USB Anti-Forensics

by briatych

Disclaimer:  The information in this article is provided for educational purposes only; please do not use it for illegitimate purposes.  This article shows how to eliminate USB traces on Windows 2000 and Windows XP machines.

During criminal investigations, forensic examiners commonly analyze USB activities.  In fact, this sort of analysis is probably one of the very first procedures an investigator will perform during an investigation.

When a USB removable device is connected to a system, information about that device is left in log files and in Windows Registry entries, making it very easy for investigators, with or without forensic software, to identify USB devices such as flash drives, hard drives, iPods, and other electronic devices, and to trace USB activity.

When a device is connected, the Windows Plug-and-Play Manager queries the device's descriptors (its vendor and product identifiers, any serial number and, for mass-storage devices, the SCSI inquiry vendor, product and revision strings) and records them in the registry in order to locate the proper device driver.  This process creates several artifacts which the forensic examiner can later discover.

First, the OS appends a record of the driver installation, including its date and time, to SETUPAPI.LOG in the operating system's installation directory: C:\WINNT\SETUPAPI.LOG on Windows 2000 and C:\Windows\SETUPAPI.LOG on Windows XP.

Second, the OS creates a registry key for the device under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

The sub-key is named from the device type, vendor, product and revision (Disk&Ven_...&Prod_...&Rev_...), and beneath it sits a key named after the device's serial number.  If the device reports no serial, Windows generates an ID with an ampersand in the second position, which tells the examiner that this particular device cannot be uniquely identified from the key alone.

In addition, event log entries are recorded in the Event Viewer.

For Windows 2000 machines, event IDs 134, 135, and 160 are associated with USB removable devices.

Event ID 134 is recorded when a USB device is connected to the computer, Event ID 135 is recorded when a USB device is disconnected from the computer, and Event ID 160 is recorded when a USB device is disconnected using the "Unplug or Eject Hardware" feature (called "Safely Remove Hardware" on Windows XP).

Additionally, the driver and helper files involved, such as USBSTOR.SYS, HOTPLUG.DLL and the executables that service the Plug-and-Play event, are read when the device is handled, so their last-access timestamps also record USB activity and leave remnants throughout the system.
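The two artifacts above share one identifier: the device instance path that SETUPAPI.LOG prints during the install is the same Disk&Ven_...&Prod_...&Rev_...\Serial&0 path that becomes the key under Enum\USBSTOR.  The following is an added example, not code from the article, of how an examiner pulls those records out of an XP-style log and derives the matching registry key; the sample log is constructed to follow the XP setupapi.log layout (a "[date time PID.TID Driver Install]" header followed by "#"-prefixed detail lines), and the function names are mine.

```python
import re

# Constructed sample modelled on the Windows XP setupapi.log layout; it is
# not copied from a real machine.  Two USB mass-storage installs, the
# second from a device that reports no serial number.
SAMPLE_LOG = r"""[2006/09/14 09:12:03 1004.3 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskkingston_datatraveler_2.0_____1.00,usbstor\gendisk,gendisk
#-018 Searching for compatible ID(s): usbstor\disk,usbstor\raw
#I022 Found "GenDisk" in C:\WINDOWS\inf\disk.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".
#I121 Device install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_1.00\5B6A0F5E0F8B&0" finished successfully.
[2006/09/20 18:40:51 1004.7 Driver Install]
#-019 Searching for hardware ID(s): usbstor\diskgeneric_flash_disk_____8.07,usbstor\gendisk,gendisk
#I121 Device install of "USBSTOR\DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07\6&2A4B9C1D&0" finished successfully.
"""

# One header line opens each driver-installation section.
SECTION_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<pidtid>\d+\.\d+) Driver Install\]", re.MULTILINE)

# Device instance path of a USB mass-storage device.  The hardware-ID lines
# (usbstor\diskkingston...) lack the &VEN_ marker and so do not match.
INSTANCE_RE = re.compile(
    r"USBSTOR\\(?P<type>[A-Z]+)&VEN_(?P<vendor>[^&\\]*)&PROD_(?P<product>[^&\\]*)"
    r'&REV_(?P<revision>[^&\\]*)\\(?P<instance>[^\s"]+)', re.IGNORECASE)

USBSTOR_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"


def parse_setupapi_log(text):
    """Return one record per Driver Install section that names a USBSTOR
    device, in log order (the log is append-only, so this is time order)."""
    heads = list(SECTION_RE.finditer(text))
    records = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        m = INSTANCE_RE.search(text, head.end(), end)
        if not m:
            continue  # this section installed something other than USB storage
        instance = m.group("instance")          # e.g. 5B6A0F5E0F8B&0
        serial = instance.rsplit("&", 1)[0]     # drop the trailing &n instance index
        records.append({
            "installed": head.group("date").replace("/", "-") + "T" + head.group("time"),
            "type": m.group("type").upper(),
            "vendor": m.group("vendor"),
            "product": m.group("product"),
            "revision": m.group("revision"),
            "serial": serial,
            # Windows puts '&' in the second position of IDs it generates
            # for devices that report no serial number.
            "generated_serial": len(serial) > 1 and serial[1] == "&",
            # The same path, minus the USBSTOR\ prefix, is the key's name.
            "usbstor_key": USBSTOR_KEY + m.group(0)[len("USBSTOR\\"):],
        })
    return records


def tamper_indicators(text):
    """Sanity checks an examiner applies before trusting the log."""
    findings = []
    heads = list(SECTION_RE.finditer(text))
    if not heads:
        # XP writes Driver Install sections while installing itself, so a
        # log with none at all has been emptied rather than never used.
        findings.append("no Driver Install sections: log emptied or truncated")
    stamps = [h.group("date") + " " + h.group("time") for h in heads]
    if stamps != sorted(stamps):
        # Appended records never run backwards in time.
        findings.append("timestamps out of order: entries edited or clock changed")
    return findings


if __name__ == "__main__":
    for rec in parse_setupapi_log(SAMPLE_LOG):
        print(rec["installed"], rec["vendor"], rec["product"], rec["serial"],
              "(generated)" if rec["generated_serial"] else "", rec["usbstor_key"])
    print("indicators:", tamper_indicators(SAMPLE_LOG))
```

Run against a real log the parser gives the first-connection time of every USB disk the machine has seen, and the derived key names are exactly what the examiner looks for (and expects to find missing, if step 3 below was followed) under each ControlSet's Enum\USBSTOR.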

From time to time, and for legitimate security reasons, a user may need to eliminate USB traces from a computer system.  If you find yourself in this situation, proceed as follows:

1.)  Open Windows Event Viewer.  Right-click on the "System Log" and select "Clear All Events."  Since you are already there, you might as well clear the Application and Security Logs, but be aware that clearing the Security Log is itself audited: Windows writes event ID 517 ("The audit log was cleared") as the first entry of the fresh log.

2.)  Locate SETUPAPI.LOG.  Do not delete the file; a deleted file can often be recovered by the examiner, and its absence from a system that logged its own installation is conspicuous.  Instead, open the file in a text editor such as Notepad, select its entire contents, delete them, and save the file.  Windows keeps appending to the file from then on, so be aware that the new log will begin with a timestamp long after the system's installation date, and an examiner who notices that gap knows the log was emptied.

3.)  Next, open the Windows Registry Editor and delete the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR.  If the editor refuses with an access-denied error, grant Administrators Full Control on the key first (Permissions in Regedit on XP, Regedt32 on Windows 2000) and try again.

Do the same for every ControlSet (CurrentControlSet, ControlSet001, ControlSet002, and so on).  Do not delete any other registry key, as this would make it obvious that someone was tampering with the registry.  If you delete only the USBSTOR key, an examiner may instead assume that no USB device was connected to the system.  That assumption only holds if the device is gone from the other places the registry records it: its parent key under Enum\USB (named VID_xxxx&PID_yyyy, with the same serial beneath it), the disk and volume interface entries under Control\DeviceClasses, which embed the same device identifiers, and the per-user MountPoints2 key in each NTUSER.DAT hive.  Deleting a key also does not scrub it from the hive file; the bytes stay in unallocated space inside the hive until reused, and hive-carving tools recover them.

4.)  While still in the Registry Editor, delete the key HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices, and make sure to restart the computer afterwards.  The key maps drive letters and volume GUIDs to volumes, and for a USB drive its value spells out the same USBSTOR device string, serial included, that step 3 removed.  Windows rebuilds the list at boot, so a deleted key simply comes back fresh, whereas a missing or half-edited one would raise a flag for the investigator.  Note that the mappings for fixed disks are rebuilt too, so drive letters on multi-partition or multi-disk systems may come back in a different order.

5.)  Last, run a full system virus scan; reading every file updates each file's NTFS last-access timestamp, which removes the tell-tale access dates of files such as USBSTOR.SYS and HOTPLUG.DLL that are analyzed during criminal investigations.  Check a few of them afterwards with dir /ta: NTFS last-access updates can be switched off (the NtfsDisableLastAccessUpdate registry value), and some scanners deliberately restore the original access time after reading a file, in which case the scan changes nothing.
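To see why step 4 matters, it helps to decode what MountedDevices actually stores.  The following is an added example, not code from the article: a decoder for the two value layouts found in that key, the 12-byte value of an MBR partition (4-byte disk signature followed by an 8-byte little-endian partition offset) and the UTF-16LE "_??_USBSTOR#...#{volume interface GUID}" string of a USB volume, plus the cross-reference an examiner makes from a drive letter to the \??\Volume{GUID} name that the user's MountPoints2 key reuses.  The sample values are constructed and the function names are mine.

```python
import struct

# GUID_DEVINTERFACE_VOLUME, the suffix Windows appends to USB volume names.
VOLUME_INTERFACE_GUID = "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"


def usbstor_volume_value(device, instance):
    """Build the UTF-16LE string Windows stores for a USB mass-storage volume."""
    return ("_??_USBSTOR#%s#%s#%s" % (device, instance, VOLUME_INTERFACE_GUID)).encode("utf-16-le")


def mbr_partition_value(disk_signature_hex, byte_offset):
    """Build the 12-byte value Windows stores for a partition on an MBR disk."""
    return bytes.fromhex(disk_signature_hex) + struct.pack("<Q", byte_offset)


# Constructed sample of the key's values (value name -> REG_BINARY data):
# a system partition on a fixed disk and one USB flash drive that was
# assigned E:.  Each volume appears twice, once per drive letter and once
# per volume GUID, with identical data.
USB_FLASH = usbstor_volume_value("Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_1.00", "5B6A0F5E0F8B&0")
SYSTEM_PART = mbr_partition_value("2e8c3a91", 63 * 512)
SAMPLE_MOUNTED_DEVICES = {
    "\\DosDevices\\C:": SYSTEM_PART,
    "\\??\\Volume{8f3d2a6f-1c4b-11db-9a5e-806d6172696f}": SYSTEM_PART,
    "\\DosDevices\\E:": USB_FLASH,
    "\\??\\Volume{8f3d2a6e-1c4b-11db-9a5e-806d6172696f}": USB_FLASH,
}


def decode_mounted_device(data):
    """Decode one MountedDevices value into a dict describing the volume."""
    if len(data) == 12:
        (offset,) = struct.unpack("<Q", data[4:])
        return {"kind": "fixed", "disk_signature": data[:4].hex(), "partition_offset": offset}
    text = data.decode("utf-16-le")
    if text.startswith("_??_USBSTOR#"):
        _, device, instance, guid = text.split("#", 3)
        return {
            "kind": "usbstor",
            "device": device,                           # Disk&Ven_...&Prod_...&Rev_...
            "instance": instance,                       # SERIAL&0, as under Enum\USBSTOR
            "serial": instance.rsplit("&", 1)[0],
            "interface_guid": guid,
        }
    return {"kind": "other", "text": text}


def usb_volumes(mounted):
    """Every value name (drive letter or volume GUID) that pointed at a USB device."""
    return {name: rec for name, rec in
            ((n, decode_mounted_device(d)) for n, d in mounted.items())
            if rec["kind"] == "usbstor"}


def correlate_letters(mounted):
    """Map each drive letter to the volume GUID names carrying identical data.
    Those GUIDs are the sub-key names an examiner then looks for under
    Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2
    in each user's NTUSER.DAT, which step 4 does not touch."""
    pairs = {}
    for name, data in mounted.items():
        if name.startswith("\\DosDevices\\"):
            pairs[name[-2:]] = [n for n, d in mounted.items()
                                if n.startswith("\\??\\Volume{") and d == data]
    return pairs


if __name__ == "__main__":
    for name, rec in usb_volumes(SAMPLE_MOUNTED_DEVICES).items():
        print(name, "->", rec["device"], "serial", rec["serial"])
    print(correlate_letters(SAMPLE_MOUNTED_DEVICES))
```

The point for the procedure: the USB string in MountedDevices is the USBSTOR path from step 3 verbatim, so wiping one without the other leaves a contradiction, and the volume GUID it sits under persists in the user hive even after the reboot recreates the key.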

It is important to point out that further remnants remain throughout the system.  They are less commonly checked than the artifacts above, but do not count on an examiner, average or advanced, overlooking them.

You can go the extra mile by deleting the contents of the PREFETCH folder (its .pf files record which programs ran and when, including the tools you used for the steps above), and then running a full system maintenance routine: delete temporary files, run a disk defragmenter, and so on.  The DLLCACHE folder is Windows File Protection's store of pristine system files and holds no USB history, so emptying it gains nothing.

With the above procedures you can make it very difficult for a prosecutor to substantiate a case based on forensic evidence of USB activity.

In criminal cases, prosecutors can argue spoliation of evidence if they can show withholding, hiding, or destruction of evidence relevant to a legal proceeding.  This is easy to argue if someone destroys or wipes a hard drive; however, it is more difficult for prosecutors to make such a showing when routine cleaning and maintenance were performed in order to improve system performance.
