Windows records every USB device that has been connected to it in the registry. These traces can be used to track the use of USB sticks or other external storage media, for example to clarify a data leak. This article is part of our "Data revealed" series.
Data leakage of trade secrets
You have discovered that trade secrets have been made accessible to third parties. After ruling out the possibility that the data was stolen via the Internet, it is assumed that the data was leaked using external storage media. To find out on which workstations unknown USB devices were connected, a forensic examination of the Windows registry can help.
In several places, the registry stores, among other things, the serial number and manufacturer ID of each connected device. This can be used to check which devices were used legitimately and which are unknown to the company. The computers identified this way can then be examined in more detail in a forensic analysis.
USB and USBSTOR
As described in a previous article, there are two important keys in the SYSTEM hive for USB devices. USB media suitable for data transfer are stored under the USBSTOR key; these and other USB devices can additionally be found under the USB key. Below USBSTOR are the keys for USB storage devices. In principle, each device gets its own subkey, but if several USB devices of the same type are used, they share the subkey. Exactly which device was connected can then be determined by its serial number.
USB devices that do not have a factory serial number are assigned a serial number generated by Windows. This can be recognized by the fact that the second character is an ampersand (&). Such entries cannot be uniquely assigned to any physical device. Under the Properties subkey, Windows stores the timestamps for the following events in three keys:
- First connection to the system
- Last connection to the system
- Last removal from the system
Using the serial number, the Vendor ID (VID) and Product ID (PID) of the device can be determined under the USB key.
Alternative source for serial numbers
If the serial number or a device cannot be traced under the USBSTOR key, there is the key Windows Portable Devices in the SOFTWARE hive, which also records used USB devices and keeps the serial number in the key name. The type of device can likewise be determined here, for example an Amazon Kindle, marked in red in this case, which was connected to the Windows computer under investigation. We will discuss this in more detail in another article.
Assignment of the drive letter
The serial number can be used to check which drive letter was assigned to the device. Under SYSTEM\MountedDevices, entries about the connected drives are recorded. Each drive or volume has a Globally Unique Identifier (GUID), which is stored together with the drive letter. These entries can now be searched for the serial number of the USB volume in question.
This procedure yields the GUID of the volume and, where present, the serial number of the device as well as the assigned drive letter. The drive letter can be used in the further course of the analysis to check what data was present on the drive.
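As an added example that is not part of the original article, the following Python code links a USBSTOR serial number to its drive letter and volume GUID by decoding MountedDevices values, and flags the Windows-generated serials described above (second character is an ampersand). It assumes the values were exported from the SYSTEM hive beforehand; the MountedDevices entries used below are constructed sample data, not from a real system.

```python
"""Link a USBSTOR serial to drive letter / volume GUID via MountedDevices values."""
import re
from typing import Optional

# USB volume entries in MountedDevices hold a UTF-16LE device path such as
# \??\USBSTOR#Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>#<serial>&<n>#{class-guid}
_USBSTOR_RE = re.compile(
    r"USBSTOR#Disk&Ven_(?P<vendor>[^&#]*)&Prod_(?P<product>[^&#]*)&Rev_(?P<rev>[^#]*)#"
    r"(?P<serial>[^#]+)#\{(?P<class_guid>[0-9a-fA-F-]+)\}"
)

def is_windows_generated_serial(serial: str) -> bool:
    """Devices without a factory serial get one from Windows; the tell is an
    '&' as the second character (e.g. '7&2a1b3c4d'), so it cannot identify a device."""
    return len(serial) > 1 and serial[1] == "&"

def strip_instance_suffix(serial: str) -> str:
    """USBSTOR instance names carry a trailing '&<n>' suffix ('SERIAL&0')."""
    return serial.rsplit("&", 1)[0] if re.search(r"&\d+$", serial) else serial

def parse_mounted_device(name: str, data: bytes) -> Optional[dict]:
    """Decode one MountedDevices value; returns None for non-USBSTOR entries
    (fixed disks store a binary MBR signature plus partition offset instead)."""
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    m = _USBSTOR_RE.search(text)
    if not m:
        return None
    return {"name": name, "vendor": m["vendor"], "product": m["product"],
            "serial": strip_instance_suffix(m["serial"])}

def find_drive_letter(mounted: dict, serial: str) -> dict:
    """Collect every drive letter and volume GUID recorded for the given serial."""
    result = {"letters": [], "volume_guids": []}
    for name, data in mounted.items():
        entry = parse_mounted_device(name, data)
        if entry is None or entry["serial"] != serial:
            continue
        if name.startswith("\\DosDevices\\"):
            result["letters"].append(name.rsplit("\\", 1)[1])
        elif name.startswith("\\??\\Volume{"):
            result["volume_guids"].append(name[len("\\??\\Volume{"):-1])
    return result

# Constructed sample of MountedDevices values (hypothetical, not real data).
_USB_PATH = ("\\??\\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00#"
             "4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE = {
    "\\DosDevices\\C:": bytes.fromhex("a0b1c2d3" + "00" * 8),  # fixed disk, binary
    "\\DosDevices\\E:": _USB_PATH.encode("utf-16-le"),
    "\\??\\Volume{9f2c1a54-3b6e-4d7a-8c9d-0e1f2a3b4c5d}": _USB_PATH.encode("utf-16-le"),
}
```

Running find_drive_letter(SAMPLE, "4C530001234567890123") returns the letter E: and the volume GUID for the sample stick; a serial such as "7&2a1b3c4d" is reported as Windows-generated and should not be treated as identifying a specific device.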