Hack Like a Pro: Digital Forensics for the Aspiring Hacker, Part 9 (Finding Storage Device Artifacts in the Registry)

Digital Forensics for the Aspiring Hacker, Part 9 (Finding Storage Device Artifacts in the Registry)

Welcome back, my fledgling hackers!

In this series, I am trying to develop your knowledge of digital forensics, which is valuable whether you're choosing a career in it or just want to know how your hacker activity can be traced. Few professional digital forensic investigators have a hacking background, but the best ones do.

The occupation of digital forensic investigation is a rapidly growing one. Nearly every crime has a digital component these days. This might include things as innocuous as a text message, a Google search, or an email, and law enforcement and civil litigators need trained professionals to find the necessary information and preserve it in a forensically sound manner.

Finding Storage Device Artifacts in a Windows Registry

As I have mentioned in a previous article in this series, the registry in Windows is how Microsoft manages the operating system. As such, it contains volumes of information on who, what, where, and how activity took place on this system. If we know where and how to look in the registry, we can build a strong case of what actually took place there.

In this tutorial, we will focus on finding evidence of storage devices within the registry. Often, the suspect will use a Flash drive or hard drive for their malicious activities and then remove them so as not to leave any evidence. The skilled forensic investigator, though, can still find traces of evidence of those storage devices within the registry, if they know where to look.

Image via Shutterstock

The registry on a Windows system varies a bit from version to version. A skilled, professional digital forensic investigator needs to be able to work with nearly all versions of Windows and other operating systems. Since Windows 7 is still the most widely used operating system, by far, I will be demonstrating on it. Keep in mind, though, that this will vary slightly between versions.

Step 1: Open Regedit

Although a forensic investigator will usually be working on an image file and using a forensic suite, we can clearly demonstrate the principals and locations by using regedit on a live system. In some forensic investigations, you might actually have the need or luxury of working on a live system, but it is rare. Usually, you will be using an image, but the registry remains the same whether live or image.

To open the Registry Editor, type "regedit" at the command prompt. When you do so, it will open the Registry Editor as seen below.

As you remember from a previous tutorial, the registry has five hives.

Step 2: USB Storage Devices

Imagine a case where we suspect that someone installed a keylogger or removed confidential information with a USB drive. How would we find evidence that a USB storage device was inserted and used? To find evidence of USB storage devices, we want to look at the following key.

HK_Local_Machine\System\ControlSet00x\Enum\USBSTOR

In this key, we will find evidence of any USB storage device that has ever been connected to this system. Expand USBSTOR to see a listing of every USB storage device ever connected to this system.

In the screenshot above, I have circled one suspicious looking USB device. When we expand it, it reveals a unique identifier for that device. By clicking on this identifier, we can find much more information about the device.

As you can see in the screenshot above, when we click on the USB storage identifier, it reveals in the right-hand window the Global Unique Identifier (GUID), the friendly name, and the hardware ID, among other things. This may be exactly the evidence we need to tie the suspect to their activity on this system!

Step 3: Mounted Devices

If the suspect used any hardware device that must be mounted to either read or write data (CD-ROM, DVD, hard drive, flash drive, etc.), the registry will record the mounted device. This information is stored at:

HKEY_LOCAL_MACHINE\System\MountedDevices

As you can see below, when we click on this key, it provides us a long list of every device ever mounted on that machine.

If we need further information on any of those mounted devices, we can simply click on it, and it will open a small app that will enable us to read the data in ASCII. As you can see, this device was an IDE CD-ROM manufactured by Teac.

If there is not a TEAC CD_ROM on the system, the forensic investigator now knows that they need to find this piece of hardware to find further evidence of the crime.

The registry is a depository of volumes of information on what happened on a Windows system, and by learning our way around it, we can reconstruct the elements of a crime that it was used for.

Keep coming back, my aspiring forensic investigators, as we explore more ways to find evidence of criminal or malicious activity.

Cover image via Shutterstock

6 Comments

A nice article as usual, OTW.

But I have one question: does Linux also use some kind of registry to store info like this? If so, how can we access it?

-Phoenix750

The Linux OS design and the Windows OS are very different. There is not a central repository of info in Linux, but the same info can be found in different places.

For the information we found here, you will find eveidences in the syslog file. Linux logs nearly everything, so the evidence is there, somewhere. In addition, the /proc directory and the /dev directory hold useful bits of info on the kernel and the devices, respectively. Also, the config files will hold info on software and each config does its own logging, usually.

Probably completely OT but I will ask and apologize if in the wrong forum.
I want to hack my laptop, a Dell vostro, as it has crashed when installing Windows 10. I do not have the setup disc.
I usually use a fingerprint scanner to access but Win 10 doesn't recognize the scanner when in trouble shooting mode.
Is there any way of accessing the password in this instance? I can't afford to get a professional to do it sadly :-(

Thanks

Does anyone know whether a program like Faronics Deep Freeze would prevent these sort of entries being made in the Registry? If it does and you must use a Windows machine it seems a pretty useful bit of kit.

i have a question on another guide, but I thought it would be simpler to ask you on here, every time I try to run hydra with it says

hydra: invalid option -- '-'

Share Your Thoughts

  • Hot
  • Latest