This repository has been archived on 15/Aug/2019

Python script for extracting USB information from Windows registry hives

This project is out of date, and I don't have the time to update it. I would recommend an alternative such as https://usbdetective.com/

Introduction

usbdeviceforensics is a Python script that extracts numerous pieces of information about USB devices. It originally used a SANS blog post by Rob Lee to identify the operating system specific registry locations to read. It can now process multiple NTUSER.dat registry hives in one go.

The tool was originally a Windows-only .NET application, but I decided that a GUI was pointless for this application, so it was rewritten as a Python script.

It should be noted that whilst the information in the blog post is accurate, there is a caveat to be aware of. During my testing I found that an unknown process (probably an update) can update the Date/Time values across all keys, in particular the USBSTOR keys, so you may see the same Last Written Date/Time value on every device key. If you see this occurring, you obviously cannot rely on the values retrieved. All of the dates should be UTC.

Installation

This script needs the python-registry module created by Will Ballenthin.

Compilation (Windows)

  • Install cx_Freeze in the Python installation
  • Run the following command when in the source directory:

python setup.py build

Future Work

  • Allow timezone manipulation

Data Locations

The following outlines the key registry locations that are used to extract the information:

SYSTEM\CurrentControlSet\Enum\USBStor

This location provides the Vendor, Product and Version, SerialNo, ParentPrefixId and the USBStor Date/Time.

SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_yyyy\xxxxx\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000064\00000000\Data

This location holds a FILETIME value for the "Install Date".

SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_yyyy\xxxxx\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\00000065\00000000\Data

This location holds a FILETIME value for the "First Install Date" of the driver for that USB device.

SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_yyyy\xxxxx\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066

This location holds a FILETIME value for the "Last Arrival Date".

SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_&Prod_yyyy\xxxxx\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067

This location holds a FILETIME value for the "Last Removal Date" of the driver for that USB device.

SYSTEM\CurrentControlSet\Enum\USB

This location provides the Vid, Pid and the Enum\USB VIDPID Date/Time.

SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

This location provides the DeviceClasses Date/Time.

SYSTEM\MountedDevices

This location provides the Drive Letter, Guid and MountPoint.

Software\Microsoft\Windows Portable Devices\Devices

This location provides the Drive Letter and Volume Name.

SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt

This location provides the ReadyBoost related information (noted from the win4n6 mailing list).

NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

This location provides the Last Time Connected (MountPoints2 Date/Time).

Setupapi.log/setupapi.dev.log

This file provides the Install Date/Time.
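As an added example (not code from the usbdeviceforensics project), the following Python decodes the raw forms of three of the values listed above: the 8-byte FILETIME blobs under the Properties key, the Disk&Ven_&Prod_ subkey names under USBSTOR, and the UTF-16LE device path stored in a MountedDevices \DosDevices value, so a drive letter can be tied back to a vendor, product and serial. The sample values are constructed and the functions take bytes rather than a hive, so python-registry is not needed to run it.

```python
"""Decode the raw registry values behind the Data Locations listed above.
Every sample value below is constructed, not taken from a real hive."""
import re
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # ticks are 100 ns from here

def filetime_to_utc(raw: bytes) -> Optional[datetime]:
    """8-byte little-endian FILETIME as stored under Properties\\{83da6326-...}\\0064..0067.
    An all-zero value means 'never set', so return None rather than 1601-01-01."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be 8 bytes, got %d" % len(raw))
    (ticks,) = struct.unpack("<Q", raw)
    return None if ticks == 0 else FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

# Subkeys under Enum\USBSTOR are named Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
USBSTOR_KEY = re.compile(r"^Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$")

def parse_usbstor_key(name: str) -> dict:
    m = USBSTOR_KEY.match(name)
    if m is None:
        raise ValueError("not a USBSTOR disk key: %r" % name)
    return m.groupdict()

def parse_instance_id(instance: str) -> dict:
    """Instance subkey is '<serial>&<lun>'. A '&' as the second character means Windows
    generated the id because the device reported no unique serial number."""
    unique = len(instance) > 1 and instance[1] != "&"
    serial, _, lun = instance.partition("&") if unique else (instance, "", "")
    return {"serial": serial, "lun": lun, "unique_serial": unique}

# MountedDevices \DosDevices\X: values hold a UTF-16LE device path for USB volumes
MOUNTED = re.compile(r"^_\?\?_USBSTOR#(?P<key>[^#]+)#(?P<instance>[^#]+)#\{(?P<guid>[0-9a-f-]+)\}$", re.I)

def parse_mounted_device(raw: bytes) -> Optional[dict]:
    """Tie a drive letter back to its USBSTOR key and serial; None if not USB storage."""
    m = MOUNTED.match(raw.decode("utf-16-le").rstrip("\x00"))
    if m is None:
        return None
    out = parse_usbstor_key(m.group("key"))
    out.update(parse_instance_id(m.group("instance")))
    out["class_guid"] = m.group("guid").lower()
    return out

# Constructed samples standing in for values read with python-registry
SAMPLE_LAST_ARRIVAL = struct.pack("<Q", 132103008000000000)  # 2019-08-15 00:00:00 UTC
SAMPLE_DOSDEVICE_E = ("_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP"
                      "#001CC0EC3450BB40C7F60B6D&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
```

A device whose instance id starts with a digit followed by `&` has a Windows-generated id, so the same physical stick can appear under a different id on another machine; the `unique_serial` flag surfaces that before serials are compared across hosts.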

If more information is required, then refer to the original SANS blog posting.

Registry Date/Times

According to the SANS posting, the following date/time values carry different meanings depending on the OS:

Windows XP

First Time Connected After Last Reboot: DeviceClasses Date/Time
First Time Connected After Last Reboot: Enum\USB VIDPID Date/Time

Windows Vista

First Time Connected After Last Reboot: USBSTOR Date/Time
First Time Connected After Last Reboot: DeviceClasses Date/Time
Last Time Connected: Enum\USB VIDPID Date/Time

Windows 7

First Time Connected After Last Reboot: USBSTOR Date/Time
First Time Connected After Last Reboot: DeviceClasses Date/Time
Last Time Connected: Enum\USB Date/Time
