Archive for windows 10

Introducing USB Detective

USB device forensics can be difficult.  It is fraught with a number of caveats.  The data points that can be relied upon vary based on the specific version of Windows, the type of USB device, the type of drive on which the operating system is installed, and more.  Compounding these, Windows 10 further complicated things with the device cleanup process, which removes USB device-related records from locations that have long been relied upon by tools and examiners.  To help combat these issues and more, I developed USB Detective.

For those that want to skip the details below, USB Detective can be downloaded from  There are two versions of USB Detective: community and professional.  The community version can be freely downloaded and the professional version can be purchased from the site.  Note that you must have .NET version 4.6 or higher installed to run USB Detective!

USB Detective aims to ease the burden on the examiner by visually distinguishing attributes with inconsistent timestamps from those with multiple corroborating sources.  This is accomplished by leveraging numerous data points for the identification of USB device attributes such as the first connected and last connected time.  USB Detective organizes its findings in a way that allows for easy reporting to non-technical individuals or in-depth analysis and reporting for examiners.  The source of every value reported by USB Detective is also maintained to allow the examiner to verify and document the results.

Timestamp (In)Consistency

Associating a single data point with a specific event, such as a device connection or disconnection, can be problematic if the examiner ignores the context of the data point.  For example, the Enum\USB subkey hierarchy in the SYSTEM hive is a well-known location for, in some cases, identifying the last time a USB device was connected to a system.  However, this subkey hierarchy can be updated through events that result in the Last Write time of all subkeys in the hierarchy being updated to the same date and time.  This is a well-known behavior, but one that an examiner must be cognizant of during analysis.  In many cases, there are other data points available that accurately reflect the targeted event.

Investigating multiple data points known to be tied to the target event allows the examiner to identify corroborating timestamps and determine the overall consistency across the data points.  For example, an examiner taking this approach may determine that four out of five of the data points (subkeys, values, log entries, etc.) known to be associated with the target event are the same or within a couple of seconds of one another.  This would likely increase the examiner’s confidence in his or her findings and help to identify unreliable data points on the system under investigation.

USB Detective takes into account multiple data points that are available for some of the key USB device attributes such as first connected, last connected, volume name, and more.  After compiling all queried timestamps associated with a specific event, the gathered timestamps are compared and the consistency of the reported timestamp is displayed to the user via USB Detective’s consistency level color-coding.  This allows the examiner to quickly identify the specific attributes that have inconsistent timestamps and those that have multiple sources of corroborating data.

USB Detective Results Grid

Windows 10 Woes

Windows 10 (and some earlier versions) removes some of the most well-known USB device artifacts through its “device cleanup” procedure for devices that have not been recently used by the system.  David Cowen reported this in April last year and described a scheduled task that will remove many common USB device registry subkeys during the process, including those in USBSTOR, USB, WPDBUSENUM, and STORAGE.  In other words, USB device entries in these locations are removed during the device cleanup procedure.  I have observed that a similar action occurs during Windows upgrades, such as upgrading to the Fall Creator’s edition of Windows.  During the upgrade, USB storage device-related entries will be removed from many of the well-known locations, including the four subkeys mentioned earlier.  This is obviously problematic when it comes to USB device analysis.  If a tool or examiner is relying only on the common USB device locations, information about many devices could be missed.

Before Windows Upgrade After Windows Upgrade

In addition to the common areas such as USBSTOR, USB Detective probes many other locations – including some that are not currently covered by the device cleanup procedure performed by Windows.  In many cases, the last disconnect time of devices that have been cleared by the device cleanup procedure will still be available (in addition to device serial, description, volume name, and more).  The date/time that a device was removed via the device cleanup procedure is also identified and reported by USB Detective.  Knowing when a device was removed by the device cleanup procedure can help to provide clarity to the examiner with regard to why certain information about some devices is unavailable.  If multiple versions of the registry hives (including amcache hives) are available from volume shadow copies or other means, they can all be fed into USB Detective in order to build a more complete picture of USB device activity on a system.

USB Detective aims to simplify the USB device analysis process by identifying USB device data from dozens of locations, reporting key USB device attributes, and highlighting conflicting and corroborating data points.  There are many additional features not mentioned here that are currently available in USB Detective as well as many others on the road map for later release.  To learn more about USB Detective or to try it out, visit

Amcache and USB Device Tracking

Eric Zimmerman recently posted about updates to the amcache in Windows 10.  There are numerous additions to the new amcache format, including information about application shortcuts, device containers, and more.  This post is focused on the new information concerning storage devices tracked in the amcache, specifically in the Root\InventoryDevicePnp key.

Some of the useful bits of data that can be found through analysis of the amcache include device serial numbers, descriptions (e.g. FriendlyName-like values), volume names, VID/PID data, and more.  When a USB storage device is connected to a system, multiple subkeys in the amcache are created under Root\InventoryDevicePnp.  The following four keys have been observed to be associated with a device connection:

  1. swd/wpdbusenum/_??_usbstor#disk&ven_{manufacturer}&prod_{model}&rev_{rev}#{S/N or UID}#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} (WPD class subkey)
  2. usbstor/disk&ven_{manufacturer}&prod_{model}&rev_{rev}/{S/N or UID} (diskdrive class subkey)
  3. storage/volume/_??_usbstor#disk&ven_{manufacturer}&prod_{model}&rev_{rev}#{S/N or UID}#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} (volume class subkey)
  4.  usb/vid_{VID}&pid_{PID}/{S/N or UID} (USB class subkey)

Each of these four subkeys is created under Root\InventoryDevicePnp and will hold information about a connected device, with some information duplicated across two or more of the subkeys.  The Container ID of the device is present in each of the subkeys and can be used to easily link the information from each subkey.  The Container ID is helpful in tracking a device across other artifacts on a system as well since it is present in the USBSTOR subkey, the DeviceContainers subkey, and more.  Of the four subkeys listed above, the WPD class and diskdrive class subkey appear to contain the most useful information for identifying and profiling a USB device.

WPD Class Subkey

The WPD class subkey contains information such as the manufacturer, model/description, and the volume name/label of the device. Interestingly, I’ve seen instances in my testing where the volume name of a device is populated in the WPD class subkey when it is not available in other locations that it often exists (e.g. Windows Portable Devices key in the SOFTWARE hive).  This alone makes the WPD class subkey worth checking in order to help build a more complete profile of a USB device.

WPD Class Subkey

Diskdrive Class Subkey

The diskdrive class subkey contains information such as a description of the device (e.g. TOSHIBA External 3.0 USB Device) and the device serial number. The device serial number, along with VID/PID data, can be obtained from the ParentId value as well as the name of the subkey itself.  An example of a diskdrive class subkey name is: “usbstor/disk&ven_kingston&prod_dt_101_g2&rev_1.00/001372995dddcb6185180cdb&0”.

diskdrive Class Subkey

In my testing, the LastWrite time of all four class subkeys in the InventoryDevicePnp key is the same and is updated when a device is first connected, but it also appears to be updated through events outside of device connection/disconnection.  As such, the LastWrite time of these subkeys does not appear to be a reliable indicator of a connection or disconnection event.  I’ve also found that the subkeys related to some USB devices are quickly rolled out of the InventoryDevicePnp key.  In some instances, the most recently connected USB device was deleted after a system restart.  In other cases, the subkeys remained in the InventoryDevicePnp for some time.

The amcache doesn’t store the depth of USB device information found in the SYSTEM hive or other well-known locations, but it provides an additional data point that helps to corroborate and/or supplement data harvested from other areas.  For example, the Description value of the WPD class subkey can be used to gather the volume name/label of a device that was discovered through analysis of the SYSTEM hive by using the device serial or Container ID to correlate the two data points.  This method of analysis – using multiple data points across a system – will help to build a more complete profile of connected devices as well as increase your overall confidence in your findings.

Fun with Recycle Bin $I Files & Windows 10

A few weeks back, I found myself in need of a free tool to parse $I files from Windows Vista+ recycle bins.  For anyone needing a refresher, $I files store metadata regarding the act of sending a file to the recycle bin in Windows Vista and later.  These $I files essentially replace the functionality of the INFO2 file used in Windows XP and store information such as the name and original path of a file before it was sent to the recycle bin as well as the time the file was sent to the recycle bin.  The file format itself is trivial to manually parse in a hex editor, but I wanted to be able to demonstrate the value of the $I files to students in a class I was teaching without the need for a hex editor.  I also wanted the students to be able to easily parse these files on their own.  I was aware of a couple of free tools that parse $I files, but couldn’t find one that was exactly what I was looking for – so I decided to write one and provide it to my students. I doubt that I’m the only one to encounter this, so I’ve released this simple $I file parser in case someone else finds that they have a need for it.  The link is at the bottom of this post for those interested.

One of the intriguing things I came across in writing this tool is that $I files from Windows 10 recycle bins vary slightly from those in Vista through 8.1.  The change is not significant, but it is enough to potentially throw off some $I file parsers.  The slight change also provides us with the ability to distinguish between $I files originating from a Windows 10 system and those originating from a Vista/7/8/8.1 system.  This piece of information could be important in some instances.  For example, if you encounter an $I file in the unallocated space of a Windows 10 system, you could determine if that file was an artifact from a previous non-Windows 10 installation.  Given the ability to distinguish Windows 10 $I files from previous versions, I’ve included a version field in the output of my $I file parser so that this information is reported.The difference I’ve noted between the Windows 10 $I file structure and that from previous versions of Windows is detailed below.

$I structure prior to Win 10

Windows 10 $I structure





As you can see, the only structural change in the Windows 10 version appears to be the addition of the file name length field at offset 24.  This will typically result in $I files from Windows 10 systems being smaller than in prior versions since the $I file is only as large as it needs to be.  In prior versions, each $I file was a static 544 bytes.  While not structural, another change can be found in the header/version field.  The header field for Vista, 7, 8, and 8.1 is 0x01, while this field is 0x02 for Windows 10.  This makes it very easy to distinguish between the two versions when parsing.

For those interested, the link to download my $I file parser can be found on the download page here.