Lokeyte


#1 shtanto (Members, 1 posts, Ireland)

Posted 20 November 2009 - 12:26 AM

Most of the posters here are aware that the registry in windows holds a wealth of information about pretty much everything on your PC.

USB devices are no exception. By looking through the registry for entries with USBSTOR in them, we can home in on USB specific information.

Specifically, by looking under SYSTEM>ControlSet001>Control>DeviceClasses, we can find that most USB keys, even those of identical make and model, have unique IDs.

If you were to misplace your USB key at college or at work, theoretically, you could use the ID to find it.

In a perfect scenario, you have full system admin level access and your buddy Karl loves showing off the quirky clips of the day he's captured on the CCTV systems.

All that's involved to find our key is a registry query to every machine on the network. We can then look at all the keys that come back and figure out a way to get timestamps. After we know the where from the machine IP and the when from the timestamp, Karl can look up the CCTV records and find our culprit.

If we can't find a timestamp, we could use a few simple data mining tricks to work out a usage pattern. People tend to be creatures of habit, relying on routines to keep things simple. I'm willing to bet that posters who reply haven't changed the way they take their tea or coffee in a very long time!

Repliers are invited to discuss how a small program could be created to find lost USB keys based on the above scenario. Worst case scenarios are also open for discussion, such as basic user level access and heavy network restrictions.

#2 was_jaclaz (Finder, Advanced user, 7100 posts, Location: Gone in the mist, Italy)

Posted 20 November 2009 - 10:17 AM

> Specifically, by looking under SYSTEM>ControlSet001>Control>DeviceClasses, we can find that most USB keys, even those of identical make and model, have unique IDs.

Actually, ControlSet001 is not a definite representation of the current control set; CurrentControlSet is :cheers:.

Similar programs already exist, and also provide source code.

Here:
http://sourceforge.n...bhistory/files/

All that is needed is to make it scan network machines, though it may take a looong time.

Maybe doing a pre-scan of setupapi.log for the vid&pid may be faster? :w00t:

http://www.forensics...History_Viewing

JFYI:
http://scissec.scis...._Windows_XP.pdf

Unrelated, but not much :cheers:, hoping that people are not as bad as they are usually depicted:
http://dailycupoftec...usb-drives-now/
http://www.dailycupo...e-ask-for-help/
http://www.edugeek.n...k-reminder.html
http://www.bgreco.net/reminder.php
http://www.fossoft.c.../usw/index.html

:cheers:

jaclaz
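Both the timestamp question in post #1 and the setupapi.log pre-scan idea in post #2 come down to the same thing: pulling device install times and VID/PID/serial out of the log. The parser below is an added example, not code from either poster or from the usbhistory project linked above; the log lines it parses are constructed in the style of a Windows XP setupapi.log, not a real capture, and the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample lines in the style of a Windows XP setupapi.log (not a real capture).
SAMPLE_LOG = r"""
[2009/11/19 17:42:10 1084.3 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_0951&pid_1607&rev_0100,usb\vid_0951&pid_1607
#I123 Doing full install of "USB\VID_0951&PID_1607\0019E06B1A6CBB71".
#I121 Device install of "USB\VID_0951&PID_1607\0019E06B1A6CBB71" finished successfully.
[2009/11/19 17:42:12 1084.3 Driver Install]
#I123 Doing full install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\0019E06B1A6CBB71&0".
[2009/11/20 08:03:55 0420.2 Driver Install]
#I123 Doing full install of "USB\VID_0781&PID_5406\7&2f5b3c1a&0&1".
"""

SECTION = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")   # section header carries the time
INSTALL = re.compile(r'^#I123 Doing full install of "((?:USB|USBSTOR)\\[^"]+)"')
VIDPID = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")

def parse_setupapi(text):
    """Return one record per USB/USBSTOR install, stamped with its section's time."""
    when, records = None, []
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = INSTALL.match(line)
        if not m or when is None:
            continue
        instance = m.group(1)
        leaf = instance.split("\\")[-1]          # last path element of the instance ID
        serial = leaf.split("&")[0]              # USBSTOR leaves carry a trailing "&0"
        # A leaf whose second character is '&' was generated by Windows for a device
        # with no serial number; such an ID is unique to this host only, so it cannot
        # be matched across machines the way a real serial can.
        has_serial = len(leaf) > 1 and leaf[1] != "&"
        vp = VIDPID.search(instance)
        records.append({"when": when, "instance": instance, "serial": serial,
                        "has_serial": has_serial,
                        "vid_pid": (vp.group(1).upper(), vp.group(2).upper()) if vp else None})
    return records

def first_seen(text):
    """Earliest install time per serial, for devices that have a real serial number."""
    out = {}
    for r in parse_setupapi(text):
        if r["has_serial"] and (r["serial"] not in out or r["when"] < out[r["serial"]]):
            out[r["serial"]] = r["when"]
    return out
```

Run over each machine's setupapi.log, the output of first_seen() gives the "when" per serial that post #1 asks for; the has_serial flag is the caveat for keys that never had a serial in the first place.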
