500.3 - USB & Shell Items

Question 1

Shell Item Artifact Attributes

Answer 1

• Type of Drive Target - Fixed, Removable, Netowork
• Path of Target File -
• Target Medata - MAC Timestamps, Size, MFT Record, Sequence #

Question 2

“Recent Docs” Shortcut Files (.lnk)

Answer 2

• Autocreated by Win in Recent Folder when a file is OPENED
• .lnk files point to = Target file MAC times, vol info (name, type, vol sn), orig path, fixed/ removable/ network target
• Non-exe generates generates 2 .lnk Files = 1. Target File & 2. Parent Folder of Target File
• MAX # of files - 149
• • Files edited in USB are in recent items folder under user account
• • Date Created = First Opened
• • Date Modified = Last Opened

Location

• Win7 - C:\Users|AppData\Roaming\Microsoft\Windows\Recent (Win7 ) &
• XP - Doc & Settings\user

Question 3

Windows 10 Recent Doc changes

Answer 3

• When a file is created, a LNK file will also be created in the RECENT folder
• Only when the user opens the fire will the LNK file be created
• Folder Creation = Link of Folder, Parrent Folder, & Grand parrent Folder
• File Creation = Link of Folder & File

Question 4

LeCMD.exe and lp.exe

Answer 4

• LeCMD.exe - LNK Explorer command line edition

- LNK file analysis and parsing be

Question 5

LNK File Data Structure

Answer 5

• Header & other info
  
  • Source file, source created, source modified, source accessed
  • Target created time, Modified time, and accessed time, target size, flags
• Link Info = Volume info = SN & drive type
• Target ID - Only shows if a flag is present
  
  • contains shell items that are similar to what is found in Shellbags
  • MFT info, timestamps, no absolute path
• Extra - Console properties, serialized property store structures

Question 6

Win 7 - Win 10 JumpLists

Answer 6

• Jumplists makes up both Destinations and Tasks
• Shows the most recent or frequently used media for an app
• Shows default tasks (pin app, start app, & close all windows of apps)
• Two types of Jumplists: Automatic & Custom

Question 7

Automatic Destinations

Answer 7

• Automatically created for each app by Windows - (Controled by the Window)
• Created when files are open in an app
• Found in Recents Folder
• List of Apps sorted by AppID (Unique identifier) & 16 digits of a name
• Files contain:
  
  • Creation Time = First exe w/ file Open
  • Mod Time = Last time of exe w/ file open

Location
- C:\Users(Profile)\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Question 8

Custom Destinations

Answer 8

• Created with specific development info from the app developer
• Found in Recents Folder
• Files contain:
  
  • Creation Time = First time item is added to the AppID / First exe of App
  • Mod Time = Last time an item was added to an AppID

Location
- C:\Users(Profile)\AppData\Roaming\Microsoft\Windows\Recent\CustomeDestinations

Question 9

AppIDs

Answer 9

• Unique Identifiers to the OS & App

Question 10

Shellbags

Tracking Folder/Directory Usage Win 7-10

Answer 10

• Shows folders that were access on the local Machine, Network, & Removeable Devices
• Evidence of previously existing/deletion/overwirte Folders
• When folders were accessed & by who

Location

- Explorer = USERCLASS.DAT\Local setting\Software\Microsoft\Windows\Shell\ Bags OR BagMRU
- Desktop - NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags OR BagMRU

Question 11

Shellbags - Based on Windows Explorer

Answer 11

• Only First time folder was opened / settings changed

- Example: Setting the window size, changing file viewing option, looking at thumbnails, sorting options

Question 12

Parsing Win7 - Win10 Shellbags / What do Shellbags consist of

Answer 12

• BagMRU = Desktop/Computer
  
  • Keys = Specific Drives (C:, E:, D:)
  • SubKeys = Users
  • Values = Which Folder is what

Question 13

Shellbags Analysis Key items

Answer 13

• MRUListEx indicator - Last Time directly accessed (Last key write time)
  
  • FAT/NTFS - File record & Sequence # allow you to separate drives
  • FAT32 = Sequence numbers NULL
  • NTFS = Sequence numbers Exists
  • Match returned device to directories accessed to make sure you are looking at the right device

Question 14

Purpose of USB Device Forensics

Answer 14

Removable Device Info

• Vendor/make/Version
• Serial #

User Information & Activity w/ USB Device

• Determine drive letter & volume name
• Find user that used the specific USB device
• Discover first time device was connected
• Determine last time device was connected
• Determine when device was moved

30 days of activity stored in Registry - USB & USBSTOR Keys

Question 15

Mass Storage Device (MSC)

*** USB Device Types

Answer 15

• Removable storage devices
  
  • external drives, thumb drives, MP3 player
• Mounts within Windows Explorer
  
  • Hard Disk Drives (Win7+)
  • Devices w/ removable storage (XP)
• Also referred to as UMS (USB Mass Storage)

Question 16

Picture Transfer Protocol (PTP)

*** USB Device Types

Answer 16

• Deals only with images, videos, and their associated metadata
• Unidirectional transfer of files - from device to computer but not back
• Mounting happens at the logical level - cannot see underlying filesystem
• Win XP and earlier using Windows Image Acquisition (WIA) handles PTP devices

Examples
- Cameras (images/videos), scanners, printers, smartphone, & tablets

Question 17

Media Transfer Protocol (MTP)

*** USB Device Types

Answer 17

• An improvement of PTP - involves portable media
• WinXP - MTP device shows up in WPD & appears in Window Explorer

Examples
- MP3 players, cameras, smartphones, & tablets

Question 18

Evidence of File Opening (USB)

Answer 18

• MSC = Create LNK file for all opened, Wins Recent Folder, MS Recent Folder, Jumplist Auto Dest
• MTP = May create LNK (depends on app/filetype), Some MTP LNK don’t point back to MTP source device but to WPDNSE folder on WIN 7/8 ONLY

Location
- C:\Users(Username)\AppData\Local\Tamp\WPDNSE{GUID}

Question 19

WPDNSE Folder - MTP Devices Win7/8

Answer 19

• Maintains copy of file opened from device,
• Folder is temp (reboot = gone),
• GUID folder mapping obtained from BagMRU in Shell bags for the MTP device

Location
- C:\Users(Username)\AppData\Local\Tamp\WPDNSE{FolderGUID}

Question 20

USBSTOR - MSC Devices (Removable)

Answer 20

• Used to track MSC USB devices that have been plugged into a machine
  
  • Identify vendor, product, version of USB
  • Unique USB device
  • Determine time plugged in (retained 30 Days )
• USBSTOR Serial Number - (No SN will have “&” in 2nd Character)

Location
- SYSTEM\CuurentControlSet\Enum\USBSTOR

Question 21

MSC, PTP, and MTP USB Enumeration

Answer 21

• VID & PID info ID
• Unique Device Serial # (Only MSC requires)
• Retained for 30 Days (Plug & Play Cleanup)

Locations
- SYSTEM\CuurentControlSet\Enum\USB

Question 22

Discover Volume name for MSC, MTP, PTP

Answer 22

• Logs the last drive letter & volume name for each device
• Can be linked to drive letters via LNK files

Locations
- SOFTWARE\Microsoft\Windows portable Devices\Devices

Question 23

Find User that used USB

Answer 23

• Using Volume GUID via searching for SN in Value Data (retained 30 Days)

Locations
- NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints

Question 24

MSC USB Device times to track

Answer 24

• First Connection
• Last Connection
• Removal Time

Question 25

Event Logs related to Time Tracking Removable devices

Answer 25

• System Log
• Event ID
• Timestamp
• Device Info - Captured by “plug and play”
• Device SN
• Status - error code

Question 26

Object Access: Audit Removable Storage (Win 8+)

Answer 26

• Logs every interaction/ device by user,
• Included folder, Filenames, & App,
• Successful & Failed are logged,
• NO hardware details
• Auditing Access to BYOD (logging removeable devices - ID: 4663)

Question 27

Volume Serial Number Analysis

Answer 27

• Lnk analysis contains Volume Type, V. Label/Name, & V. SN
• Used with Portable Device key & V. SN via EMDMgmt key you can prove a device had specific files, opened via Explorer in WS