USB Devices in Windows Forensic Analysis

Parsing SetupAPI log for fun and profit!

USB device history can be a great source of evidence during a forensic analysis, when an examiner needs to determine if an external device was connected to a system and how USB devices have been used on a given system.

USB device analysis can vary depending on the Windows version and the type of USB device connected: the type of device will dictate which drivers have been installed on the system and how Windows handles the device.

A great source of information is the setupapi.log (on Windows XP/2000/2003) and the setupapi.dev.log (on Windows Vista/7/8).

setupapi.log – Windows XP/2000/2003

Starting with Windows 2000, and continuing with Windows XP and 2003, the installer system began logging, for debug and troubleshooting purposes, all of the drivers it loaded for devices.

The log was called setupapi.log and was located under %systemdrive%\Windows (more information on this MSDN page: http://msdn.microsoft.com/en-us/library/windows/hardware/ff550882(v=vs.85).aspx)

For more information about interpreting this log, please refer here:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff547657(v=vs.85).aspx

setupAPI.dev.log – Windows Vista/7/8/10

Starting with Windows 7, the setup service log was split into two logs, both in %systemdrive%\windows\inf:

  • setupAPI.dev.log – Device and driver installations
  • setupapi.app.log – Application installations

The MSDN specification for these two logs can be found here: http://msdn.microsoft.com/en-us/library/windows/hardware/ff550887(v=vs.85).aspx

The device log is similar to the prior version.

These log files store all events related to drivers and devices loaded onto the system, with timestamps and the drivers that were loaded.

They allow an examiner to determine:

  • When external devices were plugged in for the first time
  • When a malicious driver was loaded onto a system
  • What drivers were loaded for an unknown device to determine its functionality
  • Whether a device was successfully installed and accessible

How to read these logs?

Below is a typical example of a text-log section that the Plug and Play (PnP) manager created to log entries pertaining to the installation of a PCI device.

>>> [Device Install - PCI\VEN_104C&DEV_8019&SUBSYS_8010104C&REV_00\3&61aaa01&0&38]
>>> 2005/02/13 22:06:20.000: Section start
 ndv: Retrieving device info...
 ndv: Setting device parameters...
 ndv: Building driver list...
... 
... additional section body log entries, which are not shown
... 
<<< [2005/02/13 22:06:28.109: Section end]
<<< [Exit Status(0x00000000)]

In the section header, the section_title field is “Device Install,” the instance_identifier field is the device instance identifier “PCI\VEN_104C&DEV_8019&SUBSYS_8010104C&REV_00\3&61aaa01&0&38,” and the time_stamp field is “2005/02/13 22:06:28.109:.”

In the section footer, the status_value field is “0x00000000” and the time_stamp field is “2005/02/13 22:06:20.000:.”
Only the first three section body log entries are included in this example.

The event level for this example was set to TXTLOG_DETAILS and all category levels were enabled for this example.

For more information, please refer to this Microsoft page: https://docs.microsoft.com/it-it/windows-hardware/drivers/install/format-of-a-text-log-section
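As an added example (not from the original post and not Microsoft's code), a small Python parser for the section structure just described: it reads the ">>>" header with its section_title and instance_identifier, the start and end time_stamp lines and the Exit Status footer, then pulls out the Device Install sections whose instance identifier is a USB or USBSTOR device. It also accepts the Windows 7 layout, where the timestamp follows "Section start"/"Section end" and the exit status is a word such as SUCCESS; the sample log is constructed, and the USBSTOR instance id and its serial are placeholders.

```python
import re
from datetime import datetime

# Constructed sample, not a real capture: the PCI section quoted above plus a
# hypothetical USB mass-storage install in the Windows 7 layout (timestamp after
# "Section start"/"Section end", textual exit status).
SAMPLE_LOG = r"""
>>>  [Device Install - PCI\VEN_104C&DEV_8019&SUBSYS_8010104C&REV_00\3&61aaa01&0&38]
>>>  2005/02/13 22:06:20.000: Section start
<<<  [2005/02/13 22:06:28.109: Section end]
<<<  [Exit Status(0x00000000)]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\PLACEHOLDERSERIAL&0]
>>>  Section start 2012/03/04 09:15:42.118
     ump: Creating Install Process: drvinst.exe
<<<  Section end 2012/03/04 09:15:45.602
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[(?P<title>.+?) - (?P<instance>[^\]]+)\]")
TIMESTAMP = re.compile(r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}")
STATUS = re.compile(r"^<<<\s+\[Exit [Ss]tatus[:(]\s*(?P<status>[^\])]+)")

def to_datetime(match):
    return datetime.strptime(match.group(), "%Y/%m/%d %H:%M:%S.%f")

def parse_sections(text):
    """Split a setupapi log into sections: title, instance id, start, end, status."""
    sections, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:  # ">>>  [section_title - instance_identifier]"
            current = {"title": header["title"], "instance": header["instance"],
                       "start": None, "end": None, "status": None}
            sections.append(current)
        elif current is not None:
            stamp = TIMESTAMP.search(line)
            if line.startswith(">>>") and stamp:   # "Section start" line
                current["start"] = to_datetime(stamp)
            elif line.startswith("<<<"):           # "Section end", then exit status
                if stamp:
                    current["end"] = to_datetime(stamp)
                status = STATUS.match(line)
                if status:
                    current["status"], current = status["status"], None
    return sections

def usb_installs(text):
    """Device Install sections whose instance id is USB or USBSTOR, earliest first."""
    hits = [s for s in parse_sections(text) if s["title"].startswith("Device Install")
            and s["instance"].upper().startswith(("USB\\", "USBSTOR\\"))]
    return sorted(hits, key=lambda s: s["start"] or datetime.min)
```

Body lines between header and footer are skipped here; a fuller parser would keep the "dvi:"/"ndv:" entries to show which driver package was selected.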


But are there tools to automate this process?

Yes, here is a brief list!

usbdeviceforensics

https://github.com/woanware/usbdeviceforensics

Developed by Mark Woan

usbdeviceforensics is a Python script that extracts numerous bits of information regarding USB devices. It initially used the information from a SANS blog post (by Rob Lee) to retrieve operating-system-specific information.

Windows-7-SetupAPI-Parser

https://github.com/djacobs24/Windows-7-SetupAPI-Parser

Developed by Damian Jacobs

This is a Python 3 script that parses a Windows 7 setupapi.dev.log file for USB device install dates. It also searches http://www.linux-usb.org/usb.ids for the vendor and product ID of the USB devices that it finds.

FireEye Highlighter

https://www.fireeye.com/services/freeware/highlighter.html

Highlighter is a free utility designed primarily for security analysts and system administrators.

Enscript – setupapi.dev.log

https://www.guidancesoftware.com/app/Parse-setupapi-dev-log-for-USB-info-v-

This EnCase EnScript was written to parse the Vista/7 ‘setupapi.dev.log’ for USB events.
