Module XXXIX – USB Forensics
EC-CouncilCopyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
News: Taiwan on High Alert After Military Leak
Source: http://www.iol.co.za/
News: Boeing Worker’s Data Case Goes to Jury
Source: http://seattletimes.nwsource.com/
Module Objective
This module will familiarize you with:
• Universal Serial Bus (USB)
• USB Flash Drive
• Misuse of USB
• USB Forensics
• USB Forensic Investigation
• Forensic Tools
Module Flow
Universal Serial Bus (USB)
USB Flash Drive
Misuse of USB
USB Forensics
USB Forensic Investigation
Forensic Tools
Universal Serial Bus (USB)
USB is the serial bus standard to interface devices to a host computer
It allows many peripherals to be connected to a host computer using a single standardized interface socket
It is generally used to connect computer peripherals such as mice, keyboards, PDAs, gamepads and joysticks, scanners, digital cameras, printers, personal media players, and flash drives
USB Flash Drive
A USB flash drive is a portable, rewritable data storage device integrated with a USB interface
It is supported by modern operating systems such as Windows, Mac OS X, Linux, and other Unix-like systems
Over USB 2.0, a flash drive reads at up to 30 MB/s and writes at about 15 MB/s
There are four parts of a flash drive:
• Male type-A USB connector
• USB mass storage controller — implements the USB host controller
• NAND flash memory chip
• Crystal oscillator — produces the device's main 12 MHz clock signal and controls the device's data output through a phase-locked loop
Screenshot: USB Flash Drive
Misuse of USB
Data Theft:
• A crime in which critical company information is leaked using a USB flash drive
Installing malicious programs:
• USB devices can be used to propagate and install malicious programs such as viruses, Trojans, spyware, and rootkits, which can damage information and other computer resources
USB Forensics
USB forensics is the technique of recovering and analyzing digital evidence from a USB flash drive and the affected computer in a forensically sound manner
It helps forensic investigators to:
• Find the date and time of the data theft
• Identify the person who installed the malicious program
• Collect the data stored on the USB device
• Collect information about the data leaked from the computer
• Trace the criminals who committed the crime using the USB flash drive
USB Forensic Investigation
Secure and evaluate the scene
Document the scene
Image the computer and USB device
Acquire the data
Examine the computer
Analyze the USB device
Generate reports
Secure and Evaluate the Scene
Ensure that only authorized persons handle the scene
Handle the USB evidence properly to preserve physical evidence such as fingerprints
Interview the owner of the USB device and ask for any security code or password needed to access its contents
Do not allow suspects to handle the USB device or the computer
Search the surrounding area and other rooms, not only the room where the device was found
Document the Scene and Devices
Document the state of each device and of each computer it is synchronized with
Record the location and condition of the USB device, computers, storage media, and other digital devices
Look for non-electronic evidence such as invoices, manuals, and packaging material, which may provide information about the USB device's capabilities and its unlock code
Document the date and time at which each item of evidence was collected
Photograph the crime scene, including the USB device, cables, cradles, power connectors, and computer
Avoid touching the USB device while photographing it
Maintain a chain of custody
Image the Computer and USB Device
Make a bit-by-bit copy of the affected computer's memory and configuration using a tool such as SafeBack
Create an image of the USB flash drive using USB Image Tool 1.31
Use hashing techniques such as MD5 to verify the integrity of the imaged data
Acquire the Data
Collect all the data from the USB image and the computer's devices
You can use these recovery tools to recover deleted files:
• Bad Copy Pro
• Data Doctor Recovery
Check Open USB Ports
Option 1: Go to Device Manager
(Screenshot: Device Manager showing an open port and a closed port)
Option 2:
In Registry Editor, locate and then click the following registry key:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
In the details pane, double-click Start
In the Value data box, a value of 3 means USB storage is enabled; any other value means it is disabled
Examine Registry of Computer: USBSTOR
Footprints or artifacts are created in the registry when a USB device is connected to a Windows system
The Plug and Play (PnP) Manager queries the device descriptor in the device's firmware for information about the device
After identification, a registry key is created beneath the following key:
• HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR
Subkeys beneath this key look like:
• Disk&Ven_###&Prod_###&Rev_###
Examine Registry of Computer: DeviceClasses
Navigate to the following key:
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
The value iSerialNumber is a unique instance identifier for the device
It is similar to the MAC address of a network interface card
The ParentIdPrefix value can be used to correlate additional information from elsewhere in the registry
ParentIdPrefix is also used to determine when the USB device was last connected to the Windows system
Examine Registry of Computer: MountedDevices
The path to MountedDevices is:
• HKEY_LOCAL_MACHINE\System\MountedDevices
MountedDevices key stores information about the various devices and volumes mounted to the NTFS file system
Use the ParentIdPrefix value found within the unique instance ID key to map the entry from USBSTOR to the MountedDevices
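The correlation described in the USBSTOR, DeviceClasses and MountedDevices slides, as an added example that is not part of the EC-Council module: it parses Disk&Ven_###&Prod_###&Rev_### subkey names and maps each instance's ParentIdPrefix to the MountedDevices entry that embeds it. It goes beyond the slides in one respect: an instance ID whose second character is '&' was generated by Windows because the device reported no serial, so it is not unique to the device. All registry data below is constructed sample data, with MountedDevices values shown already decoded from their UTF-16LE REG_BINARY form.

```python
import re

# Constructed sample of subkeys beneath HKLM\System\CurrentControlSet\Enum\USBSTOR:
# device key -> { unique instance ID (serial) -> values found under it }
USBSTOR = {
    "Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP": {
        "0019E02DEADBEEF1234567&0": {"ParentIdPrefix": "7&1a2b3c4d&0"},
    },
    "Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26": {
        "5&2f1e0d9c&0&1": {"ParentIdPrefix": "7&9f8e7d6c&0"},
    },
}

# Constructed sample of HKLM\System\MountedDevices values (data decoded to text).
# The RemovableMedia form embeds the ParentIdPrefix between '#' and '&RM'.
MOUNTED_DEVICES = {
    "\\DosDevices\\E:": "\\??\\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    "\\DosDevices\\F:": "\\??\\STORAGE#RemovableMedia#7&9f8e7d6c&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
}

KEY_RE = re.compile(r"^Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$")


def parse_usbstor_key(name):
    """Split a Disk&Ven_###&Prod_###&Rev_### subkey name into vendor, product, revision."""
    m = KEY_RE.match(name)
    if not m:
        raise ValueError(f"not a USBSTOR disk key: {name!r}")
    return m.groupdict()


def serial_is_from_device(instance_id):
    """True if the instance ID came from the device's own iSerialNumber descriptor.
    Windows puts '&' as the 2nd character when it had to generate the ID itself."""
    return len(instance_id) > 1 and instance_id[1] != "&"


def correlate(usbstor, mounted):
    """Map every USBSTOR instance to the drive letter(s) it was mounted as."""
    rows = []
    for key, instances in usbstor.items():
        fields = parse_usbstor_key(key)
        for inst, values in instances.items():
            prefix = values.get("ParentIdPrefix")
            # Match the ParentIdPrefix inside the MountedDevices value data.
            letters = [n for n, data in mounted.items() if prefix and f"#{prefix}&" in data]
            rows.append({**fields, "serial": inst, "unique_serial": serial_is_from_device(inst),
                         "parent_id_prefix": prefix, "drive_letters": letters})
    return rows
```

On a real system the two dictionaries would be filled from an exported or offline SYSTEM hive rather than typed in; the matching logic is unchanged.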
Generate Reports
Note the name of the investigator
List of evidence gathered
Documents of the evidence and other supporting items
List of tools used for investigation
Devices and set up used in the examination
Brief description of the examination steps
Details about the findings:
• Information about the USB data
• Computer-related evidence
• Data and image analysis
Conclusion of the investigation
USB Forensic Tools: Bad Copy Pro
Source: http://www.jufsoft.com/
Bad Copy Pro recovers deleted files, formatted drives, and data lost to damage, media errors, and bad sectors on a USB flash drive
It is safe data recovery software that performs only read-only operations on the USB flash drive and saves the recovered files elsewhere
Data Doctor Recovery
Source: http://www.datadoctor.in/
Data Doctor Recovery supports the major USB device manufacturers' series, including Super flash, Kingston, Samsung, Transcend, Sony, and other recent series
The software is simple to use and provides a user-friendly interface
Features:
• Recovers lost files, including jpg, jpeg, gif, bmp, mpeg, and other stored records
• Supports USB drives including pen drives, Zip drives, SD cards, PC cards, flash memory, etc.
• Scans and transports data to a safe location according to the preloaded file structure
• Recovers data damaged by a software virus attack
Data Doctor Recovery: Screenshot
USB Image Tool
Source: http://www.alexpage.de/
USB Image Tool is freeware that can create images of USB memory sticks
Features of USB Image Tool:
• Creates image files of USB drives
• Restores images to USB drives
• Compressed image file format
• Shows USB device information
• Manages favorite USB images
USB Image Tool: Screenshot
USBDeview
Source: http://www.nirsoft.net/
USBDeview is a small utility that lists all USB devices that are currently connected to your PC or have been connected to it in the past
Along with the device's name and description, it displays the serial number, the dates the device was added and last connected, the VendorID, and other information
It can also be used to list the USB devices of a remote computer from the command line
USBDeview: Screenshot
Summary
USB is the serial bus standard for interfacing devices to a host computer
A USB flash drive is a portable, rewritable data storage device integrated with a USB interface
USB forensics is the technique of recovering and analyzing digital evidence from a USB flash drive and the affected computer under forensically sound conditions
Footprints or artifacts are created in the registry when a USB device is connected to a Windows system
USB CopyNotify is a software utility that notifies you when a USB stick is being used on any of the PCs on the network