USB in Mountpoints2 but nowhere else?

5 Posts
2 Users
0 Likes
661 Views
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

Has anyone ever run into the situation where mountpoints2 reports a drive volume, but that volume exists nowhere under mounteddevices, usbstor, etc.? Regripper pulls the info from mountpoints2, but that volume ID doesn't show up anywhere else - very odd….

I do know it's a WD Passport drive from link files I've found.

Edit - I found where the drive was connected in setupapi.dev.log, but I still don't see a reference in the registry.

Thanks!

 
Posted : 04/10/2017 1:41 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Has anyone ever run into the situation where mountpoints2 reports a drive volume, but that volume exists nowhere under mounteddevices, usbstor, etc.?

No.

But did you find any evidence in the Windows Event Logs? A timestamp to narrow down your search?

Event Log: System
UserPnp, EventID 20003
DriverFrameworks-UserMode, EventID 10000
WPD-ClassInstaller, EventID 24576
Plug and Play driver install attempted, EventID 20001

Good hunting,
Robin

 
Posted : 04/10/2017 9:53 am
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

Not during the time the registry is reporting. I found a device in setupapi.dev.log around 12:33P that was connected on the same day, which is around 3 hours (almost exactly) earlier. This entry is also found in the system log.

Driver Management has concluded the process to add Service disk for Device Instance ID USBSTOR\DISK&VEN_WD&PROD_MY_PASSPORT_25E1&REV_1015\57584131413337414A4C3638&0 with the following status 0.

I still can't find anything referencing that guid in the registry, and it's bothering me. :)

 
Posted : 04/10/2017 11:28 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

I still can't find anything referencing that guid in the registry, and it's bothering me. :)

In this case I would not only look for any evidence of "anti-forensic" actions, I would make a full search across everything on this machine.

- Pagefile
- Hiberfil
- Shadow Copies

This is one point I really love X-Ways Forensics for…. Simultaneous Search for this GUID ;-)

best regards,
Robin

 
Posted : 04/10/2017 1:15 pm
jblakley
(@jblakley)
Posts: 110
Estimable Member
Topic starter
 

Thanks Robin :)

I did a search last night, and I find the guid in unallocated, pagefile.sys, ntuser.dat (mountpoints2), and syscache.hve. There isn't anything that stands out as it being associated to an actual device.

In fact, from another thread where jaclaz responded, I decided to run uuid against the guids and came back with this:

The one from the event log around 3 hours earlier:

uuid -d 62913E5D-4616-11E7-ACEF-00A0C6000000
encode: STR:     62913e5d-4616-11e7-acef-00a0c6000000
        SIV:     131018491530714477390274640652305170432
decode: variant: DCE 1.1, ISO/IEC 11578:1996
        version: 1 (time and node based)
        content: time:  2017-05-31 15:32:41.500015.7 UTC
                 clock: 11503 (usually random)
                 node:  00:a0:c6:00:00:00 (global unicast)

And the "missing" guid from everything but mountpoints2:

uuid -d 3ca2e12e-1f74-4bca-b1f4-66c8dfde3b58
encode: STR:     3ca2e12e-1f74-4bca-b1f4-66c8dfde3b58
        SIV:     80599399034568520348143780736136002392
decode: variant: DCE 1.1, ISO/IEC 11578:1996
        version: 4 (random data based)
        content: 3C:A2:E1:2E:1F:74:0B:CA:31:F4:66:C8:DF:DE:3B:58
                 (no semantics: random data only)

I simply cannot find a reference to the volume 3ca2e* in usbstor or mounteddevices. It's like it existed (at least EnCase is showing that the last write time on the mountpoints2 for that entry was the latest device), but didn't really exist. From other usb devices I've seen, I'd at least have a volume ID close to the device ID, but the one actually seen connected on that day isn't even in the ballpark as the one I can't find. I'm not sure how to explain this one.

 
Posted : 04/10/2017 2:05 pm
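The `uuid -d` decode quoted in the post above, reproduced in Python as an added example (this is not code from the thread or from the uuid tool; it uses only the standard library and the two GUIDs quoted in the post). It shows why the two identifiers behave so differently as evidence: the version-1 GUID from the event log carries a 60-bit timestamp, a clock sequence and a node (MAC) address that can be cross-checked against other artefacts, while the version-4 volume GUID from MountPoints2 is random data and can only be matched by searching for the string itself, which is exactly what the pagefile/unallocated/hive search in the thread does.

```python
"""Decode version-1 and version-4 UUIDs the way `uuid -d` reports them.

Added example; not part of the original forum posts. Standard library only.
"""
from datetime import datetime, timedelta, timezone
import uuid

# The UUID epoch: 100-nanosecond intervals are counted from 1582-10-15 00:00 UTC
# (RFC 4122, section 4.1.4).
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# The two identifiers quoted in the thread (constructed input for this example).
EVENT_LOG_GUID = "62913E5D-4616-11E7-ACEF-00A0C6000000"   # version 1
MOUNTPOINTS2_GUID = "3ca2e12e-1f74-4bca-b1f4-66c8dfde3b58"  # version 4


def decode_uuid(text):
    """Return a dict describing the UUID: variant, version and, for a
    version-1 (time-based) UUID, the embedded timestamp, clock sequence and
    node address. A version-4 UUID carries nothing but random data."""
    u = uuid.UUID(text)
    raw = u.bytes

    # The variant lives in the top bits of byte 8 (clock_seq_hi_and_reserved).
    hi = raw[8]
    if hi & 0x80 == 0:
        variant = "NCS (reserved)"
    elif hi & 0xC0 == 0x80:
        variant = "DCE 1.1, ISO/IEC 11578:1996"
    elif hi & 0xE0 == 0xC0:
        variant = "Microsoft (reserved)"
    else:
        variant = "reserved (future)"

    info = {"string": str(u), "variant": variant, "version": u.version}

    if u.version == 1:
        # 60-bit timestamp in 100 ns units; keep the sub-microsecond digit
        # separately because datetime only resolves microseconds.
        micros, tenths = divmod(u.time, 10)
        when = UUID_EPOCH + timedelta(microseconds=micros)
        info["time"] = when.strftime("%Y-%m-%d %H:%M:%S.%f") + ".%d UTC" % tenths
        info["clock_seq"] = u.clock_seq  # 14 bits, usually random
        node = u.node.to_bytes(6, "big")
        info["node"] = ":".join("%02x" % b for b in node)
        # LSB of the first octet set => locally administered / multicast address;
        # clear => a globally assigned (unicast) hardware address.
        info["node_kind"] = "local/multicast" if node[0] & 1 else "global unicast"
    elif u.version == 4:
        info["content"] = "random data only"
    else:
        info["content"] = "not decoded by this example"
    return info


def describe(text):
    """Render decode_uuid() output as a few lines, similar to `uuid -d`."""
    info = decode_uuid(text)
    lines = ["%s" % info["string"], "variant: %s" % info["variant"],
             "version: %s" % info["version"]]
    if "time" in info:
        lines += ["time:    %s" % info["time"],
                  "clock:   %d" % info["clock_seq"],
                  "node:    %s (%s)" % (info["node"], info["node_kind"])]
    else:
        lines.append("content: %s" % info["content"])
    return "\n".join(lines)


if __name__ == "__main__":
    for g in (EVENT_LOG_GUID, MOUNTPOINTS2_GUID):
        print(describe(g))
        print()
```

Run it to see that the first GUID decodes to the same 2017-05-31 15:32:41 UTC timestamp, clock 11503 and node 00:a0:c6:00:00:00 that the post reports, and the second yields no timestamp at all. A node of 00:a0:c6:00:00:00 is a vendor-prefix address with a zeroed device part, so it identifies the generating software stack rather than a specific NIC.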