With the advent of USB thumb drive and removable media, because of the small capacity of floppy drive this devices took over, this is very useful in transferring files such as music, movies, office documents. But behind every technology there is a dark side. In corporate world, top secret projects are well guarded but how you will guard your data to thieves? Even in your office, home,etc...If they can plug a nail size memory stick to your computer and get everything they want?
Here is a guide in USB Tracking, you can get the log of any USB device attached to your system. Each USB thumb drive has a unique serial number and windows will store it in the registry. I only tested this on my XP box. Surely it'll work on Vista, Windows 7 and Win98.
Q.Where this USB tracking use to? This is a little example of a computer forensics.
A-1.If you want to get the serial number of your thumb drive and record it. Personally, I created a small program that tells who's the owner of the thumb drive, my name, mobile number, serial number of the device as a proof that I am the rightful owner I put it my a secret partition with password protect and in my unsecured partition. If ever I lost it, and someone finds it, if ever he/she has a good heart, they can contact me because of that information and i can prove it because I have the serial number of the device.
A-2.If you are in doubt if someone is stealing the contents of your computer, though he/she needs to physically plug the device to your unit. In this you will able to check if there is an unknown flash drive was plugged into.
A-3. After you get all the information above such as serial number, you can also get the last read/write of the USB thumb drive which I think is the most important part of the whole investigation. If you are a Network Administrator, and have a logging system, you will know who logged in that specific time, thus knowing who's stealing infomation.
Lets start:
We don't need special tool on this, everyone's favorite, the REGEDIT, fire up Start > Run > Regedit
Navigate to this:
\HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\Enum\USBTOR
In this you will able to see the attached devices, navigating to one of the device you will get the serial number which is unique to each device.
Just copy the serial number, now it's time to get the read/write entry of the selected device.
Go to:
\HKEY_LOCAL_MACHINE\SYSTEM\Controlset001\Controls\deviceclass- in this entry you will now get the read and write log.
I will use my thumb drive's serial number - "0019B931D970C8C155DB05A5&0"
After finding the entry, export it as a clear text;
Here what I got:
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Class Name:
Last Write Time: 3/26/2009 - 12:52 PM
Value 0
Name: DeviceInstance
Type: REG_SZ
Data: USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00\0019B931D970C8C155DB05A5&0
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\#
Class Name:
Last Write Time: 3/26/2009 - 12:52 PM
Value 0
Name: SymbolicLink
Type: REG_SZ
Data: \\?\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\#\Control
Class Name:
Last Write Time: 3/26/2009 - 5:04 PM
Value 0
Name: Linked
Type: REG_DWORD
Data: 0x0
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00#0019B931D970C8C155DB05A5&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Control
Class Name:
Last Write Time: 3/26/2009 - 5:04 PM
Value 0
Name: ReferenceCount
Type: REG_DWORD
Data: 0x0
Now I am able to get the last write to the device.
Mounted Devices: Contains all the drive letter being used by the mounted devices such as thumb drive, external hard drive,
Registry Entry: \HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
Conclusion: In this tutorial you will able to get the serial number of your USB device, use the serial number to retrieve the information about the last write.
Forgive me if I have some typo or anything, just feel free to comment
And lastly I would like to give credit to Harlen , I forgot his last name for the great book, Windows Forensics...