
Improve USB plugin with more artefacts

Open Schamper opened this issue 1 year ago • 1 comment

Can use https://github.com/khyrenz/parseusbs for reference.

Schamper avatar Jul 31 '24 16:07 Schamper

Executed target-query -f usb against the image provided by @khyrenz at https://www.khyrenz.com/resources to match the test results of https://github.com/khyrenz/tool_validation/blob/main/usb_connection_reports/Khyrenz%20-%20Tool_Validation_Report%20-%20USB%20Connections%20-%20parseUSBs%201.4.4.pdf.

Values in bold are at first glance incorrect/missing.

| Device Friendly Name | iSerial Number | First Connected | Last Connected | Last Removed | Other Connections | Other Disconnections | Drive Letter | Volume Name | Volume Serial Numbers | User |
|---|---|---|---|---|---|---|---|---|---|---|
| General UDisk USB Device | 7&f810be1&0&_&0 | 2023-03-04 17:55:41 | 2023-03-04 18:43:31 | 2023-03-04 19:29:47 | N/A | N/A | E:\ | | \??\Volume{0cd210fb-ba8c-11ed-86fe-000c2968ee15} | user |
| Generic Flash Disk USB Device | EFC74121&0 | 2023-03-04 18:08:48 | 2023-03-04 18:08:48 | N/A | N/A | N/A | N/A | HEDGEHOG | \??\Volume{0cd21180-ba8c-11ed-86fe-000c2968ee15} | user |
| Specific STORAGE DEVICE USB Device | 60875343&0 | 2023-03-04 17:19:12 | 2023-03-04 17:34:22 | 2023-03-04 17:47:08 | N/A | N/A | N/A | BAND | \??\Volume{0cd21023-ba8c-11ed-86fe-000c2968ee15} | user |
| VendorCo ProductCode USB Device | 7918331133733033&0 | 2023-03-04 16:11:36 | 2023-03-04 16:11:36 | 2023-03-04 16:34:07 | N/A | N/A | N/A | ROSE | \??\Volume{0cd20e1f-ba8c-11ed-86fe-000c2968ee15} | user |

Observations:

  • Volume Serial Numbers and filesystem type (should be something like ExFAT) are incorrect. Not sure how to resolve this at the moment.
  • Other Connections and Other Disconnections are likely retrieved from evtx, which we do parse but do not yield usb records for specifically.
  • A fifth entry is missing entirely; this is a Samsung PSSD T7 device.
  • Serial numbers are parsed with & values in them.

The missing Samsung disk can be found in the EVTX, but its serial number is reversed for some reason(?). The report suggests S5TANK..., here it ends with ...KNAT5S.

<filesystem/windows/evtx hostname='DESKTOP-1V9DD1F' domain=None ts=2023-03-05 23:46:07.057306+00:00 Provider_Name='Microsoft-Windows-StorPort' EventID=500 AbortSupported='0' AdapterGuid='{130FD20C-8CBA-ED11-86FE-000C2968EE15}' BootDevice='0' Cdb='28000000000000001000' CdbLength='10' Channel='Microsoft-Windows-Storage-Storport/Operational' ClassDeviceGuid='{5CA8B1A9-40C0-0433-E9CE-A70E8A95BA88}' Computer='DESKTOP-1V9DD1F' Correlation_ActivityID=None Correlation_RelatedActivityID=None EventID_Qualifiers=None EventRecordID='222' Execution_ProcessID='8716' Execution_ThreadID='184' Keywords='0x800080000000000' LUN='0' Level='3' MiniportName='UASPStor' Opcode='0' PathID='0' PortNumber='4' ProductId='PSSD T7 ' Provider_Guid='{1E6A63C4-8679-4646-BF10-7BC3B4A76E8E}' Security_UserID=None SerialNumber='A283205N0KNAT5S' SrbFunction='0' SrbTimeout='15' TargetID='0' Task='0' VendorId='Samsung ' Version='4' source='sysvol\windows\system32\winevt\logs\Microsoft-Windows-Storage-Storport%4Operational.evtx'>

Todo: This issue should focus on exploring expanding the current usb.py plugin with evtx parsing capabilities. Renaming the current class/functions to usb_regf and creating a new usb_evtx function/class. The plugin should probably also be moved one folder up to the windows/ folder from the current windows/regf folder.

lhaagsma avatar Jul 11 '25 09:07 lhaagsma
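The two normalisations the observations above point at, as an added standalone Python sketch that is not part of dissect.target: splitting the `&<n>` instance suffix off USBSTOR serials and flagging the Windows-generated ids, and mapping a StorPort EventID 500 record to a USB-style record with the serial reversed. The record attribute format is taken from the repr quoted above; the attribute regex, the sample record (trimmed) and treating the serial as a whole-string reversal are assumptions.

```python
import re
from typing import Optional

# Constructed sample: the StorPort EventID 500 record quoted above, trimmed to
# the attributes used here (dissect's record repr format, assumed here).
SAMPLE_EVTX = (
    "<filesystem/windows/evtx ts=2023-03-05 23:46:07.057306+00:00 "
    "Provider_Name='Microsoft-Windows-StorPort' EventID=500 MiniportName='UASPStor' "
    "ProductId='PSSD T7 ' SerialNumber='A283205N0KNAT5S' VendorId='Samsung '>"
)

# key=value pairs; values are single-quoted or bare. A bare value may contain a
# space (the ts field), so a value ends only before the next key or the final '>'.
ATTR_RE = re.compile(r"(\w+)=(?:'([^']*)'|(.+?))(?=\s\w+=|>$)")


def parse_record_attrs(line: str) -> dict:
    """Parse the attributes of one record repr line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ATTR_RE.finditer(line)}

def normalize_usbstor_serial(instance_id: str) -> tuple:
    """Return (serial, windows_generated) for a USBSTOR instance id.

    Windows appends '&<n>' to a device-supplied serial ('EFC74121&0' ->
    'EFC74121'). If the device reports no serial, Windows generates an id with
    '&' as its second character ('7&f810be1&0&_&0'); that id does not identify
    the device, so it is returned unchanged and flagged.
    """
    if len(instance_id) > 1 and instance_id[1] == "&":
        return instance_id, True
    return instance_id.rsplit("&", 1)[0], False

def storport_usb_event(line: str) -> Optional[dict]:
    """Map a StorPort EventID 500 record to a USB-style record, or None.

    The serial in this event is the reverse of what the report shows
    ('A283205N0KNAT5S' vs 'S5TANK...'); reversing the whole string is the
    assumption applied here. VendorId/ProductId are space padded SCSI fields.
    """
    attrs = parse_record_attrs(line)
    if attrs.get("Provider_Name") != "Microsoft-Windows-StorPort" or attrs.get("EventID") != "500":
        return None
    return {
        "ts": attrs["ts"],
        "vendor": attrs["VendorId"].strip(),
        "product": attrs["ProductId"].strip(),
        "serial": attrs["SerialNumber"][::-1],
        "serial_as_logged": attrs["SerialNumber"],
    }
```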