SANS Digital Forensics and Incident Response Blog

The NOISY U3 Thumb Drive File Access behavior in Windows

So I have a timeline analysis. What file activity should I see when someone inserts a U3 type USB thumb drive in a computer? And why should I care?

I care because files accessed on the hard drive, or entries in the "Recent Documents" history, may tie directly to the time the thumb drive was plugged in. It turns out that U3 thumb drives run programs and write logs when plugged in, so files on the host are being created and modified the whole time the drive is inserted. Not only that, but cleanup routines run after it is pulled out, whether the user exits the U3 launcher cleanly or just jerks the drive out.

You may wish to corroborate other evidence you have, from the registry for example, concerning the insertion of a particular drive. Or you may find files or file remnants that give you more information about the thumb drive that was inserted. To understand what happens on insertion, and to know where to look for files, I used Filemon [1] and recorded the file activity that occurred as the drive was inserted. Because unrelated file activity is going on at the same time, you have to filter to find what you need.

For further flexibility for querying, filtering, or otherwise sorting it all out, you can load the Filemon log file into a database, such as MS Access, for further analysis. This gives you very flexible and quick sorting, filtering, viewing, and reporting capabilities. But let's conduct the experiment and see what Filemon looks like first.

When you run Filemon, capturing starts immediately by default. Here is a screen shot taken after I clicked on the magnifying glass, which stopped the capture process on my computer.
[Screenshot: Filemon main window with capture stopped]
Note that you have data fields that indicate a sequential number, time of access, process that caused the file access, type or "Request" of access, the full path of the file accessed, the result of the access attempt, and information about what part of the file was accessed.

The next step, after stopping the capture, is to clear the screen and get ready to record the results of our test. First, set the filter. I have discovered that all you need to use is "*U3*" for your filter to get relevant activity. So, click on the filter button and key in your filter string as in the example below.

[Screenshot: Filemon filter dialog with the include filter set to *U3*]

Then, in this order, click on the capture button to start recording and insert the U3 thumb drive, let Filemon run for a minute until the activity slows down, then remove the drive. In the space between 8:05:24 and 8:06:32 on my computer, I had over 8500 entries in Filemon. Many are the same file(s) being accessed repeatedly, of course. Knowing this behavior will be helpful when examining a computer where the user inserted a U3 thumb drive, especially for your timeline analysis.

Here is a shot of what I came up with. The first entries show what happened immediately after insertion.

[Screenshot: Filemon entries recorded immediately after insertion]

Later in the capture, a U3Launcher.log file is created under the user's profile in Local Settings\Temp and is updated regularly while the drive is in. The log from the last use remains in the Temp directory unless the user deletes it. Here is a shot of a few lines from that log. Note the dates, times, serial numbers, and other relevant information.

[Screenshot: lines from U3Launcher.log showing dates, times and serial numbers]

Fortunately, Filemon has a "save as" capability where it creates a tab delimited text file that is easily imported into other software. You can see below that the file extension is .LOG. You may have to rename the file to .TXT or .CSV for your database or spreadsheet to see it.

[Screenshot: Filemon "Save As" dialog writing a .LOG file]

I imported the file into Microsoft Access and did further queries, filtering, and sorting. I changed the name filename.log to filename.txt so Access would read it, then imported the file. However, you can tell a lot just from looking through the results of your Filemon experiment on screen.
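As an added example, and not code from the post or from the U3 vendor, the following Python script does the post-capture work in code rather than in Access: it parses a saved Filemon log, applies the same "*U3*" include filter (here as a case-insensitive match on the process and path columns), reports the first and last U3 timestamps, counts entries per process, lists the U3Launcher.log writes and the cleanup.exe tail, and checks a few timeline entries against the window. The log lines and timeline entries are constructed in the layout the post describes (sequence, time, process, request, path, result, other); the user name, PIDs, paths and offsets are made up, and the script assumes Filemon's time column is a 12-hour clock with no date, so all entries must come from one day.

```python
"""Parse a Filemon 'Save As' log, isolate the U3 activity, and use the
insertion window to corroborate a timeline.

Added example; this is not code from the original post. It assumes the
tab-delimited layout the post describes (sequence, time, process, request,
path, result, other) and that the time column is a 12-hour time of day with
no date, so every entry must come from the same day.
"""
import csv
import io
from collections import Counter
from datetime import datetime

FIELDS = ("seq", "time", "process", "request", "path", "result", "other")

# Constructed sample in the shape of a saved Filemon log. Process IDs, user
# name, paths and offsets are made up for this example; this is not the
# post's capture. Lines 4 and 6 are unrelated noise that a "*U3*" filter drops.
SAMPLE_LOG = (
    "1\t8:05:24 AM\texplorer.exe:1244\tOPEN\tF:\\LaunchU3.exe\tSUCCESS\tOptions: Open  Access: Execute\n"
    "2\t8:05:24 AM\tLaunchU3.exe:3012\tCREATE\tC:\\Documents and Settings\\jdoe\\Local Settings\\Temp\\U3Launcher.log\tSUCCESS\tOptions: OverwriteIf  Access: Write\n"
    "3\t8:05:25 AM\tLaunchU3.exe:3012\tWRITE\tC:\\Documents and Settings\\jdoe\\Local Settings\\Temp\\U3Launcher.log\tSUCCESS\tOffset: 0 Length: 412\n"
    "4\t8:05:25 AM\tsvchost.exe:1032\tOPEN\tC:\\WINDOWS\\system32\\drivers\\etc\\hosts\tSUCCESS\tOptions: Open  Access: Read\n"
    "5\t8:05:40 AM\tLaunchU3.exe:3012\tWRITE\tC:\\Documents and Settings\\jdoe\\Local Settings\\Temp\\U3Launcher.log\tSUCCESS\tOffset: 412 Length: 96\n"
    "6\t8:06:10 AM\texplorer.exe:1244\tOPEN\tC:\\Documents and Settings\\jdoe\\My Documents\\budget.xls\tSUCCESS\tOptions: Open  Access: Read\n"
    "7\t8:06:31 AM\tcleanup.exe:3400\tOPEN\tC:\\Documents and Settings\\jdoe\\Local Settings\\Temp\\U3\\temp.dat\tSUCCESS\tOptions: Open  Access: All\n"
    "8\t8:06:32 AM\tcleanup.exe:3400\tDELETE\tC:\\Documents and Settings\\jdoe\\Local Settings\\Temp\\U3\\temp.dat\tSUCCESS\t\n"
)

# Constructed (time, path) pairs standing in for a timeline export from the
# subject machine; only the middle two fall inside the U3 activity window.
SAMPLE_TIMELINE = [
    ("7:58:02 AM", "C:\\Documents and Settings\\jdoe\\My Documents\\notes.txt"),
    ("8:06:10 AM", "C:\\Documents and Settings\\jdoe\\My Documents\\budget.xls"),
    ("8:06:12 AM", "C:\\Documents and Settings\\jdoe\\Recent\\budget.xls.lnk"),
    ("9:14:33 AM", "C:\\Documents and Settings\\jdoe\\My Documents\\report.doc"),
]


def parse_filemon(text):
    """Return one dict per log line, keyed by FIELDS. Short rows are padded."""
    rows = []
    for raw in csv.reader(io.StringIO(text), delimiter="\t"):
        if not raw or not raw[0].strip().isdigit():
            continue  # blank line or a header row
        raw = (raw + [""] * len(FIELDS))[: len(FIELDS)]
        rows.append(dict(zip(FIELDS, raw)))
    return rows


def filter_u3(events, pattern="u3"):
    """Mirror the post's "*U3*" include filter as a case-insensitive
    substring match on the process and path columns."""
    p = pattern.lower()
    return [e for e in events if p in e["process"].lower() or p in e["path"].lower()]


def parse_time(s):
    """Filemon writes a 12-hour clock time with no date component."""
    return datetime.strptime(s.strip(), "%I:%M:%S %p").time()


def activity_window(events):
    """Earliest and latest timestamps among the filtered entries: the span
    from insertion through the cleanup tail that runs after removal."""
    times = sorted(parse_time(e["time"]) for e in events)
    return times[0], times[-1]


def process_name(proc):
    """Filemon shows 'image.exe:pid'; drop the pid so counts group by image."""
    return proc.rsplit(":", 1)[0]


def events_by_process(events):
    return Counter(process_name(e["process"]) for e in events)


def launcher_log_events(events):
    """Every touch of U3Launcher.log, in capture order."""
    return [e for e in events if e["path"].lower().endswith("\\u3launcher.log")]


def cleanup_events(events):
    """The cleanup.exe tail the post describes at the end of the capture."""
    return [e for e in events if process_name(e["process"]).lower() == "cleanup.exe"]


def corroborate(timeline, first, last):
    """Timeline entries (time string, path) whose time falls inside the U3
    window, inclusive; these are the files to examine next."""
    return [(t, p) for t, p in timeline if first <= parse_time(t) <= last]


if __name__ == "__main__":
    u3 = filter_u3(parse_filemon(SAMPLE_LOG))
    first, last = activity_window(u3)
    print(f"{len(u3)} U3-related entries between {first} and {last}")
    for proc, n in events_by_process(u3).most_common():
        print(f"  {proc}: {n}")
    for e in launcher_log_events(u3) + cleanup_events(u3):
        print(f"  {e['time']} {e['request']} {e['path']}")
    for t, path in corroborate(SAMPLE_TIMELINE, first, last):
        print(f"  in window: {t} {path}")
```

One caveat on the window: the last matching entries come from cleanup.exe, which runs after the drive is pulled, so a file touched near the end of the window may have been modified after the drive was already out. Treat the window as a lead to be checked against your other evidence, not as proof that the drive was present at that instant.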

Finally, and I find this interesting from a forensics standpoint, the U3 launcher cleans up after itself. It actually runs an application called "cleanup.exe." Here is a shot of the tail end of my Filemon experiment showing the last entries of the cleanup routine.

[Screenshot: final Filemon entries from cleanup.exe]

In short, U3 drives are extremely noisy and leave a wide trail of file activity. Information is changed elsewhere, as well, of course, in the registry, and in memory. But that will have to wait for another article. If you know the type of drive the user used in your case, you may wish to experiment with another thumb drive just like it to see what it does to another computer. Then you can compare data with the timeline analysis you pull from the subject computer.

J. Michael Butler, GCFA Gold #00056, is an Information Security Consultant employed by a Fortune 500 application service provider that processes approximately half of the $5 trillion of residential mortgage debt in the US. He is a certified computer forensics specialist. In addition, he authored the enterprise-wide security incident management plan and information security policies for his corporation.

[1] http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx (Filemon.exe by Mark Russinovich)

3 Comments

Posted December 16, 2008 at 2:40 PM

ahoog

Great write-up and analysis. I referenced this in the weblog I just posted. I tackled the U3 drive from the hardware level and wanted to also share my research with you and others. If you have a moment to check out:
http://chicago-ediscovery.com/computer-forensic-howtos/forensic-acquisition-analysis-u3-usb-drive.html
I would appreciate it. I'm hoping others in the field can help fill in some blanks.
-Andrew
http://chicago-ediscovery.com/

Posted January 5, 2009 at 10:56 AM

J. Michael Butler

Thanks for your comment, Andrew! I noticed that Thijs also left you a note pertaining to the research he has done. He provided me with a couple of links as well which I wanted to post for everyone. Here are the articles he pointed me to:
The first is called "Tackling the U3 trend with computer forensics" by Andy Spruill and Chris Pavan of Guidance Software. It can be bought on:
http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B7CW4-4N440CB-1&_user=10&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=46ecb47bdcc5cc19e368bc727e3c49ae
The second is called "Battling Anti-Forensics: Beating the U3 Stick" and has been written by myself (Thijs Bosschert). This one can be accessed for free on:
http://www.informaworld.com/smpp/content~content=a779634181~db=all~order=page
Hope this is helpful.
Thx,
jmb

Posted January 7, 2009 at 8:54 AM

J. Michael Butler

For my readers, Thijs Bosschert has sent me a link to another article written by R. Tank and P.A.H Williams called The Impact of U3 Devices on Forensic Analysis. Enjoy: http://scissec.scis.ecu.edu.au/conference_proceedings/2008/forensics/Tank%20Williams%20Impact%20of%20U3.pdf
jmb