blog

USB Key Analysis vs. USB Drive Enclosure Analysis

Computer Forensic Guide To Profiling USB Drive Enclosures on Win7, Vista, and XP


There has been much talk about USB Device Forensic Analysis. Many assume that analyzing a USB Key will be the same as analyzing a USB Drive Enclosure (e.g. USB Key Analysis = USB Drive Enclosure analysis). This is inaccurate.

[Images: a USB drive enclosure (external) and a USB key/thumbdrive]

The fundamentals of examining a USB Key and a USB Drive Enclosure are similar, but each has unique properties that require a different set of guidelines to account for the differences. I have created a new guide, which you can download at the bottom of this post, that will step you through how to forensicate USB Drive Enclosures on XP, Vista, and Win7.

The fundamentals of the USB examinations are the same with a couple of key exceptions.

1. There will not be a ParentIDPrefix created for these devices.

2. You cannot figure out the device GUID by searching for the serial number in the SYSTEM\MountedDevices key.

MBR Disk Signatures


The information that is needed is the MBR Disk Signature, a 4-byte value located in the MBR. I have not had the chance to test this with a GPT table, but according to the fifth edition of Windows Internals, Windows is supposed to use a GUID for GPT disks rather than a signature from the disk itself.

How does this work? The MBR Disk Signature is written in the MBR at decimal offset 440. Windows keeps these signatures in HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices to connect disk partitions to drive letters. The 4-byte value is written to the disk itself; if the disk does not already have an MBR Disk Signature, Windows will create one for it.

Example 1:

Here is the first example:

[Image: MBR Disk Signature found at decimal offset 440]

Opening the registry key HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices, we will locate the signature in one of the drive letter or volume GUID values found there:

[Image: HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices in a registry viewer]

Once we have located the key, we can find the MBR Disk Signature in the MountedDevices key:

[Image: MBR Disk Signature found in the registry]

You can see the value is 5e 82 A0 EC. However, you might be wondering about the 8 bytes of information that immediately follow it. Those bytes (00 00 10 00 00 00 00 00) are the byte offset of the beginning of the partition. If you read them as a little-endian integer and convert to decimal, the value stored in those 8 bytes = 1048576 bytes. Dividing by the sector size (512 bytes) gives sector address 2048. If you look in the MBR above, you can see that the first partition begins at sector address 00 08 00 00 = sector 2048. In other words, the last 8 bytes of the value stored in the registry key are the byte offset of the start of the partition itself; divide by the sector size to get back to the sector address.

Why is this? Simple. If a drive enclosure or disk drive has two or more partitions, they all share the same MBR Disk Signature. Therefore the last 8 bytes are needed for the operating system to tell one partition apart from another. In some cases you will see two entries with the exact same MBR Disk Signature that are two different partitions on the same drive.

Here is another example:

[Image: MountedDevices showing the same MBR Disk Signature for two partitions]

In the above example, we can see the MBR Disk Signature is a2 ee b2 28. One partition is located at byte offset 00 00 10 00 00 00 00 00 = 1048576 bytes; 1048576/512 = sector 2048. In the second entry, the second partition is located at byte offset 00 00 50 06 00 00 00 00 = 105906176 bytes; 105906176/512 = sector address 206848.

Example 2:

Here is the MBR Disk Signature found at decimal offset 440 in another drive enclosure:

[Image: MBR Disk Signature found at decimal offset 440]

The MBR Disk Signature is 42 AE 74 5C. We can also see that this is an NTFS partition (type 0x07) and that the partition begins at sector address 3f 00 00 00, i.e. sector 63. To convert that to a byte offset we multiply 63 * 512 bytes = 32256, which is 00 7e 00 00 00 00 00 00 as the 8-byte little-endian partition start.

So for the partition located in this disk image we should find a disk signature and partition beginning noted by the following: 42 AE 74 5C 00 7E 00 00 00 00 00 00

We will now look in HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices and compare the values there:

[Image: MountedDevices entry matching 42 AE 74 5C 00 7E 00 00 00 00 00 00]

As you can see above, we found it. The key is identifying the MBR Disk Signature; if needed, we can identify the specific partition by looking at the 8 bytes following it.

USB Drive Enclosure Examination Guide


Because of this new information, I have updated the USB Forensic Guide and created a new guide that follows this process on XP, Vista, and Win7.

The USB Drive Enclosure guide can be found here:

USB Drive Enclosure Guide


If you find any errors in the guide, please let me know. rlee@sans.org

Some caveats.

1. If you do not have the disk drive or enclosure when you begin forensication, I am still figuring out a way to map the GUID to the drive without knowing the MBR Disk Signature. If you have any thoughts on how to solve this challenge, please let me know. I am still looking for another way to do that without having the drive handy.

2. This guide assumes there is a single partition. If you have more than one partition, you will need to figure out the specific starting sector and convert it to a byte offset in 8-byte little-endian format to find the specific device in the MountedDevices key.

Forensicate Away!

This material was created as a part of SEC408: Computer Forensic Essentials. SANS Security 408: Computer Forensic Essentials focuses on the essentials that a forensic investigator must know to investigate core computer crime incidents successfully. You will learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that could be used internally or in civil/criminal litigation.

__________________________________________________________________________

Rob Lee is a Director for MANDIANT, a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. Government. Rob has over 13 years' experience in computer forensics, vulnerability discovery, intrusion detection and incident response. Rob is the lead course author and faculty fellow for the computer forensic courses at the SANS Institute. In his spare time, he is now pondering creating additional guides for eSATA and Firewire devices.

10 Comments

Posted September 10, 2009 at 2:20 PM

Sandro Sffert

Rob, thanks for the valuable information.

Your updated guides to USB Key Analysis and USB Drive Enclosure Analysis are very clear and useful for any examiner.

Sandro Sffert, ACE, EnCE, HTCIA
Brazilian IR and Computer Forensics Consultant
http://blog.suffert.com / http://www.forensedigital.com.br

Posted September 10, 2009 at 6:13 PM

Jimmy Weg

Good job on the USB drive/thumb postings! The only thing that I would add to this (Drive) topic is that you can have two drives with the same disk sig. I've seen this with a couple of identical models of WDs - might have been Passports.

Posted June 30, 2010 at 11:26 AM

Paul B. Ciaccio

Excellent information and nice to see all artifact locations are comprised into one paper - thanks.

I do agree with Jimmy - disk signatures are only unique when you have two, or more, USB devices attached to a system simultaneously, otherwise the OS can reassign the same disk sig to different USB devices. However, the disk sig is still a good artifact.

Posted December 21, 2010 at 7:24 PM

OMBM

Clear description from a Windows platform, but what about Mac OS X?

Posted January 17, 2011 at 4:44 PM

Jason McCollough

The link for the USB Forensic Guide is not working. Could you please post the correct link.

Thanks,

Jason McCollough

Posted January 19, 2011 at 12:50 PM

Dan B

You state for XP, the Last Time Device connected can only be found using the NTUSER//Software/Microsoft/Windows/CurrentVersion/Explorer/MountPoints2/{GUID} -> Perform search for Device GUID.

Is this correct? I understand that, in relation to the GUID subkeys found beneath the MountPoints2 key, the last write time is in fact reflective of the time of its original creation and therefore cannot be used to determine the last time a device was connected, as suggested in your useful guide...

In a circumstance where the USB device of interest is historic and that a subsequent device has been mounted with the same drive letter, I believe that the 2nd timestamp offered by RegRipper beneath the Enum\USBStor subkeys are a better indicator of when a device was last connected, notwithstanding that is in fact accurately related to the first insertion since the last reboot.

Posted January 19, 2011 at 2:00 PM

Rob Lee

mountpoints2 under the user's NTUSER.DAT is one of the easiest to use locations to determine last time of insertion. Sometimes people get this confused with the mounted devices key.

The best I can tell you is to test it as it is accurate. Also are you working with a drive enclosure or a USB key? The guides on this page are for drive enclosures only. Let me know if this has now changed. Thanks for the feedback.

Posted January 25, 2011 at 3:21 PM

Keith Custers

Hi Rob

Very useful information. THX!

As we often don't have the USB drive in our possession, I was blocked in your analysis procedure on step 4. So I found out on VISTA and Seven you can find the disk ID under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk

Posted February 05, 2013 at 1:48 PM

Joe Rauen

I know this is an old post, but I'm currently working on a case and we have identified a Disk Enclosure, on an XP System, that we are trying to associate a drive letter to it. We currently don't have the disk enclosure drive itself so we can't look at the MBR for the Disk ID. Is this information stored anywhere else on the actual XP System drive? I see someone has found it on a Vista and 7 system. I've also looked at all .lnk files with no success so far.

Thanks in advance!

