Saturday, March 28, 2009

USB Tracking

Well, it has been a while since I updated this blog of mine. I was wondering whether I will continue writing and stick with Blogspot, and also there are too many tech bloggers out there with much more time to write. I hope I will now have the time to write.

With the advent of USB thumb drives and other removable media, which took over from floppy disks because of the floppy's small capacity, transferring files such as music, movies and office documents became very easy. But behind every technology there is a dark side. In the corporate world, top-secret projects are well guarded, but how will you guard your data from thieves? Even in your office, at home and so on: what if someone can plug a nail-sized memory stick into your computer and take everything they want?

Here is a guide to USB tracking: how to get a record of every USB device that has been attached to your system. Each USB thumb drive has a unique serial number, and Windows stores it in the registry. I only tested this on my XP box. Surely it'll work on Vista, Windows 7 and Win98.

Q. What is this USB tracking used for? It is a small example of computer forensics.

A-1. If you want to get the serial number of your thumb drive and record it. Personally, I created a small program that tells who the owner of the thumb drive is: my name, mobile number and the serial number of the device, as proof that I am the rightful owner. I put it in a secret, password-protected partition and in my unsecured partition. If I ever lose it and someone finds it, and if he/she has a good heart, they can contact me because of that information, and I can prove it is mine because I have the serial number of the device.

A-2. If you suspect that someone is stealing the contents of your computer (though he/she would need to physically plug a device into your unit), this lets you check whether an unknown flash drive was plugged in.

A-3. After you get all the information above, such as the serial number, you can also get the last read/write time of the USB thumb drive, which I think is the most important part of the whole investigation. If you are a network administrator and have a logging system, you will know who was logged in at that specific time, and thus who is stealing information.

Let's start:
We don't need a special tool for this, just everyone's favorite, Regedit. Fire up Start > Run > regedit.

Navigate to this key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR

Under this key you will see the attached devices; opening one of them shows its serial number, which is unique to each device.



Just copy the serial number; now it's time to get the read/write entry of the selected device.

Go to:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses
- under this key you will find the read and write record.

I will use my thumb drive's serial number: "0019B931D970C8C155DB05A5&0"

After finding the entry, export it as clear text.


Here is what I got:
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Class Name:
Last Write Time: 3/26/2009 - 12:52 PM
Value 0
Name: DeviceInstance
Type: REG_SZ
Data: USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00\0019B931D970C8C155DB05A5&0


Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\#
Class Name:
Last Write Time: 3/26/2009 - 12:52 PM
Value 0
Name: SymbolicLink
Type: REG_SZ
Data: \\?\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}


Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\#\Control
Class Name:
Last Write Time: 3/26/2009 - 5:04 PM
Value 0
Name: Linked
Type: REG_DWORD
Data: 0x0


Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Control
Class Name:
Last Write Time: 3/26/2009 - 5:04 PM
Value 0
Name: ReferenceCount
Type: REG_DWORD
Data: 0x0


Now I am able to get the last write time for the device.
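Added example (not part of the original post, and not the book's code): a small Python script that parses a Regedit clear-text export like the one above and summarises each USB storage device found in it, with the vendor, product, serial number and the newest "Last Write Time" among its keys. The sample export embedded in the script is the four records shown above, trimmed of the empty "Class Name:" lines, plus one constructed SanDisk record whose instance id was generated by Windows; such ids have "&" as their second character and do not come from the device, so they cannot be used to identify a particular stick.

```python
"""Parse a Regedit 'clear text' export of DeviceClasses keys and summarise
each USB storage device: vendor, product, serial and last-write times.
Added example; the SanDisk record in the sample is constructed."""
import re
from datetime import datetime

USBSTOR_RE = re.compile(r"USBSTOR#Disk&Ven_([^&#]*)&Prod_([^&#]*)&Rev_([^#]*)#([^#]+)#")
TIME_FMT = "%m/%d/%Y - %I:%M %p"  # Regedit's "Last Write Time" format, as in the post

SAMPLE_EXPORT = r"""Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Last Write Time: 3/26/2009 - 12:52 PM
Value 0
Name: DeviceInstance
Type: REG_SZ
Data: USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00\0019B931D970C8C155DB05A5&0

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\#
Last Write Time: 3/26/2009 - 12:52 PM
Value 0
Name: SymbolicLink
Type: REG_SZ
Data: \\?\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\#\Control
Last Write Time: 3/26/2009 - 5:04 PM
Value 0
Name: Linked
Type: REG_DWORD
Data: 0x0

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Control
Last Write Time: 3/26/2009 - 5:04 PM
Value 0
Name: ReferenceCount
Type: REG_DWORD
Data: 0x0

Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02#7&1b2c3d4e&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Last Write Time: 3/27/2009 - 9:15 AM
Value 0
Name: DeviceInstance
Type: REG_SZ
Data: USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02\7&1b2c3d4e&0
"""


def parse_export(text):
    """Split the export into one record per 'Key Name:' block."""
    records = []
    for chunk in re.split(r"(?m)^Key Name: ", text)[1:]:
        lines = chunk.splitlines()
        record = {"key": lines[0].strip(), "last_write": None, "values": {}}
        name = None
        for line in lines[1:]:
            if line.startswith("Last Write Time:"):
                record["last_write"] = datetime.strptime(line.split(":", 1)[1].strip(), TIME_FMT)
            elif line.startswith("Name:"):
                name = line[5:].strip()
            elif line.startswith("Data:") and name is not None:
                record["values"][name] = line[5:].strip()  # pair each Data: with its Name:
                name = None
        records.append(record)
    return records


def summarize_devices(records):
    """Group records by USBSTOR instance id and keep the newest last-write time,
    which is the evidence the post relies on."""
    devices = {}
    for rec in records:
        m = USBSTOR_RE.search(rec["key"])
        if not m:
            continue  # not a USB disk interface key
        vendor, product, rev, instance = m.groups()
        # Instance ids generated by Windows (device reported no serial) have
        # '&' as their second character; they are not unique to one device.
        unique = len(instance) > 1 and instance[1] != "&"
        dev = devices.setdefault(instance, {
            "vendor": vendor, "product": product, "revision": rev,
            "serial": instance.split("&")[0] if unique else None,
            "unique_serial": unique, "last_write": None, "keys": []})
        suffix = rec["key"].split("}")[-1]  # subkey below the device key, e.g. '\#\Control'
        dev["keys"].append((suffix, rec["last_write"]))
        if rec["last_write"] and (dev["last_write"] is None or rec["last_write"] > dev["last_write"]):
            dev["last_write"] = rec["last_write"]
    return devices


if __name__ == "__main__":
    for instance, dev in summarize_devices(parse_export(SAMPLE_EXPORT)).items():
        print(f"{dev['vendor']} {dev['product']} rev {dev['revision']}: instance {instance}, "
              f"serial {dev['serial'] or 'Windows-generated (not unique)'}, "
              f"last write {dev['last_write']:%Y-%m-%d %H:%M}")
```

Run it against a real export by reading the .txt file into `parse_export`; the newest time per device comes from the `Control` subkeys, exactly as in the export above (5:04 PM rather than 12:52 PM), so do not stop at the first key you find.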

Mounted Devices: contains all the drive letters used by mounted devices such as thumb drives and external hard drives.
Registry entry: HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
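Added example (not part of the original post): a Python script that decodes MountedDevices values so a serial number from the steps above can be tied to the drive letter the stick was mounted as. The value data is constructed here, under the assumption that a USB device's value holds the UTF-16LE string "_??_USBSTOR#..." and a fixed disk's value holds 12 bytes (MBR disk signature plus partition byte offset); the `load_mounted_devices_live` function reads the real key with `winreg` on Windows.

```python
"""Decode HKLM\SYSTEM\MountedDevices values and map drive letters to USB
storage devices. Added example; the sample value data is constructed."""
import re
import struct

USBSTOR_RE = re.compile(r"USBSTOR#Disk&Ven_([^&#]*)&Prod_([^&#]*)&Rev_([^#]*)#([^#]+)#")

# The post's Kingston stick, in the form a MountedDevices value stores it.
USB_DEVICE = ("_??_USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#"
              "0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")

# Constructed sample of what winreg.EnumValue() returns for the key's values.
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4" "007e000000000000"),  # MBR signature + offset 0x7E00
    "\\DosDevices\\E:": USB_DEVICE.encode("utf-16-le"),
    "\\??\\Volume{11111111-2222-3333-4444-555555555555}": USB_DEVICE.encode("utf-16-le"),
}


def decode_value(name, data):
    """Return a dict describing one MountedDevices value."""
    entry = {"name": name, "drive": name[-2:] if name.startswith("\\DosDevices\\") else None}
    if len(data) == 12:  # fixed MBR disk: 4-byte signature, 8-byte partition offset
        sig, offset = struct.unpack("<IQ", data)
        entry.update(kind="mbr", signature=f"{sig:08X}", offset=offset)
        return entry
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        entry["kind"] = "unknown"
        return entry
    m = USBSTOR_RE.search(text)
    if m:
        vendor, product, rev, instance = m.groups()
        entry.update(kind="usbstor", vendor=vendor, product=product, revision=rev,
                     instance=instance, serial=instance.split("&")[0])
    else:
        entry.update(kind="other", text=text)
    return entry


def drive_letters_for(values, serial):
    """Drive letters that were assigned to the device with this serial number."""
    entries = (decode_value(name, data) for name, data in values.items())
    return sorted(e["drive"] for e in entries if e["drive"] and e.get("serial") == serial)


def load_mounted_devices_live():
    """On Windows, read the real key (reading HKLM\SYSTEM\MountedDevices needs admin rights)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\MountedDevices") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                return values
            values[name] = data
            i += 1


if __name__ == "__main__":
    for name, data in SAMPLE_MOUNTED.items():
        print(decode_value(name, data))
    print("Kingston stick was mounted as:", drive_letters_for(SAMPLE_MOUNTED, "0019B931D970C8C155DB05A5"))
```

The `\??\Volume{...}` entries carry the same device string without a drive letter, so a stick that was mounted under several letters over time shows up once per letter in the `\DosDevices\` entries and once per volume GUID.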

Conclusion: in this tutorial you learned how to get the serial number of your USB device and how to use that serial number to retrieve the last write time.

Forgive me if I have some typos or anything; just feel free to comment.

And lastly I would like to give credit to Harlan (I forgot his last name) for the great book, Windows Forensics...




Tuesday, June 17, 2008

FireFox 3.0 will be delayed


The most anticipated release of Mozilla's Firefox 3.0 will be delayed by one day. With the first minor upgrade, they will release version 3.1.

Today the copy you can download is the alpha release, code-named Shiretoko.




Thursday, June 12, 2008

5 more days

Today I dropped by Mozilla to check some news; at last, only 5 more days and Firefox 3.0 will be launched after months of beta testing. According to the devs they are ready now and it's time to set a world record.




Tuesday, June 10, 2008

Firefox 3.0 first day release will set record

The Firefox download day will hopefully set the Guinness record for the most downloaded software in 24 hours on the day of its release.
It is very easy: just go to spreadfirefox.com and pledge. At the time of this writing the Philippines has 5958 entries. With the help of community sites, it is guaranteed that more entries will come.
After giving your email you will be counted and will receive the date of its release, which is very, very soon.

I've been using Firefox for quite some time now; as a web designer, I always test my work in Firefox. Another reason why I like Firefox is its web developer extensions, which are very helpful in testing my site and make surfing the web a lot more fun.




Tuesday, March 25, 2008

SaveXP

Microsoft will end its sales of Windows XP (eXPerience), both OEM and corporate, at the end of June, despite some reluctance among businesses and individuals about moving to Vista. With the success of Ubuntu and Leopard for Macs, the Windows community did not get that excited about the coming of Vista; maybe people are not really excited because they have computers that cannot run Vista, just like me. If Vista could run on much lower system requirements we would adopt the new operating system, but when it came it only gave frustration: high resource requirements, few drivers and hardware issues.

Let us support XP by giving our vote.
