Finding evidence of data on removable media

12 Posts
6 Users
0 Likes
488 Views
(@stevegut78)
Posts: 44
Eminent Member
Topic starter
 

I am trying to find evidence of pornography which is suspected to have been opened on the suspect machine from removable media (HD/USB/CD). Where can I look at a lower level to find references to videos or images which were viewed from removable media?

I have done a high level search, Temp Internet files, index.dat, recently opened documents etc. with no hard evidence. This particular person was seen looking at pornography and it is suspected it was from removable media.

Thanks

 
Posted : 23/09/2005 8:05 pm
(@gmarshall139)
Posts: 378
Reputable Member
 

Check this key in the registry for the USB devices that have been attached to the machine

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Check the link files, particularly those in the recent documents folder and see if any of them point at a removable drive.

Search the pagefile. Some of the images should show up there if they were recently viewed.

 
Posted : 23/09/2005 8:43 pm
(@armresl)
Posts: 1011
Noble Member
 

Your reference indications (higher level and lower level) don't really describe anything pertaining to analyzing a machine; if you can be even more specific than the index.dat, temp internet, etc., that would help out.

You can do grep searches on .mpeg, .avi, .jpg for possible picture and video references. As Greg mentioned, MRU would be a good place to look; also look in the registry for typed-in URL search terms.

Also you could try to search the term "d" and that could possibly net some positive results.

 
Posted : 23/09/2005 9:09 pm
(@stevegut78)
Posts: 44
Eminent Member
Topic starter
 

Thank you both for your replies.

I was able to identify 6 devices in the USBSTOR key, which confirms the use of USB media. What I am really trying to find is anything that could connect pornography to these devices, or more generally, anything that would show what type of data is on these removable devices. We have a policy that deletes the page file when the user logs off, so the page file would not be usable.

By higher level I basically mean what I explained in my first post. Are there any other methods I could use to find something? Thanks again!

 
Posted : 23/09/2005 11:02 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

What I am really trying to find anything that could connect pornography to these devices.

Greg gave you what you needed. Once you locate the entries in the USBStor key, match the ParentIdPrefix data to the MountedDevices key to see which of the USB devices was last mapped to a drive letter. Then, use this information to check LNK (shortcut) files for references to the drive letter.

Try checking the following Registry keys:
HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList
HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList

Do you have any idea what application was used to view the images/movies? If so, check to see if there's an MRU list.

Just a thought, though…if the person is suspected of looking at pr0n from a USB drive, why did you search the Temp Internet Files?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 24/09/2005 12:25 am
(@stevegut78)
Posts: 44
Eminent Member
Topic starter
 

OK
What I get in the mounted devices key is entries like
\??\Volume{99286615-631f-11d9-b153-0007e9e91871}

Not sure what drive letters these represent but I did search the registry for drive letters such as d\ & e\ to no avail.

I am not sure what application was being used, but I did not find any additional "viewer" type software installed on the system. I would assume either MS Picture Viewer or possibly IE was used to view pics, and WMP to view videos…

I searched temporary internet files just on a whim to see if I could find any data that could be used against the suspect.

I've done 2 other investigations recently and this is by far the toughest. Not sure where else to go from here?

 
Posted : 24/09/2005 1:36 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Not sure what drive letters these represent but I did search the registry for drive letters such as d\ & e\ to no avail.

Could you dump the contents of the MountedDevices key to a .reg file (export it) and paste it here? I'll also need the ParentIdPrefix values for all of the USB devices. This seems to be a new area to you, and it would be easier if I had the information to walk you through…it might be easier than having you read my presentations at http://www.windows-ir.com/Carvey_gmu2005.zip.

You still haven't mentioned anything about shortcut files in the Recent Documents, the contents of Search Registry keys, etc. Giving you advice is going to be difficult, not so much because you're unfamiliar with the Registry, but b/c you don't seem to be looking in places that are suggested. More information from you would make it easier to assist you.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 24/09/2005 2:31 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

What I get in the mounted devices key is entrys like
\??\Volume{99286615-631f-11d9-b153-0007e9e91871}

So, you have no entries at all that look like "\DosDevices\A"??

If you do, what you need to do is this…go to the USBStor keys, and locate the ParentIdPrefix value for each device. Note that the initial key you see under USBStor is the device class…the subkey under that is the unique device identifier.

Once you have the ParentIdPrefix value, go to the DosDevice entries from the MountedDevices key that do not represent the floppy drive or hard drive, and select one. Right-click and choose Modify. Take a look at the binary data, and see if you see the value for the ParentIdPrefix there. This is what is meant by "mapping" the USB devices to a MountedDevice entry.

H. Carvey
"Windows Forensics and Incident Recovery"
www.windows-ir.com
windowsir.blogspot.com

 
Posted : 24/09/2005 2:48 am
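The USBSTOR-to-MountedDevices mapping described in the two posts above (and the USBSTOR pointer earlier in the thread) can be automated once the key has been exported to a .reg file. The script below is an added example written for this thread, not a tool from any of the posters: it parses a regedit 5.00 export of MountedDevices, decodes each REG_BINARY value as UTF-16LE, pulls the ParentIdPrefix out of the "STORAGE#RemovableMedia#...&RM#" device path, and matches it against the ParentIdPrefix values read from USBSTOR. The USBSTOR entries, serial numbers and the drive letter E: are constructed sample data; the volume GUID is the one quoted in the thread. Devices that appear in USBSTOR but never match a MountedDevices value are reported separately, since that is the case where the LNK and MRU evidence has to carry the connection instead.

```python
import re

MOUNTED_DEVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices"

# Constructed sample: USBSTOR instance subkeys (device class\instance id) with
# their ParentIdPrefix values. Vendor strings and serials are invented.
USBSTOR_DEVICES = {
    r"Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\0001234567890ABC&0": "7&1a2b3c4d&0",
    r"Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\5B7D0F00E1A2&0": "7&2f9e8d7c&0",
}


def reg_hex(raw: bytes, width: int = 25) -> str:
    """Render bytes the way regedit exports REG_BINARY: 'hex:' followed by
    comma-separated bytes, wrapped onto continuation lines ending in ',\\'."""
    pairs = [f"{b:02x}" for b in raw]
    chunks = [",".join(pairs[i:i + width]) for i in range(0, len(pairs), width)]
    return "hex:" + ",\\\n  ".join(chunks)


# For a removable USB volume the MountedDevices data is the UTF-16LE device
# interface path; the ParentIdPrefix sits between 'RemovableMedia#' and '&RM#'.
SANDISK_PATH = (r"\??\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#"
                "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}")

# Constructed .reg export. C: carries a fixed-disk signature + partition
# offset (invented bytes); E: and the volume GUID both point at the SanDisk.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    f"[{MOUNTED_DEVICES_KEY}]\n"
    f'"\\\\DosDevices\\\\C:"={reg_hex(bytes.fromhex("a1b2c3d4007e000000000000"))}\n'
    f'"\\\\DosDevices\\\\E:"={reg_hex(SANDISK_PATH.encode("utf-16-le"))}\n'
    f'"\\\\??\\\\Volume{{99286615-631f-11d9-b153-0007e9e91871}}"='
    f'{reg_hex(SANDISK_PATH.encode("utf-16-le"))}\n'
)


def parse_reg_binary_values(reg_text: str, key_path: str) -> dict:
    """Return {value_name: bytes} for every hex: value under key_path in a
    'Windows Registry Editor Version 5.00' export."""
    joined = re.sub(r",\\\r?\n[ \t]*", ",", reg_text)   # undo line continuations
    values, in_key = {}, False
    for line in joined.splitlines():
        if line.startswith("["):
            in_key = line.strip() == f"[{key_path}]"
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=hex:([0-9a-fA-F,]*)$', line) if in_key else None
        if m:
            name = m.group(1).replace("\\\\", "\\")         # .reg escapes backslashes
            values[name] = bytes(int(h, 16) for h in m.group(2).split(",") if h)
    return values


def parent_id_prefix(data: bytes):
    """Extract the ParentIdPrefix from a MountedDevices value, or None when the
    value is not a removable-media device path (e.g. a fixed-disk signature)."""
    text = data.decode("utf-16-le", errors="replace")
    m = re.search(r"STORAGE#RemovableMedia#([^#]+)&RM#", text)
    return m.group(1) if m else None


def map_usb_devices(reg_text: str, usbstor: dict) -> dict:
    """Return {MountedDevices value name: (USBSTOR instance, ParentIdPrefix)}
    for every drive letter or volume GUID that matches a known USB device."""
    by_prefix = {prefix: dev for dev, prefix in usbstor.items()}
    hits = {}
    for name, data in parse_reg_binary_values(reg_text, MOUNTED_DEVICES_KEY).items():
        prefix = parent_id_prefix(data)
        if prefix in by_prefix:
            hits[name] = (by_prefix[prefix], prefix)
    return hits


def unmapped_devices(reg_text: str, usbstor: dict) -> list:
    """USBSTOR instances with no surviving MountedDevices entry at all."""
    seen = {dev for dev, _ in map_usb_devices(reg_text, usbstor).values()}
    return [dev for dev in usbstor if dev not in seen]


if __name__ == "__main__":
    for name, (device, prefix) in map_usb_devices(SAMPLE_REG, USBSTOR_DEVICES).items():
        print(f"{name}  <-  {device}  (ParentIdPrefix {prefix})")
    for device in unmapped_devices(SAMPLE_REG, USBSTOR_DEVICES):
        print(f"never mapped to a letter or volume GUID: {device}")
```

On the sample, E: and the \??\Volume{…} entry both resolve to the SanDisk instance, which is what lets LNK files and MRU entries containing "E:\" be tied to that specific device; the Kingston stick is reported as never mapped. A real export should be taken from the system hive of the image, and values that decode to the "RemovableMedia" path but match no USBSTOR entry are worth noting too, since they indicate a device whose USBSTOR key has since been removed.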
 Andy
(@andy)
Posts: 357
Reputable Member
 

It doesn’t sound like you are using any forensic software tools, so you may need to enable a setting to show hidden files and folders to find the recent folder .lnk files.

The link file may have been deleted, and you may have to use a forensic tool to search and recover for this type of file. If you do find a .lnk that relates to a suspicious file, it is possible to show its location was on removable media. By examining the link file structure metadata, you may find the original file path which points to a drive letter (relating to removable media).

Viewing the history index.dat files may reveal other activity that has been recorded, (not the Temporary Internet Files index.dat file) such as registered Windows file types being accessed. For example accessing a file such as an .avi (movie) or .jpg (image) or even a .doc (document) may leave an entry in the master history index.dat file. A record will be made of the filename and path (including drive letter) of the accessed file.

The best tool I’ve used for examination of Internet history records is Craig Wilson’s NetAnalysis. You can take a look/download a demo at www.digital-detective.co.uk

It also comes with a 'history extractor' which works on unallocated clusters. I used it recently on a case where live records = 5,000, and when I ran the extractor the records increased to over 300,000, post-dating the OS install and providing a wealth of information.

Andy

 
Posted : 24/09/2005 2:26 pm
(@ashay)
Posts: 6
Active Member
 

I am presuming that the OS is XP. If this is the case, consider doing the following.

Export the NTUSER file for the user, run WRA against the file and search using the Streams tab.

Do the same for the ShellBags.

Consider looking at the path Microsoft/Windows/Explorer/ComDlg32 and also Microsoft/Windows/Explorer/Recent Docs

If the OS is XP, consider exporting Restore Point NTUSER files, and running WRA over the drive for historic data. XP has a habit of compressing the Restore Points due to user configuration. If you are using forensic software the file's metadata will be highlighted as Compressed, which means you will not be able to view the files. Essentially a healthy NTUSER file will begin with REGF.

Just adding to what Andy mentioned, I would urge you to search across the UC of the drive for the file header of an LNK. If you discover the source of the images, this can be matched with the embedded metadata which will include an 8 byte source identifier.

If you don't have WRA, send me an email to

ash368@btinternet.com

There is an accompanying PDF (2.3MB), mention the PDF in the post and I will forward this to you.

Caveat: WRA source code was sold to Paraben earlier this year, so it is not available from the old URL at Mitec. If anyone wants a copy of WRA just send an email to the above.

 
Posted : 24/09/2005 6:21 pm
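Andy's point about reading the drive letter out of a link file's structure, and ashay's suggestion of searching unallocated clusters for the LNK header, can both be demonstrated with a small parser. The script below is an added example written for this thread, not code from either poster or from any forensic product: it builds two constructed Shell Link (.lnk) files (one whose target lives on a removable volume, one on a fixed disk), buries them in a constructed byte blob standing in for exported unallocated clusters, carves every LNK header signature (HeaderSize 0x4C followed by the Shell Link CLSID) out of the blob, and decodes the LinkInfo block to recover the target's local path, the VolumeID drive type and serial, and the target file's modification time. Paths, labels, serial numbers and timestamps are all invented sample values.

```python
import struct
from datetime import datetime, timezone, timedelta

# Shell Link header: HeaderSize (0x4C) + LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_SIGNATURE = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(dt: datetime) -> int:
    """FILETIME = 100-nanosecond intervals since 1601-01-01 UTC."""
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def from_filetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def build_lnk(target: str, drive_type: int, serial: int, label: str, mtime: datetime) -> bytes:
    """Construct a minimal .lnk (header + LinkInfo with VolumeID and LocalBasePath).
    Sample data for the parser below, not a recovered artifact."""
    ft = to_filetime(mtime)
    header = LNK_SIGNATURE + struct.pack("<IIQQQIiIHHII", HAS_LINK_INFO, 0x20,
                                         ft, ft, ft, 4096, 0, 1, 0, 0, 0, 0)
    label_b = label.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    base_b = target.encode("ascii") + b"\x00"
    suffix_b = b"\x00"                                   # empty CommonPathSuffix
    vol_off = 28                                         # LinkInfoHeaderSize without unicode offsets
    base_off = vol_off + len(volume_id)
    link_info = struct.pack("<IIIIIII", 28 + len(volume_id) + len(base_b) + len(suffix_b),
                            28, VOLUME_ID_AND_LOCAL_BASE_PATH, vol_off, base_off, 0,
                            base_off + len(base_b)) + volume_id + base_b + suffix_b
    return header + link_info


def cstring(buf: bytes, pos: int) -> str:
    return buf[pos:buf.index(b"\x00", pos)].decode("latin-1")


def parse_lnk(buf: bytes, offset: int = 0) -> dict:
    """Decode the header and LinkInfo of a Shell Link at buf[offset:]. The
    timestamps are the target file's, not the .lnk file's own."""
    if buf[offset:offset + 20] != LNK_SIGNATURE:
        raise ValueError("not a Shell Link header")
    flags, _attrs, _ctime, _atime, wtime = struct.unpack_from("<IIQQQ", buf, offset + 20)
    pos = offset + 76
    if flags & HAS_LINK_TARGET_ID_LIST:                  # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    result = {"offset": offset, "target_modified": from_filetime(wtime),
              "drive_type": None, "local_base_path": None}
    if flags & HAS_LINK_INFO:
        _size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", buf, pos)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            _vsize, dtype, serial, label_off = struct.unpack_from("<IIII", buf, pos + vol_off)
            result.update(drive_type=DRIVE_TYPES.get(dtype, str(dtype)),
                          drive_serial=f"{serial:08X}",
                          volume_label=cstring(buf, pos + vol_off + label_off),
                          local_base_path=cstring(buf, pos + base_off))
    return result


def carve_lnks(blob: bytes) -> list:
    """Find every LNK header signature in a raw blob (e.g. exported unallocated
    clusters) and parse it; truncated or malformed hits are skipped."""
    hits, pos = [], blob.find(LNK_SIGNATURE)
    while pos != -1:
        try:
            hits.append(parse_lnk(blob, pos))
        except (ValueError, struct.error, IndexError):
            pass
        pos = blob.find(LNK_SIGNATURE, pos + 1)
    return hits


def removable_media_targets(blob: bytes) -> list:
    """Only the links whose target volume was removable media or a CD-ROM."""
    return [h for h in carve_lnks(blob) if h["drive_type"] in ("REMOVABLE", "CDROM")]


# Constructed "unallocated space": filler bytes around two deleted link files.
SAMPLE_UNALLOCATED = (
    bytes(range(256))
    + build_lnk("E:\\videos\\clip01.avi", 2, 0x1A2B3C4D, "USB_DISK",
                datetime(2005, 9, 20, 14, 30, tzinfo=timezone.utc))
    + bytes(range(256))
    + build_lnk("C:\\Documents and Settings\\user\\My Documents\\report.doc", 3,
                0x5E6F7A8B, "SYSTEM", datetime(2005, 9, 1, 9, 0, tzinfo=timezone.utc))
    + bytes(range(256))
)

if __name__ == "__main__":
    for hit in carve_lnks(SAMPLE_UNALLOCATED):
        print(f"@0x{hit['offset']:x} {hit['drive_type']:<9} serial {hit.get('drive_serial')} "
              f"{hit['local_base_path']}  (target modified {hit['target_modified']:%Y-%m-%d %H:%M})")
```

Run against a raw export of unallocated space, the carver surfaces link files that were deleted from the Recent folder; the VolumeID drive type (2 = removable) and serial number are what tie a recovered path such as "E:\videos\clip01.avi" to a particular stick rather than to whatever happens to be E: today, and the embedded write time dates the target file independently of the link. Real LNK files may also carry a LinkTargetIDList and optional string data, which this parser skips over or ignores.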
Page 1 / 2