### Heavy USB Forensics
In this blog post, we will delve into USB forensics, covering approximately 95% of the essential knowledge and techniques that a digital forensics examiner would require when investigating USB-related cases.
Our exploration will be guided by [Ahmed Hashad's](https://www.linkedin.com/posts/ahmedhashad_usb-insider-threat-challenge-activity-7323344613014941696-rxeK?utm_source=share&utm_medium=member_desktop&rcm=ACoAADemZ3EBD1WuSvEvU-UZGgKkIijXrajtVIs) USB Forensics Challenge, providing a practical and comprehensive learning experience.
#### USB insider threat challenge.

##### To begin,
I will list all the questions from the challenge before we dive into the analysis. All of the questions in this challenge are related to USB forensics, and this blog will focus entirely on answering them.
```
1. What is the computer name?
2. what is the drive letter assigned to the USB drive ?
3. what is the make and serial number of the connected USB stick ? answer format (make model , serial number)
4. what are the filenames of the 3 files copied to USB? answer format (filename1.extension, filename2.extension, filename3.extension )
5. what is the MFT record number of the PPTX file from its original path on the unlocked computer?
6. Referring to the 3 files copied, what is the parent path of the files? (full path)
7. Examining the provided evidence, how many times Admin user click on start button?
8. Which user was logged in when the usb drive connected, please specify also the volume GUID of the flash drive? answer format (username,volumeguid) example (john,{5d6f-d5f5-d5f5-d5f5})
9. What is the last removal date and time of the USB drive? answer format (date MM-DD-YYY,Time 24Hr 00:00:00) example (05-08-1990,23:25:15)
10. What is the number of partitions and total sectors of every partition on the connected flash drive? answer format (number,number) example (3,5698458455)
11. What is the file system ID and type (e.g., FAT32, NTFS) of the USB drive? answer format (0x00,type) example (0x05,FAT16)
12. What is the volume serial number (VSN) in hex of the USB drive? answer format (only hex values without space) example (11CD11CD11CD11CD11CD11CD)
```
##### Challenge Files: Triage (acquired using KAPE)
#### Q2. what is the drive letter assigned to the USB drive ?
Let’s begin by exploring the key locations within the system where USB-related data can be extracted during a forensic investigation.
##### 1- Registry
Location: C:\Windows\System32\config\
1. `SYSTEM\CurrentControlSet\Enum\USBSTOR` : will give you *Vendor, product, version* in this format `Ven_XXX Prod_YYYY and Rev_ZZZZ` . It will also give you *Serial Number, Connection Times*. This information is generally retained for `~30 days` after the device was last connected.

2. `SYSTEM\MountedDevices` : will give us Drive Letter, and Volume GUID.

3. `SOFTWARE\Microsoft\Windows Portable Devices` : will give us *Vendor, product, version*, and friendly name.

4. `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2` : searching for the Volume GUID as a subkey under this path tells us which user used the USB.
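The two registry artifacts above are usually correlated together: a `\DosDevices\X:` value and a `\??\Volume{GUID}` value in `MountedDevices` that hold identical data describe the same volume, and for USB volumes that data is a UTF-16LE device path embedding the vendor, product and serial number; the Volume GUID is then looked up under each user's `MountPoints2`. The following is an added example of that correlation, not part of the challenge write-up. It works on values that have already been read out of the hives (a real case would load them with a hive parser such as python-registry); the sample values are constructed by hand, with the serial, drive letter and GUID taken from this write-up and the product/revision strings as placeholders.

```python
"""Correlate SYSTEM\\MountedDevices values with users' MountPoints2 subkeys.

Added example, not from the challenge write-up. The registry values below
are constructed in the format Windows uses; a real investigation would
read them from the SYSTEM and NTUSER.DAT hives (e.g. with python-registry).
"""
import re
from typing import Optional

# Device-path prefix Windows writes into MountedDevices for USBSTOR volumes.
USBSTOR_RE = re.compile(
    r"_\?\?_USBSTOR#Disk&Ven_(?P<vendor>[^&]+)&Prod_(?P<product>[^&]+)"
    r"&Rev_(?P<rev>[^#]*)#(?P<serial>[^&#]+)&"
)


def decode_mounted_device(data: bytes) -> Optional[str]:
    """MountedDevices stores USB device paths as UTF-16LE strings; fixed-disk
    entries are 12-byte blobs (disk signature + partition offset) that do not
    decode to a device path, so only text with a device-path prefix is returned."""
    try:
        text = data.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.startswith(("\\??\\", "_??_")) else None


def correlate_mounted_devices(values: dict) -> list:
    """Group MountedDevices values that share identical data: the drive letter
    and the Volume GUID of one volume point at the same device path."""
    by_data: dict = {}
    for name, data in values.items():
        entry = by_data.setdefault(data, {"letters": [], "guids": []})
        if name.startswith("\\DosDevices\\"):
            entry["letters"].append(name[len("\\DosDevices\\"):])
        elif name.startswith("\\??\\Volume"):
            entry["guids"].append(name[len("\\??\\Volume"):])
    results = []
    for data, entry in by_data.items():
        path = decode_mounted_device(data)
        if path is None:
            continue
        m = USBSTOR_RE.search(path)
        if not m:
            continue  # a non-USBSTOR volume (e.g. a CD-ROM device path)
        results.append({
            "vendor": m["vendor"], "product": m["product"], "serial": m["serial"],
            "drive_letters": entry["letters"], "volume_guids": entry["guids"],
        })
    return results


def users_who_mounted(volume_guid: str, mountpoints2_by_user: dict) -> list:
    """MountPoints2 lives in each user's NTUSER.DAT; the Volume GUID appears as a
    subkey there only for users in whose session the volume was mounted."""
    return sorted(u for u, guids in mountpoints2_by_user.items() if volume_guid in guids)


# --- constructed sample data: serial, letter and GUID from the write-up,
# product/revision strings are placeholders ---
DEVICE_PATH = ("_??_USBSTOR#Disk&Ven_Kingston&Prod_EXAMPLE_MODEL&Rev_0000"
               "#E0D55EA493BD18A179C50557&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d4" + "00" * 8),  # fixed disk blob
    "\\DosDevices\\G:": DEVICE_PATH.encode("utf-16-le"),
    "\\??\\Volume{0eb1efce-1bc4-11f0-bdde-000c29989bd3}": DEVICE_PATH.encode("utf-16-le"),
}
SAMPLE_MOUNTPOINTS2 = {  # constructed: Volume GUID subkeys per user's NTUSER.DAT
    "Admin": {"{0eb1efce-1bc4-11f0-bdde-000c29989bd3}",
              "{11111111-2222-3333-4444-555555555555}"},
    "Guest": {"{11111111-2222-3333-4444-555555555555}"},
}

if __name__ == "__main__":
    for dev in correlate_mounted_devices(SAMPLE_MOUNTED_DEVICES):
        print(dev)
        for guid in dev["volume_guids"]:
            print("  mounted by:", users_who_mounted(guid, SAMPLE_MOUNTPOINTS2))
```

Matching on identical value data rather than on the value name is what makes the drive letter, Volume GUID and USBSTOR serial line up even when several devices have used the same letter over time.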

##### 2- Event Logs
Location: C:\Windows\System32\winevt\logs\
- **System.evtx** : `20001` ID - Plug and Play driver install attempted.
- **Security.evtx** :
  - `4663` ID - (Within the Advanced Audit Policy Configuration) Attempt to access removable storage object.
  - `4656` ID - (Within the Advanced Audit Policy Configuration) Failure to access removable storage object.
  - `6416` ID - (Within the Advanced Audit Policy Configuration) A new external device was recognized on system.
- **Microsoft-Windows-Partition%4Diagnostic.evtx** : Will give us *serial number, Manufacturer, Model, PartitionTable, MBR, VBR.*

> Note: Some of the Event IDs referenced above may not be present in the provided evidence.

Here is an example that demonstrates the Volume Boot Record (VBR) section.

##### 3- **JumpLists**
Location: %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
- Will give us *Device Type, Volume Label, Volume Serial Number (part of it), Drive Letter, Files opened on that USB.*

##### 4- setupapi.dev.log
Location: C:\Windows\inf\setupapi.dev.log
- will give us *serial number, connection times, vendor, product, version.*

Now, let’s refocus and proceed with answering the questions.
**Answer:** The drive letter is `G`.
---
#### Q3. what is the make and serial number of the connected USB stick ?
By examining the **USBSTOR** registry key (or the **partition diagnostic event log**), you can retrieve the serial number of the connected USB device: `E0D55EA493BD18A179C50557`. The make is `Kingston`.
However, some sources suggest that the serial number recorded in the registry or in the event log is not necessarily unique to the USB device itself, but rather unique per connection: when multiple USB devices are connected, they may appear to share the same serial number, because it is tied to the connection rather than to the device.
Even so, the serial number can still be relied on as a unique identifier for each connection.
Source: [3MinMax-USB-Part2](https://www.youtube.com/watch?v=76bvtu9-9-g&t=190s) , [3MinMax-USB-Part3](https://www.youtube.com/watch?v=mQkiZt8fgDM), [3MinMax-USB-Part4](https://www.youtube.com/watch?v=vIcPqxinKsk)
**Answer:** `Kingston, E0D55EA493BD18A179C50557`
---
#### Q8. Which user was logged in when the usb drive connected, please specify also the volume GUID of the flash drive?
- `Admin` is the user whose `MountPoints2` key contains the Volume GUID of the USB, and `{0eb1efce-1bc4-11f0-bdde-000c29989bd3}` is that Volume GUID.
**Answer:** `Admin,{0eb1efce-1bc4-11f0-bdde-000c29989bd3}`
---
#### Q9. What is the last removal date and time of the USB drive?
Checking the `USBSTOR` key in the registry.
**Answer:** `04-17-2025,19:44:12`
---
#### Q10. What is the number of partitions and total sectors of every partition on the connected flash drive?
We will now check the `Microsoft-Windows-Partition%4Diagnostic.evtx` file, as it contains everything we need for the remaining questions.

- Partition Table: A very important table; each entry contains the Partition Type, the Bootable Flag, the Starting LBA Address (the starting sector of the file system) and the Size of the partition in sectors.
- MBR (Master Boot Record): This is one of the two boot sector types; it contains the Boot code, the Partition Table and the Disk Marker.
- VBR (Volume Boot Record): This is the first sector of the file system; we reach it through the Starting LBA address.

As shown, there is only one VBR (VBR0), meaning that the disk has only one partition.
So we just need to extract the MBR, where we will find the partition size in sectors:
1. Skip the 446 bytes of boot code; the first 16-byte partition table entry follows.
2. Bytes 12-15 of that entry hold the size in sectors, stored least-significant byte first, so the bytes are reversed to read the value.

size = C0 7F 37 07 == 0x07377FC0 == 121077696
**Answer:** `1,121077696`
---
#### Q11. What is the file system ID and type (e.g., FAT32, NTFS) of the USB drive?
The file system type can be read from byte 4 (one byte at offset 4) of the partition table entry.

partition type = 0x07 = NTFS
**Answer:** 0x07,NTFS
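The partition-table walk used in Q10 and Q11 (skip the 446-byte boot code, then read the type byte at offset 4 and the little-endian size at bytes 12-15 of each 16-byte entry) can be scripted so that every entry is decoded at once. The following is an added example, not code from the write-up: `parse_mbr` handles all four entries and the 0x55AA signature check, and `build_sample_mbr` constructs a 512-byte MBR whose first entry carries the type and size bytes quoted above (the boot code, disk signature and start LBA of 2048 are filler chosen for the example).

```python
"""Parse an MBR partition table: partition count, type ID and size in sectors.

Added example, not from the write-up. The MBR bytes are constructed so that
entry 0 carries the values quoted in the write-up (type 0x07, size bytes
C0 7F 37 07); boot code, disk signature and the start LBA are filler.
"""
import struct

BOOT_CODE_LEN = 446   # the partition table starts right after the boot code
ENTRY_LEN = 16        # four 16-byte entries, then the 0x55AA signature

# Common MBR partition type IDs (byte at offset 4 of an entry).
PARTITION_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 (<32MB)", 0x06: "FAT16", 0x07: "NTFS/exFAT (IFS)",
    0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)", 0xEE: "GPT protective",
}


def parse_mbr(sector: bytes) -> list:
    """Return one dict per non-empty partition entry of a 512-byte MBR."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: 0x55AA signature missing")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        entry = sector[off:off + ENTRY_LEN]
        # <B3sB3sII: boot flag, CHS start, type, CHS end, start LBA, size (little-endian)
        boot, _chs_start, ptype, _chs_end, start_lba, size = struct.unpack("<B3sB3sII", entry)
        if ptype == 0x00:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": boot == 0x80,
            "type_id": ptype,
            "type": PARTITION_TYPES.get(ptype, "unknown"),
            "start_lba": start_lba,          # sector where the VBR lives
            "size_sectors": size,
            "size_raw_hex": entry[12:16].hex(" ").upper(),  # bytes as they sit on disk
        })
    return partitions


def build_sample_mbr() -> bytes:
    """Constructed MBR: one NTFS-typed entry, size 0x07377FC0 sectors."""
    entry0 = struct.pack("<B3sB3sII", 0x00, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                         2048, 0x07377FC0)
    return bytes(BOOT_CODE_LEN) + entry0 + bytes(ENTRY_LEN * 3) + b"\x55\xaa"


if __name__ == "__main__":
    for p in parse_mbr(build_sample_mbr()):
        print(f"entry {p['index']}: type 0x{p['type_id']:02X} ({p['type']}), "
              f"start LBA {p['start_lba']}, size {p['size_raw_hex']} = {p['size_sectors']} sectors")
```

Feeding the MBR bytes recorded in the Partition/Diagnostic event (or sector 0 of an image) to `parse_mbr` gives the partition count as the length of the returned list and the type and size per entry.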
---
#### Q12. What is the volume serial number (VSN) in hex of the USB drive?
The volume serial number appears in the jumplist, as I said, but not in complete form.
We can get the full VSN from the VBR.

VSN = C6 CD A7 E6 11 A8 E6 B8 == B8E6A811E6A7CDC6
Read as a little-endian value the VSN is B8E6A811E6A7CDC6, but the challenge answer expects the bytes as they appear in the VBR.
**Answer:** `C6CDA7E611A8E6B8`
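In an NTFS VBR the 8-byte volume serial number sits at offset 0x48 of the boot sector, which is why the same eight bytes can be reported two ways: in on-disk order, or reversed as a little-endian integer. The following added example (not code from the write-up) reads the VSN and a few neighbouring BPB fields from a boot sector and returns both forms; the VBR it parses is constructed for the example with the VSN bytes quoted above, and the other field values are filler.

```python
"""Read the volume serial number (VSN) from an NTFS Volume Boot Record.

Added example, not from the write-up. The VBR is constructed with only the
fields read here filled in, using the VSN bytes quoted in the write-up; the
sector counts are filler. A real VBR is the sector at the partition's start
LBA, or the VBR blob recorded in the Partition/Diagnostic event.
"""
import struct

VSN_OFFSET = 0x48  # NTFS extended BPB: 8-byte volume serial number


def parse_ntfs_vbr(sector: bytes) -> dict:
    """Validate the NTFS boot sector and return the VSN in both byte orders."""
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_cluster = struct.unpack_from("<QQ", sector, 0x28)
    raw = sector[VSN_OFFSET:VSN_OFFSET + 8]
    vsn_le = struct.unpack("<Q", raw)[0]
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_sectors": total_sectors,
        "mft_cluster": mft_cluster,
        "vsn_raw_hex": raw.hex().upper(),   # bytes as they sit in the VBR
        "vsn_le_hex": f"{vsn_le:016X}",     # same bytes read little-endian
    }


def build_sample_vbr() -> bytes:
    """Constructed NTFS VBR carrying the write-up's VSN bytes."""
    vbr = bytearray(512)
    vbr[0:3] = b"\xEB\x52\x90"          # jump instruction
    vbr[3:11] = b"NTFS    "             # OEM ID
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)              # filler geometry
    struct.pack_into("<QQ", vbr, 0x28, 121077695, 786432)   # filler sector counts
    vbr[VSN_OFFSET:VSN_OFFSET + 8] = bytes.fromhex("C6CDA7E611A8E6B8")
    vbr[510:512] = b"\x55\xaa"
    return bytes(vbr)


if __name__ == "__main__":
    info = parse_ntfs_vbr(build_sample_vbr())
    print("VSN on disk :", info["vsn_raw_hex"])
    print("VSN as int  :", info["vsn_le_hex"])
```

When comparing a VSN against another artifact (a jumplist, for instance, which stores only part of it), check both forms, since tools differ in which one they display.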
#### References:
1. https://dfir.pubpub.org/pub/h78di10n/release/2
2. https://www.youtube.com/@SANSForensics
3. https://hatsoffsecurity.com/2014/06/18/usb-forensics-final-part-aka-pt-7-device-firstlast-plugged-in/