Announcement

Collapse
No announcement yet.

Attaching evidence of User to USB device

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Attaching evidence of User to USB device

    Hey guys and girls.

    Im looking for the best way to attach a user to a historically connected USB Device.

    User logon-logoff was not audited so that rules that out.
    computer has 7 Local users.

    Thanks for the help in advance

  • #2
    This is a common question, but unfortunately there is no "one size fits all" answer. Oftentimes, general investigative skills are necessary in order to scale down and quickly isolate a particular group of potential users. Generally speaking, if using OSForensics, you might start with the User Activity scan. This will generate a list of user-controlled artifacts in a date-descending view. There is a "USB" category which will produce a historical list of attached USB devices. You can use this category to quickly identify the USB in question. Then, you can jump to the date/time range of the USB connection in the comprehensive list view. The USB category will include USB artifacts found in the SYSTEM hive under the Current Control Set, as well as the setupapi.dev logs, and the "Microsoft-Windows-Partition%4Diagnostic.evtx" event log, which records each instance of a USB connection and disconnection. Unfortunately none of these artifacts by themselves are tied to a particular user account however, you will oftentimes find other artifacts immediately preceding or proceeding the USB connection that can be attributed to a particular user account. You stated there were 7 users on the system. I'm assuming each had an individual user account. If so, this shouldn't be too difficult to determine which user account was responsible for the USB connection. For instance, launch OSForensics and run the User Activity scan. Review the historical data and find a date/time your USB in question was connected by reviewing the USB category and make note of the connection date and time. Next, return to the main comprehensive view and locate the USB artifact by scrolling down to the date and time of the USB connection. Once there, simply review the artifacts surrounding the USB connection. Most likely, you'll find user activity which can be attributed to a specific user, shortly before and after the device connection. (See attached screenshot for an example.)
    Attached Files
    - Jeff S.
    PassMark Software

    Comment


    • #3
      Sorry about missing a lot of information I was writing this post in a hurry before leaving the office.

      I have been working with OSforensics for 2 years now and i am familiar with the software and thankful for even the small updates!
      This particular case there is hardly any EVTX logs on Audit therefore even logon ID doesn't show up only failed login attempts.

      Of course i know how to find all the USB connections even without OSF just by using the registry.
      because this case is abit different and is missing a few logs the usual methods of attaching a user to the USB is harder (sorry for not mentioning it)

      the PC has 7 local users on it and even if I go to NTUSER of each one I still cant find any ID that is the same as in the SYSTEM registry.

      Im looking for abit more ideas of ways I didn't think of so you were 100% right in any case I do exactly what you mentioned.

      But in this case ill need some new ideas =]

      Thank you

      Comment


      • #4
        Do you have the USB in question? If so, I'd start there. Connect to your machine; add the physical device to your OSF case; open it in the Raw Disk Viewer, then perform text search for the user accounts. You likely could eliminate some that may have never connected to the USB or perhaps be able to at least identify a few that had connected the device. Best case scenario, you find a match for only 1 user account. See screenshot.

        I'm afraid that without having a considerable amount of specific data (too much for back and forth through the forum), concerning your exact scenario, this might be an impossible task to handle via the forum. For instance, are you working from a forensic disk image or a partition image, or perhaps a logical image of just the user profiles, or maybe even just a collection of certain files from each user account? What version of Windows? Is this a personal computer or work computer? If work computer, is there an IT admin that could possibly be of any help? Have you talked to that person? Have the 7 potential users been interviewed? What is actually of interest concerning this USB? Was it copying (stealing) files to the USB by an individual? Executing a certain application from the USB? Moving files from the USB to the user account? Were anti-forensics applications found and were they recently ran? If so, who's account? You stated you have the NTUSER.dat file from each of the 7 user accounts? Open each in the Registry Viewer in OSF and click the "Generate Report" button. Review the reports. LOTS of potentially helpful info should be there. Are there any Shadow Copies available on the machine? If so, analyze them with our Shadow Copy Analysis module. Try and locate missing logs or evidentiary files in older snapshots.
        Attached Files
        - Jeff S.
        PassMark Software

        Comment


        • #5
          One more thing... If an application was launched from the USB in question, review Prefetch artifacts and find when the app was last ran. Then review the mapped files and directories. You should be able to get the volume serial number of the USB device. You also should be able to find some other artifacts that will probably include file paths and will see the user account that was logged in at the time. If you have the USB drive, you can then look at the USB physical disk in the Raw Disk Viewer, and match the serial number. This way you could in theory prove the application was launched from that drive and when, and also make a pretty good determination which user was responsible. See attached.

          Click image for larger version

Name:	USB Activity - Prefetch.png
Views:	360
Size:	25.7 KB
ID:	49857

          Click image for larger version

Name:	USB Activity - Raw Disk Viewer.png
Views:	353
Size:	21.8 KB
ID:	49859


          Attached Files
          - Jeff S.
          PassMark Software

          Comment

          Working...
          X