diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
index 32d7353..65b6e5b 100644
--- a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
+++ b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
@@ -1,43 +1,68 @@
// TODO: There is more here. Check http://www.forensicswiki.org/wiki/USB_History_Viewing
function print_table_row(cell01,cell02) {
println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
}
// Global vars
var val;
+// Preload MountedDevices to possibly identify mount points of USB storage devices
+var mnt_keys=GetRegistryKeys("\\MountedDevices");
+var mnt_values=new Array();
+for(var i=0;i<mnt_keys.length;i++) {
+ val=GetRegistryKeyValue("\\MountedDevices",mnt_keys[i]);
+ mnt_values[i]=RegistryKeyValueToVariant(val.value,"utf16");
+}
+
// Get current controlset
var cur_controlset=GetRegistryKeyValue("\\Select","Current");
cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
// Current holds a DWORD value, thus we get a string like 0x00000000, but
// control sets are referenced only with the last 3 digits.
cur_controlset="ControlSet"+String(cur_controlset).substr(7,3);
println("<html>");
println(" <head><title>USB Storage Devices</title></head>");
println(" <body style=\"font-size:12\">");
println(" <h2>USB storage devices</h2>");
println(" <p style=\"font-size:12\">");
var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR");
for(var i=0;i<storage_roots.length;i++) {
println(" <u>",storage_roots[i],"</u><br />");
var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
for(ii=0;ii<storage_subroots.length;ii++) {
println(" <table style=\"margin-left:20px; font-size:12\">");
- // Note: If the second character of the unique instance ID is a '&', then the ID was
+ // If the second character of the unique instance ID is a '&', then the ID was
// generated by the system, as the device did not have a serial number.
- print_table_row("Unique ID:",storage_subroots[ii]);
+ if(String(storage_subroots[ii]).charAt(1)=="&") print_table_row("Unique ID:",storage_subroots[ii]+" (Generated by system)");
+ else print_table_row("Unique ID:",storage_subroots[ii]);
val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"Class");
print_table_row("Class:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : "");
val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"DeviceDesc");
print_table_row("Device description:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : "");
val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"FriendlyName");
print_table_row("Friendly name:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : "");
+ val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"ParentIdPrefix");
+ if(typeof val !== 'undefined') {
+ var parent_id=RegistryKeyValueToString(val.value,val.type);
+ print_table_row("Parent ID prefix:",parent_id);
+ // Find mount point(s)
+ print(" <tr><td>Mount point(s):</td><td>");
+ var br=0;
+ for(var iii=0;iii<mnt_keys.length;iii++) {
+ if(String(mnt_values[iii]).indexOf("#"+parent_id+"&")!=-1) {
+ if(br==1) print("<br />");
+ else br=1;
+ print(mnt_keys[iii]);
+ }
+ }
+ println("</td></tr>");
+ } else print_table_row("Parent ID prefix:","n/a");
}
}
println(" </p>");
println("</html>");
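Review bot: The new MountedDevices preload loop reads `val.value` without the `typeof val !== 'undefined'` guard that every other GetRegistryKeyValue lookup in this hunk applies, so a single value that cannot be read would abort the report before any device is printed; `if(typeof val !== 'undefined') mnt_values[i]=RegistryKeyValueToVariant(val.value,"utf16");` followed by `else mnt_values[i]="";` keeps mnt_values index-aligned with mnt_keys, which the later indexOf test in the mount-point loop depends on. The new mount-point cell also writes parent_id and mnt_keys[iii] into the HTML unescaped, as the existing rows do for Class, DeviceDesc and FriendlyName; since these strings come from the examined hive rather than from the analyst, routing them through a small helper that replaces `&`, `<` and `>` before print and print_table_row would stop a crafted value name from injecting markup into the generated report. The "utf16" conversion is presumably only meaningful for values that actually hold UTF-16 text, so a one-line comment on the preload loop noting that other value types are matched on their converted noise would help the next reader.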