Evidence surrounding the use of USB devices is an often sought-after forensic treasure trove, due to its verbosity in the operating system, as well as the Windows Registry.

Thank you to Daniel Dickerman and Chad Tilbury for initially sending me down this rabbit hole!

The difficulty comes in attempting to make sense of all this data. When the many, disparate breadcrumbs of usage are pulled together in a coherent assemblage of user activity, the results can be shocking in their clarity. Remember that, usually, a USB investigation is happening in the complete absence of any of the USB devices being investigated. The notion that we can determine what USB devices have ever been attached to a system even though the devices are no longer present is astonishing to the uninitiated. Unfortunately, this evidence often can only withstand scrutiny in the absence of the USB devices being reported.

For anyone who has been doing forensics for any period of time, you will be familiar with the location of USB device artifacts in the registry. The issue has to do with incorrect, inconsistent, and poorly documented nomenclature.

We have often started in the USBSTOR key, and then drilled down to identify the USB device. After identifying the device Vendor and Product, we proceed to the subkey of that key, and we see the values as shown in the diagram below. It has long been held (and reported) that this value is the serial number of the device. Unfortunately, as with many things in forensics, the devil is in the details. As it turns out, Microsoft themselves report that this is variously an “iSerialNumber” or a “Product ID”. Oddly enough, in the places where they call this the Product ID, they identify a different value as the Serial Number. As you can see, this can become confusing! In the diagram below, a command in PowerShell lists some values regarding the above two USB devices. Clearly, what we have been calling the serial number is not the same thing as what the PowerShell output identifies as a serial number.

As if that wasn’t confusing enough, according to Microsoft, the string listed above under PNPDeviceID is also identified as an “iSerialNumber”, and defined as “... a device-defined index of the string descriptor that provides a string that contains a manufacturer-determined serial number for the device.” You will see in the following research that they are NOT reporting the “manufacturer-determined serial number”. I have also now seen the value from above under serial number referred to as a “SCSI serial number”.

As an aside, it might come as a surprise to many forensicators that the USBSTOR key does NOT contain all USB devices that have been attached.

The problem with the “SCSI serial number” label is that the value is not coming from under the SCSI key in the registry (although it could).
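The two passages above (the USBSTOR drill-down to the subkey named by the supposed serial number, and the PowerShell output whose PNPDeviceID carries the iSerialNumber-derived string while a different field is reported as the serial) both come down to telling apart values that share the name "serial number" but have different origins. The following is an added example, not code or output from the article: an offline parser for USB and USBSTOR device instance paths as they appear as registry subkey names and in PNPDeviceID strings. All sample values are constructed. It relies on two pieces of standard USB forensics knowledge that the article does not spell out: the USBSTOR instance ID is the USB descriptor string with a "&<LUN>" suffix, and an instance ID whose second character is "&" was generated by Windows because the device reported no serial at all. Which PowerShell command the article ran is not stated, so treating a storage-level value such as the SerialNumber property of Win32_DiskDrive as the "SCSI serial number" is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample values (not taken from the article). They mimic one USB
# stick as it appears under three different names:
#   - the USB enumerator key:     USB\VID_xxxx&PID_xxxx\<iSerialNumber string>
#   - the USBSTOR key:            USBSTOR\Disk&Ven_..&Prod_..&Rev_..\<iSerialNumber>&<LUN>
#   - the storage stack's serial: what a disk-level query (e.g. Win32_DiskDrive)
#     reports; assumed here to be what the article calls the "SCSI serial number".
SAMPLE_USB_PATH = r"USB\VID_0781&PID_5567\4C530001230102105424"
SAMPLE_USBSTOR_PATH = r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230102105424&0"
SAMPLE_SCSI_SERIAL = "AA010203040506070809"  # deliberately different from the USB value
# A stick that reported no iSerialNumber at all: Windows synthesises an instance
# ID whose second character is '&' (standard USB forensics heuristic).
SAMPLE_NOSERIAL_USBSTOR_PATH = r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0&_&0"

_FIELD = re.compile(r"(?:^|&)(Ven|Prod|Rev|VID|PID)_([^&]*)", re.IGNORECASE)


@dataclass
class DeviceInstance:
    enumerator: str                 # "USB" or "USBSTOR"
    device_id: str                  # middle path component: Ven/Prod/Rev or VID/PID
    instance_id: str                # last path component, the "serial number" seen in the registry
    fields: dict = field(default_factory=dict)   # VEN/PROD/REV or VID/PID, upper-cased keys
    descriptor_serial: Optional[str] = None     # iSerialNumber-derived part; None if Windows-generated
    windows_generated: bool = False


def parse_instance_path(path: str) -> DeviceInstance:
    """Split an <enumerator>\\<device id>\\<instance id> path into its parts."""
    parts = path.split("\\")
    if len(parts) != 3:
        raise ValueError(f"expected enumerator\\device\\instance, got {path!r}")
    enumerator, device_id, instance_id = parts
    fields = {name.upper(): value for name, value in _FIELD.findall(device_id)}
    # Heuristic: '&' in the second position means the device reported no serial
    # and Windows generated the ID, so it identifies nothing about the hardware.
    windows_generated = len(instance_id) > 1 and instance_id[1] == "&"
    descriptor_serial = None
    if not windows_generated:
        # USBSTOR appends "&<LUN>" to the descriptor string; the USB key does not.
        descriptor_serial = re.sub(r"&\d+$", "", instance_id)
    return DeviceInstance(enumerator.upper(), device_id, instance_id, fields,
                          descriptor_serial, windows_generated)


def compare_serial_sources(usb_path: str, usbstor_path: str,
                           scsi_serial: Optional[str]) -> dict:
    """Report which 'serial number' is which for one device and whether they agree."""
    usb = parse_instance_path(usb_path)
    stor = parse_instance_path(usbstor_path)
    same_descriptor = (usb.descriptor_serial is not None
                       and usb.descriptor_serial == stor.descriptor_serial)
    scsi_norm = (scsi_serial or "").strip().upper()
    scsi_matches = bool(scsi_norm) and scsi_norm == (stor.descriptor_serial or "").upper()
    return {
        "usb_key_serial": usb.descriptor_serial,        # from the USB device descriptor
        "usbstor_key_serial": stor.descriptor_serial,   # same string, as the USBSTOR subkey name
        "usb_and_usbstor_agree": same_descriptor,
        "scsi_serial": scsi_serial,                     # storage-stack value, a separate source
        "scsi_matches_descriptor": scsi_matches,
        "windows_generated_id": stor.windows_generated,
        "vendor_product_rev": (stor.fields.get("VEN"), stor.fields.get("PROD"),
                               stor.fields.get("REV")),
    }


if __name__ == "__main__":
    report = compare_serial_sources(SAMPLE_USB_PATH, SAMPLE_USBSTOR_PATH, SAMPLE_SCSI_SERIAL)
    for key, value in report.items():
        print(f"{key:26} {value}")
    print(parse_instance_path(SAMPLE_NOSERIAL_USBSTOR_PATH))
```

When run against subkey names pulled from a SYSTEM hive, the report makes the article's point explicit: the USB and USBSTOR keys carry the same descriptor-derived string (so they corroborate each other but are one source, not two), the storage-level serial is a separate value that may or may not match it, and a Windows-generated ID should not be written up as a serial number at all.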