Pages

Saturday, August 18, 2012

Tracking USB First insertion in Event logs

The tracking of USB removable disks has been discussed and analyzed in detail with the usual methods of looking at the windows registry for plugged in devices (USBSTOR keys), registry shell bags, SetupApi logs, etc.

A while back researching something else I happened to hit upon an artifact not known for this purpose, the 'Windows Event Log'. The first time a USB device is inserted into your windows PC, it is logged in a little obscure log which is maintained for the 'ReadyBoost' functionality. This is only true for Windows Vista and above, as XP did not have ReadyBoost. For more information on ReadyBoost refer here

Whenever a new drive is connected to a windows system, windows will test that drive's read/write speed by creating a file on that drive and then deleting it. And this result is logged in the ReadyBoost log. From an investigator point to view, this does not give us too much information about the connected disk, but it does give some useful information, notably the name of the disk, sometimes the size (as shown in pic below) and the date/time when device was first connected to that system. This should correlate to the SetupApi log date/time. 

ReadyBoost Operational log under Windows Event Viewer

The messages are usually under EventID 1000-1023 with 1015 and 1016 being irrelevant (performance calculations for booting). It even logs the devices that are not disks such as 3G dongles and non-USB devices such as mounted VHD files with messages such as these:

This was for a partition on a mounted VHD file.
The date/time of log matches the date/time when partition was created.

When a new 3G dongle was plugged in..

When an IronKey was plugged in..

With this artifact, we have one more thing to confirm the date of first insertion of a device. This should be useful in cases where sometimes the registry keys make it difficult to confirm dates or device names/types.

The full path of this event log file on the system is
'C:\Windows\System32\winevt\Microsoft-Windows-ReadyBoost%4Operational.evtx'.

In the windows event viewer, you can view this log under
'Applications and service logs\Microsoft\Windows\ReadyBoost\Operational'. 

3 comments:

  1. Nice artifact, Yogesh. Given the lack of adoption of ReadyBoost by consumers, I'm guessing we won't see this one after Windows 7.

    This reminds me of one of my favorite Event Log artifacts for removable media: the "UserPnp" events now present in the Windows 7 System Log. Event ID 20001 provides information similar to the setupapi.dev.log, but formatted like the USBSTOR registry key.

    ReplyDelete
    Replies
    1. I'm happy to report that this Event Log is indeed present in the Windows 8 RTM.

      Delete
    2. I figured I would share this on here since Chad mentioned it.

      sourcetype=WinEventLog:System EventCode="20001" |dedup Message |rex field=Message "Driver Management concluded the process to install driver (?.*) for Device Instance ID (?.*) with the following status: (?0x0)" |search driver_name="*\disk.inf" NOT driver_name="*\flpydisk.inf" |table _time usb_info status

      Delete