Monday, December 21, 2015

Investigating USB logs and creating an amazing encrypting tool.

Universal Serial Bus, or USB as we all know it, is a basic requirement these days. We put movies on our pen drives, we watch them through USB, we connect our phones, players, external drives and lots of other stuff to our USB hubs and fulfil our most important needs. But what most of us don't know is that every time we connect a USB device to a USB hub, our OS keeps a record of the date, time, ID of the device, manufacturer, product ID, serial number and other unique details of that particular device, and saves it on our machine.

Yes, that's true. All of this is saved by our OS. So these records are very important in a computer forensic investigation; they can give very important evidence in computer crime cases.



First, let's take a look at how we can extract these USB plugging details on Windows.

Open Run and type regedit. It will open the Windows registry editor. In this window, go through the following description and you will find the mentioned details in those registry keys.

  1. The USBSTOR key in the SYSTEM hive (SYSTEM\CurrentControlSet\Enum\USBSTOR): USBSTOR contains details on the vendor and brand of USB device connected, along with the serial number of the device that can be used to match the mounted drive letter, user, and the first and last connected times of the device.
  2. The MountedDevices key (SYSTEM\MountedDevices): Allows investigators to match the serial number to a given drive letter or volume that was mounted when the USB device was inserted. It's possible that the investigator won't be able to identify the drive letter if several USB devices have been added, since the mapped drive letter only shows the serial number for the most recently mounted device for each letter assigned.
  3. The MountPoints2 key found in a user's NTUSER.dat hive (NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2): This information will reveal which user was logged in and active when the USB device was connected. MountPoints2 lists all of the device GUIDs that a particular user connected, so you might need to search through each NTUSER.dat hive on the system to identify which user connected a particular device.
  4. The USB key in the SYSTEM hive (SYSTEM\CurrentControlSet\Enum\USB): This key provides investigators with the vendor and product ID for a given device, but also provides the last time the USB device was connected to the system. Using the last write time for the key of the device serial number, investigators can identify the last time it was connected.
  5. The setupapi log (ROOT\Windows\inf\setupapi.dev.log for Windows Vista/7/8, ROOT\Windows\setupapi.log for Windows XP): Searching for the serial number in this file will provide investigators with information on when the device was first connected to the system in local time. Examiners must exercise caution, as unlike the other timestamps mentioned in this article which are stored in UTC, the setupapi.log stores its data in the system's local time and must be converted to UTC to correctly match any timeline analysis being performed by the investigator.
This was taken from Magnet Forensics.
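The warning in the last item, that setupapi timestamps are in local time while the registry timestamps are in UTC, is the kind of thing that is easy to get wrong by hand. The following Python is an added example, not from this post or from Magnet Forensics: it pulls the first "Section start" time for a device serial out of a setupapi.dev.log excerpt and converts it to UTC for a given zone. The log excerpt is constructed in the Windows 7 log style, the serial A477B7DA is borrowed from the udev rule later in this post, and the +05:30 fixed offset is an assumption standing in for the machine's real time zone (which on a real case has to include daylight saving).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt in the style of a Windows 7 setupapi.dev.log (sample data,
# not a real log).  "Section start" lines carry the machine's LOCAL time with no
# zone marker, which is exactly the pitfall the list above warns about.
SAMPLE_SETUPAPI_LOG = r""">>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\A477B7DA&0]
>>>  Section start 2015/12/21 10:15:32.123
     cmd: C:\Windows\system32\svchost.exe -k DcomLaunch
<<<  Section end 2015/12/21 10:15:34.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_04F2&PID_B272\5&2A1B3C4D&0&2]
>>>  Section start 2015/12/20 08:01:10.000
<<<  Section end 2015/12/20 08:01:11.000
<<<  [Exit status: SUCCESS]
"""

# Assumption for this example: the examined machine ran at UTC+05:30 with no DST.
LOCAL_TZ = timezone(timedelta(hours=5, minutes=30))

HEADER_RE = re.compile(r">>>\s+\[Device Install .*? - (?P<devid>[^\]]+)\]")
START_RE = re.compile(r">>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def first_install_times(log_text, local_tz):
    """Map each device instance ID to its earliest 'Section start' time.

    Returns {device_id: (local_datetime, utc_datetime)}.  Because the log stores
    local time, the caller supplies the zone the machine was running in.
    """
    first = {}
    current = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("devid")
            continue
        m = START_RE.match(line)
        if m and current is not None:
            naive = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            local = naive.replace(tzinfo=local_tz)
            if current not in first or local < first[current][0]:
                first[current] = (local, local.astimezone(timezone.utc))
            current = None
    return first


def find_by_serial(log_text, serial, local_tz):
    """Return the first-install record whose device instance ID contains `serial`.

    The result is a dict with the device ID and ISO-8601 strings for both the
    local time as written in the log and the UTC time to use in a timeline.
    """
    for devid, (local, utc) in first_install_times(log_text, local_tz).items():
        if serial in devid:
            return {"device_id": devid, "local": local.isoformat(), "utc": utc.isoformat()}
    return None


if __name__ == "__main__":
    print(find_by_serial(SAMPLE_SETUPAPI_LOG, "A477B7DA", LOCAL_TZ))
```

Feeding the real file instead of the sample means reading it with the encoding Windows wrote it in (the Vista/7 log is usually UTF-8 with a BOM), and replacing LOCAL_TZ with the zone the machine actually used.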

But we don't want to go through all of these registry key locations. There are many tools that we can use for this on Windows; Internet Evidence Finder is one of them.

On Linux, to find the currently connected USB devices' information (the details mentioned above), type lsusb in the terminal. You will get a list of connected devices as follows.
Bus 002 Device 003: ID 04f2:b272 Chicony Electronics Co., Ltd Lenovo EasyCamera
Bus 002 Device 005: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 0489:e00d Foxconn / Hon Hai Broadcom Bluetooth 2.1 Device
Bus 001 Device 003: ID 0bda:0139 Realtek Semiconductor Corp. RTS5139 Card Reader Controller
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
There is some information about device hardware locations too, but the important fields for now are the device name and the ID we can see, for example in this line:
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Take a look at the ID part, 1d6b:0002. Before the colon is the Vendor ID and the number after the colon is the Product ID. The combination of these two numbers will be the serial number of this device.

We can get the history of USB devices connected to a Linux machine from the log messages. As you know, /var/log/messages keeps all the messages generated by the system, so we can find the USB devices that were connected to the system by referring to this log. We can use the following command to filter out the results we want (USB devices connected and removed).

grep usb /var/log/messages
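To work with the lsusb listing above and with the grep output from /var/log/messages, here is an added Python example that is not part of the original post. It does two things: it splits each lsusb line into bus, device number, vendor ID and product ID, and it rebuilds connect/disconnect windows per USB port from the kernel messages, picking up the SerialNumber, Product and Manufacturer lines the kernel logs right after "New USB device found". Note that the VID:PID pair identifies the device model, while the SerialNumber line (the same value the ATTRS{serial} match in the udev rule later in this post uses) identifies the individual unit. Both input samples are constructed for this example; the vendor/product IDs and serial match the udev rule shown later.

```python
import re

# Constructed lsusb output in the same format as the listing above (sample data).
SAMPLE_LSUSB = """\
Bus 002 Device 005: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem
Bus 001 Device 006: ID 058f:6387 Alcor Micro Corp. Flash Drive
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""

# Constructed /var/log/messages excerpt in the kernel's usual wording (sample data).
SAMPLE_MESSAGES = """\
Dec 21 10:15:32 lab kernel: [ 1234.567890] usb 1-1: new high-speed USB device number 6 using ehci-pci
Dec 21 10:15:32 lab kernel: [ 1234.700000] usb 1-1: New USB device found, idVendor=058f, idProduct=6387
Dec 21 10:15:32 lab kernel: [ 1234.700100] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Dec 21 10:15:32 lab kernel: [ 1234.700200] usb 1-1: Product: Mass Storage
Dec 21 10:15:32 lab kernel: [ 1234.700300] usb 1-1: Manufacturer: Generic
Dec 21 10:15:32 lab kernel: [ 1234.700400] usb 1-1: SerialNumber: A477B7DA
Dec 21 10:15:33 lab kernel: [ 1235.100000] sd 6:0:0:0: [sdb] Attached SCSI removable disk
Dec 21 10:20:01 lab kernel: [ 1503.100000] usb 1-1: USB disconnect, device number 6
"""

LSUSB_RE = re.compile(
    r"Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): ID (?P<vid>[0-9a-f]{4}):(?P<pid>[0-9a-f]{4}) ?(?P<desc>.*)"
)
# Syslog prefix, then the kernel's "usb <bus-port>: <message>" form.
KMSG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ kernel: \[ *[\d.]+\] usb (?P<port>[\d.-]+): (?P<msg>.*)$"
)


def parse_lsusb(text):
    """Split each lsusb line into bus, device number, vendor ID, product ID and description."""
    return [m.groupdict() for m in map(LSUSB_RE.match, text.splitlines()) if m]


def usb_events(text):
    """Rebuild plug/unplug events per USB port from kernel log lines.

    The device's attributes arrive on several lines after 'New USB device found',
    so an open event is kept per port until its 'USB disconnect' line is seen.
    """
    events, open_by_port = [], {}
    labels = (("serial", "SerialNumber: "), ("product", "Product: "), ("manufacturer", "Manufacturer: "))
    for line in text.splitlines():
        m = KMSG_RE.match(line)
        if not m:
            continue
        ts, port, msg = m.group("ts"), m.group("port"), m.group("msg")
        if msg.startswith("New USB device found"):
            ids = dict(re.findall(r"(idVendor|idProduct)=([0-9a-f]{4})", msg))
            ev = {"port": port, "connected": ts, "disconnected": None,
                  "vid": ids.get("idVendor"), "pid": ids.get("idProduct"),
                  "serial": None, "product": None, "manufacturer": None}
            events.append(ev)
            open_by_port[port] = ev
        elif port in open_by_port:
            ev = open_by_port[port]
            for key, label in labels:
                if msg.startswith(label):
                    ev[key] = msg[len(label):]
            if msg.startswith("USB disconnect"):
                ev["disconnected"] = ts
                del open_by_port[port]
    return events


def history_for_serial(text, serial):
    """All connect/disconnect windows recorded for one device serial number."""
    return [e for e in usb_events(text) if e["serial"] == serial]


if __name__ == "__main__":
    for dev in parse_lsusb(SAMPLE_LSUSB):
        print(dev["vid"], dev["pid"], dev["desc"])
    for ev in history_for_serial(SAMPLE_MESSAGES, "A477B7DA"):
        print(ev)
```

On a real machine you would pass the output of lsusb and the contents of /var/log/messages (or the journal, on systemd systems) to these functions instead of the samples; the per-port state is what lets you tie a later "USB disconnect" line back to the serial printed at plug-in time, which a plain grep cannot do.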
How we can make something happen in the system when we plug in a USB device.

It is very important to know how we can make something happen when we connect a certain USB device. As an example, let's say you have a secret file on your Linux desktop and you don't want everyone to see that file when you are logged in to your machine. So you are thinking of a way to make it show only when you plug your own pen drive into the machine. There is a way to do that. Let's make a simple plan for it. When I remove my pen drive, some program runs, changes the content of my file (some sort of encryption) and hides the file on the system. When I connect the pen drive, some program runs which first removes the hidden state and then restores the data of the file to what it was. So this file can only be read by using my pen drive.

OK, the first problem you will look at is how to make a program run when you connect a pen drive. There's a fascinating way to do this in Linux: udev rules. We can use udev rules to make something happen on the system when something is connected, whether USB devices, Ethernet adapters, CD-ROMs, etc. udev rules are located in /etc/udev/rules.d.
Go to that location and let's make a rule in udev.
Take your favorite editor and type as follows:
ACTION=="add", ATTRS{idVendor}=="058f", ATTRS{idProduct}=="6387",ATTRS{serial}=="A477B7DA", RUN{program}+="/bin/sh -c 'python /home/avishka/Documents/python_files/usb_file_crypter/encusb.py'"
Let's see what is in this line. First, ACTION== gives the action which triggers this rule. It may be add, remove, etc. When we put add, the rule will trigger when a device is plugged into USB. If it is remove, the rule will trigger when we remove the USB device.
ATTRS{idVendor}, ATTRS{idProduct} and ATTRS{serial}: you can find all of these by following the steps below.
First connect your pen drive to USB and make sure it has connected. Now open a terminal and type fdisk -l and you will get all connected storage. Find your pen drive using its size and copy the path. Most of the time it will be /dev/sdb or /dev/sdc. Then on the terminal type udevadm info -a /dev/sdb (replace /dev/sdb with your pen drive's location). You will get a list of items like this:


In this list, make a note of the ATTRS{manufacturer}== lines, because using those you can find your pen drive's details. After you get the correct parent device (which is your device), extract the above three parameters from it and replace the parameters in the rule with yours.
Finally you can see RUN{program}+=...... The "+=" is here because it adds another program to the list of things to run, so in this part you can mention what the system should do when you connect your pen drive. My option is /bin/sh -c 'python /home/avishka/Documents/python_files/usb_file_crypter/encusb.py'.
First I get a shell from /bin/sh. Then I send it the command (-c) just as I would type it in the terminal. In this case I run a python script which alters the data of one of my files and hides it.

In the same way you can add a rule for what should happen when you remove the pen drive. Just change ACTION=="add" to ACTION=="remove", and change the command you want to execute.
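Pulling the three ATTRS values out of the udevadm info -a listing and pasting them into the rule by hand is easy to get wrong, because udev only lets one rule match ATTRS from a single parent device, so all three must come from the same "looking at parent device" block. As an added example, and not the post's own script, the following Python parses an excerpt of udevadm info -a output, picks the parent closest to the block device that carries all three attributes, and builds the add rule in the same form as the one shown above. For the remove rule it matches the ID_SERIAL_SHORT property udev recorded at plug-in time instead of ATTRS, because the sysfs attributes of a device that has just been unplugged are no longer readable when the remove event fires. The excerpt, the sysfs paths and the script path are constructed assumptions; the vendor ID, product ID and serial are the ones from the rule above.

```python
import re

# Constructed excerpt of `udevadm info -a /dev/sdb` output (sample data, not a
# real device walk).  Real output starts at the block device and walks up.
SAMPLE_UDEVADM = """\
  looking at device '/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1:1.0/host6/target6:0:0/6:0:0:0/block/sdb':
    KERNEL=="sdb"
    SUBSYSTEM=="block"
    ATTR{size}=="15654912"

  looking at parent device '/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1:1.0':
    KERNELS=="1-1:1.0"
    SUBSYSTEMS=="usb"
    DRIVERS=="usb-storage"

  looking at parent device '/devices/pci0000:00/0000:00:1a.0/usb1/1-1':
    KERNELS=="1-1"
    SUBSYSTEMS=="usb"
    ATTRS{idVendor}=="058f"
    ATTRS{idProduct}=="6387"
    ATTRS{manufacturer}=="Generic"
    ATTRS{serial}=="A477B7DA"

  looking at parent device '/devices/pci0000:00/0000:00:1a.0/usb1':
    KERNELS=="usb1"
    SUBSYSTEMS=="usb"
    ATTRS{idVendor}=="1d6b"
    ATTRS{idProduct}=="0002"
    ATTRS{serial}=="0000:00:1a.0"
"""

BLOCK_RE = re.compile(r"^\s*looking at (?:parent )?device '(?P<path>[^']+)':")
ATTR_RE = re.compile(r'^\s*(?P<key>[A-Z]+(?:\{[^}]+\})?)=="(?P<val>[^"]*)"')
WANTED = ("ATTRS{idVendor}", "ATTRS{idProduct}", "ATTRS{serial}")


def parse_udevadm(text):
    """Return the device chain as a list of (sysfs_path, {key: value}), nearest device first."""
    chain = []
    for line in text.splitlines():
        m = BLOCK_RE.match(line)
        if m:
            chain.append((m.group("path"), {}))
        elif chain:
            m = ATTR_RE.match(line)
            if m:
                chain[-1][1][m.group("key")] = m.group("val")
    return chain


def pick_usb_parent(chain):
    """Return the first parent (closest to the block device) carrying all three attributes.

    The search stops at the first hit rather than merging attributes across
    parents, because udev matches ATTRS against one single parent only.  The
    root hub further up also has idVendor/idProduct/serial, so taking the
    nearest match is what keeps the rule pointed at the pen drive itself.
    """
    for path, attrs in chain:
        if all(key in attrs for key in WANTED):
            return path, attrs
    return None


def build_rules(attrs, script):
    """Build an add rule on ATTRS (as in the post) and a remove rule on the recorded serial.

    `script` is the RUN target; the path passed in below is an assumption.
    """
    match = ", ".join(f'{key}=="{attrs[key]}"' for key in WANTED)
    add_rule = f'ACTION=="add", {match}, RUN{{program}}+="{script}"'
    # On "remove" the device's sysfs attributes are already gone, so ATTRS cannot
    # match.  udev still carries the properties it recorded at add time, such as
    # ID_SERIAL_SHORT, and those are matched with ENV{...}.
    serial = attrs["ATTRS{serial}"]
    remove_rule = (f'ACTION=="remove", SUBSYSTEM=="usb", ENV{{ID_SERIAL_SHORT}}=="{serial}", '
                   f'RUN{{program}}+="{script}"')
    return [add_rule, remove_rule]


if __name__ == "__main__":
    # Assumed script path for the example; replace with your own.
    found = pick_usb_parent(parse_udevadm(SAMPLE_UDEVADM))
    if found:
        for rule in build_rules(found[1], "/bin/sh -c 'python /path/to/encusb.py'"):
            print(rule)
```

After writing the generated lines into a file under /etc/udev/rules.d, run udevadm control --reload-rules so udev picks them up, then test with udevadm test on the device's sysfs path before trusting the rule with a real plug/unplug.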
