GitBook: [master] 2 pages and 16 assets modified

forensics/basic-forensics-esp/windows-forensics/README.md

@@ -70,6 +70,18 @@ This information can be useful to recover those files in case they were removed.
 
 Also, the **date created of the link** file is the first **time** the original file was **first** **used** and the **date** **modified** of the link file is the **last** **time** the origin file was used.
 
+To inspect these files you can use [**LinkParser**](http://4discovery.com/our-tools/).
+
+In this tools you will find 2 set of timestamps: **FileModifiedDate**, **FileAccessDate** and **FileCreationDate**, and **LinkModifiedDate**, **LinkAccessDate** and **LinkCreationDate**. The first set of timestamp references the **timestamps of the link file itself**. The second set references the **timestamps of the linked file**.
+
+You can get the same information running the Windows cli tool: [**LECmd.exe**](https://github.com/EricZimmerman/LECmd)\*\*\*\*
+
+```text
+LECmd.exe -d C:\Users\student\Desktop\LNKs --csv C:\Users\student\Desktop\LNKs
+```
+
+In this case the information is going to be saved inside a CSV file.
+
 ### Jumplists
 
 These are the recent files that are indicated per application. It's the list of **recent files used by an application** that you can access on each application.
@@ -79,16 +91,50 @@ They can be created **automatically or be custom**.
 The **jumplists** created automatically are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\`.  
 The jumplists are named following the format `{id}.autmaticDestinations-ms` where the initial ID is the ID of the application.
 
-The custom jumlists are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestination\` and they are created by the application usually because something **important** has happened with the file \(maybe marked as favorite\)
+The custom jumplists are stored in `C:\Users\{username}\AppData\Roaming\Microsoft\Windows\Recent\CustomDestination\` and they are created by the application usually because something **important** has happened with the file \(maybe marked as favorite\)
 
-The **created time** of any jumlist indicates the **first time the file was accessed** and the **modified time the last time**.
+The **created time** of any jumplist indicates the **first time the file was accessed** and the **modified time the last time**.
 
-You can inspect the jumlists using [**JumplistExplorer**](https://ericzimmerman.github.io/#!index.md).
+You can inspect the jumplists using [**JumplistExplorer**](https://ericzimmerman.github.io/#!index.md).
+
+![](../../../.gitbook/assets/image%20%28478%29.png)
+
+\(_Note that the timestamps provided by JumplistExplorer are related to the jumplist file itself_\)
 
 ### Shellbags
 
 [**Follow this link to learn what are the shellbags.**](interesting-windows-registry-keys.md#shellbags)\*\*\*\*
 
+## Use of Windows USBs
+
+It's possible to identify that a USB device was used thanks to the creation of:
+
+* Windows Recent Folder
+* Microsoft Office Recent Folder
+* Jumplists
+
+Note that some LNK file instead of pointing to the original path, points to the WPDNSE folder:
+
+![](../../../.gitbook/assets/image%20%28487%29.png)
+
+The files in the folder WPDNSE are a copy of the original ones, then won't survive a restart of the PC and the GUID is taken from a shellbag.
+
+### Registry Information
+
+[Check this page to learn](interesting-windows-registry-keys.md#usb-information) which registry keys contains interesting information about USB connected devices.
+
+### setupapi
+
+Check the file `C:\Windows\inf\setupapi.dev.log` to get the timestamps about when the USB connection was produced \(search for `Section start`\).
+
+![](../../../.gitbook/assets/image%20%28490%29.png)
+
+### USB Detective
+
+\*\*\*\*[**USBDetective**](https://usbdetective.com/) can be used to obtain information about the USB devices that have been connected to an image.
+
+![](../../../.gitbook/assets/image%20%28480%29.png)
+
 ## Windows Events
 
 Information that appears inside Windows events:
@@ -218,6 +264,7 @@ In `SAM\Domains\Account\Users` you can obtain the username, the RID, last logon,
 
 ### Interesting entries in the Windows Registry
 
-#### \*\*\*\*
+{% page-ref page="interesting-windows-registry-keys.md" %}
+
+
 
-* 

forensics/basic-forensics-esp/windows-forensics/interesting-windows-registry-keys.md

@@ -104,7 +104,72 @@ Desktop Access:
 * `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU`
 * `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags`
 
-To analyze the Shellbags you can use [**Shellbag Explorer**](https://ericzimmerman.github.io/#!index.md) ****and you will be able to find the **MAC time of the folder** and also the **creation date and modified date of the shellba**g which are related with the f**irst time the folder was accessed and the last time**.
+To analyze the Shellbags you can use [**Shellbag Explorer**](https://ericzimmerman.github.io/#!index.md) ****and you will be able to find the **MAC time of the folder** and also the **creation date and modified date of the shellbag** which are related with the **first time the folder was accessed and the last time**.
+
+Note 2 things from the following image:
+
+1. We know the **name of the folders of the USB** that was inserted in **E:**
+2. We know when the **shellbag was created and modified** and when the folder was created an accessed
+
+![](../../../.gitbook/assets/image%20%28475%29.png)
+
+## USB information
+
+### Device Info
+
+The registry `HKLM\SYSTEM\ControlSet001\Enum\USBSTOR` monitors each USB device that has been connected to the PC.  
+Within this registry it's possible to find:
+
+* The manufacturer's name
+* The product name and version
+* The Device Class ID
+* The volume name \(in the following images the volume name is the highlighted subkey\)
 
 
 
+![](../../../.gitbook/assets/image%20%28489%29.png)
+
+![](../../../.gitbook/assets/image%20%28481%29.png)
+
+Moreover, checking the registry `HKLM\SYSTEM\ControlSet001\Enum\USB`  and comparing the values of the sub-keys it's possible to find the VID value
+
+![](../../../.gitbook/assets/image%20%28476%29.png)
+
+
+
+With the previous information the registry `SOFTWARE\Microsoft\Windows Portable Devices\Devices` can be used to obtain the **`{GUID}`**:
+
+![](../../../.gitbook/assets/image%20%28486%29.png)
+
+### User that used the device
+
+Having the **{GUID}** of the device it's now possible to **check all the NTUDER.DAT hives of all the users** searching for the GUID until you find it in one of them \(`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2`\)
+
+![](../../../.gitbook/assets/image%20%28485%29.png)
+
+### Last mounted
+
+Checking the registry `System\MoutedDevices` it's possible to find out **which device was the last one mounted**. In the following image check how the last device mounted in `E:` is the Thoshiba one \(using the tool Registry Explorer\).
+
+![](../../../.gitbook/assets/image%20%28483%29.png)
+
+### Volume Serial Number
+
+In `Software\Microsoft\Windows NT\CurrentVersion\EMDMgmt` you can find the volume serial number. **Knowing the volume name and the volume serial number you can correlate the information** from LNK files that uses that information.
+
+Note that when a USB device is formatted:
+
+* A new volume name is created
+* A new volume serial number is created
+* The physical serial number is kept
+
+### Timestamps
+
+In `System\ControlSet001\Enum\USBSTOR{VEN_PROD_VERSION}{USB serial}\Properties{83da6326-97a6-4088-9453-a1923f573b29}\` you can find the first and last time the device was connected:
+
+* 0064 -- First connection
+* 0066 -- Last connection
+* 0067 -- Disconnection
+
+![](../../../.gitbook/assets/image%20%28488%29.png)
+