USB Storage Timestamp Registry Anomaly
honor_the_data - Member
USB Storage Timestamp Registry Anomaly
I'm working on a case at my new job in which I've been asked to determine if there is evidence that an employee took corporate data before resigning to work a competitor.
I'm practically done with the analysis but do not understand what I'm seeing in the USB device timestamps. According to the registry, only one USB mass storage device was ever connected. The last time the keys for that device were written was 9/30/2016 8:34:01 UTC. This doesn't make sense though, because the laptop had been collected by my colleague the previous day and it did not have anything connected to it at the time of collection.
9/30/2016 8:34:01 UTC- Evidence1\HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_USB_3.0_Cable&Rev_SA11
9/30/2016 8:34:01 UTC- Evidence1\HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_USB_3.0_Cable&Rev_SA11\2HC015kj&0
4/18/2016 21:18:58 UTC- Evidence1\HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_USB_3.0_Cable&Rev_SA11\2HC015kj&0\Device Parameters\Partmgr
I took a look at my registry on my work laptop to see how its timestamps look, since I've connected multiple USB storage devices to it.
10/13/2016 14:19:37 UTC- my_laptop\HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Apricorn&Prod_&Rev_0133
10/13/2016 18:30:06 UTC- my_laptop\HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Plugable&Prod_USB3-SATA-UASP1&Rev_0
10/13/2016 14:19:37 UTC- my_laptop\HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_GoFlex&Rev__210
10/13/2016 14:19:37 UTC- my_laptop\HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_TOSHIBA&Prod_External_USB_3.0&Rev_0
10/13/2016 14:19:37 UTC- my_laptop\HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport_0839&Rev_1072
10/13/2016 14:19:37 UTC- my_laptop\HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Other&Ven_WD&Prod_SES_Device&Rev_1072
5/6 of the timestamps above are identical, but I surely did not connect those devices at the same time and did not even connect them at all yesterday. The one device with a different timestamp was connected at the specified time. Additionally, the subkeys for each of those have identical timestamps, rather than showing the timestamp of when the device was first connected.
Are any of you aware of any Windows operations/laptop operations that do batch updates to USB registry keys? I'm wondering if there is something going on with the computers at this organization that is causing this, because my forensics machine, which is not joined to the domain, does not have similar issues going on in the registry.
-
jaclaz - Senior Member
Re: USB Storage Timestamp Registry Anomaly
Which OS is that?
How (with which tool/program) are you finding those timestamps?
How do they compare with other artifacts (like - say - setupapi.log or similar)?
How do they compare with related other keys (like mountpoints and mountpoints2)?
How do they compare with the full system timeline?
Check these (if applicable):
www.swiftforensics.com...art-1.html
windowsir.blogspot.it/...sible.html
jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-
honor_the_data - Member
Re: USB Storage Timestamp Registry Anomaly
OS of Evidence1: Windows 7 Enterprise (Service Pack 1)
OS of my_laptop: Windows 7 Enterprise (Service Pack 1)
Tools used to find timestamps: Encase 7, Registry Viewer 1.8.0.5 (AccessData), RegistryViewer 1.3 (Gaijin), USBDeview (Nirsoft), log2timeline 0.66
All of the aforementioned tools produced identical registry timestamps.
The setupapi.dev.log shows the date & time when the drive was first connected, but not the last time it was connected, which is what I am really interested in. The initial connection timestamp was consistent with the times found with the aforementioned tools.
Other artifacts on the system make it seem as though Windows was started up at 9/29/2016 at 19:29:03, which is the same time my colleague picked up the system, according to the chain of custody form. There are no shutdown events after this.
Nothing was attached to it though and the most recent attachment time, according to the registry timestamps, was 13 hours after the last start and was during the middle of the night for us.
-
jaclaz - Senior Member
Re: USB Storage Timestamp Registry Anomaly
- honor_the_data
The setupapi.dev.log shows the date & time when the drive was first connected, but not the last time it was connected, which is what I am really interested in. The initial connection timestamp was consistent with the times found with the aforementioned tools.
Other artifacts on the system make it seem as though Windows was started up at 9/29/2016 at 19:29:03, which is the same time my colleague picked up the system, according to the chain of custody form. There are no shutdown events after this.
Nothing was attached to it though and the most recent attachment time, according to the registry timestamps, was 13 hours after the last start and was during the middle of the night for us.
I don't know, IF the setupapi.dev.log indicates as first install a date/time before the 9/29/2016 at 19:29:03 AND the other keys/artifacts indicate a date/time after that for the SAME device, since it is impossible (if you are not in possession of THAT device) that - even by mistake - it was re-connected after seizure, those Registry time stamps must be *somehow* fake/fabricated or the like.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -
-
honor_the_data - Member
Re: USB Storage Timestamp Registry Anomaly
The first install date, as indicated by the setupapi.dev.log and the registry was 4/18/2016, which is well before the scope of the investigation.
The last connected timestamps definitely do seem like they are fake/erroneous but the really unusual part is that my own laptop had similar behavior in that registry keys for USB devices had been updated as a batch even when I know that those devices were not connected at those times. For example, my laptop currently shows six devices under my_laptop\HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\. The timestamps for all six are 10/14/2016 18:11:34 UTC, but I know that I had only 1 of those devices connected at that time.
Weird huh?
-
passcodeunlock - Senior Member
Re: USB Storage Timestamp Registry Anomaly
I think that one of your installed USB drivers is malfunctioning somehow, mixing up the USB addressing and writing unreliable data to the logs.
On your test laptop remove all your USB entries with USBDeview, then refresh the hardware components in your Device Manager. After that, test a bit with connecting and disconnecting different USB devices, see if the dates/times for logs work as they are supposed to work.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny!
-
honor_the_data - Member
Re: USB Storage Timestamp Registry Anomaly
- passcodeunlock
I think that one of your installed USB drivers is malfunctioning somehow, mixing up the USB addressing and writing unreliable data to the logs.
On your test laptop remove all your USB entries with USBDeview, then refresh the hardware components in your Device Manager. After that, test a bit with connecting and disconnecting different USB devices, see if the dates/times for logs work as they are supposed to work.
I'll give that a shot. Thanks for the tip.