Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F5285311
SYSTEM_UsbStorageDevices.qs
No One
Temporary
Actions
Download File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Size
8 KB
Referenced Files
None
Subscribers
None
SYSTEM_UsbStorageDevices.qs
View Options
function fred_report_info() {
var info={report_cat : "SYSTEM",
report_name : "USB storage devices",
report_author : "Gillen Daniel, Voncken Guy",
report_desc : "Dump USB storage devices",
fred_api : 2,
hive : "SYSTEM"
};
return info;
}
var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12";
var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
function IsValid(val) {
return (typeof val!=='undefined');
}
function PrintTableHeaderCell(str) {
println(" <th style=\"",cell_style,"\">",str,"</th>");
}
function PrintTableDataCell(alignment,str) {
var style=cell_style+" text-align:"+alignment+";";
println(" <td style=\"",style,"\">",str,"</td>");
}
function PrintTableDataRowSpanCell(alignment,rows,str) {
var style=cell_style+" text-align: "+alignment+";";
println(" <td rowspan=\"",rows,"\" style=\"",style,"\">",str,"</td>");
}
function ZeroPad(number,padlen) {
var ret=number.toString(10);
if(!padlen || ret.length>=padlen) return ret;
return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}
function GetKeyVal(path, key) {
var val=GetRegistryKeyValue(path, key);
return (IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "";
}
function fred_report_html() {
// TODO: There is more here.
// Check http://www.forensicswiki.org/wiki/USB_History_Viewing
var val;
println(" <h2>USB storage devices</h2>");
// Preload MountedDevices to possibly identify mount points of USB storage
// devices
var mnt_keys=GetRegistryKeys("\\MountedDevices");
var mnt_values=new Array();
if(IsValid(mnt_keys)) {
for(var i=0;i<mnt_keys.length;i++) {
val=GetRegistryKeyValue("\\MountedDevices",mnt_keys[i]);
mnt_values[i]=RegistryKeyValueToVariant(val.value,"utf16");
}
}
// Get current controlset
var cur_controlset=GetRegistryKeyValue("\\Select","Current");
if(IsValid(cur_controlset)) {
cur_controlset=RegistryKeyValueToString(cur_controlset.value,
cur_controlset.type);
// Current holds a DWORD value, thus we get a string like 0x00000000, but
// control sets are referenced by its decimal representation.
cur_controlset="ControlSet"+
ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3);
println(" <p style=\"font-size:12; white-space:nowrap\">");
println(" <table style=\""+table_style+"\">");
// Are USB storage devices enabled?
// http://www.forensicmag.com/article/windows-7-registry-forensics-part-5
// Is this true for WinXP etc.. ???
var val=GetRegistryKeyValue(cur_controlset+"\\services\\USBSTOR","Start");
if(IsValid(val)) {
val=RegistryKeyValueToString(val.value,val.type);
val=parseInt(String(val).substr(2,8),10);
switch(val) {
case 3:
println(" <tr><td>Storage driver enabled:</td><td>Yes</td></tr>");
break;
case 4:
println(" <tr><td>Storage driver enabled:</td><td>No</td></tr>");
break;
default:
println(" <tr><td>Storage driver enabled:</td><td>Unknown</td></tr>");
}
} else {
println(" <tr><td>Storage driver enabled:</td><td>Unknown</td></tr>");
}
println(" </table>");
println(" </p>");
println(" <p style=\"font-size:12; white-space:nowrap\">");
var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR");
if(IsValid(storage_roots)) {
println(" <table style=\""+table_style+"\">");
println(" <tr>");
PrintTableHeaderCell("Vendor Name");
PrintTableHeaderCell("Unique ID");
PrintTableHeaderCell("Class");
PrintTableHeaderCell("Friendly name");
PrintTableHeaderCell("Mount point(s)");
PrintTableHeaderCell("Parent ID");
PrintTableHeaderCell("Device description");
PrintTableHeaderCell("First connection<font color=\"red\"><sup>1</sup></font>");
PrintTableHeaderCell("Last connection<font color=\"red\"><sup>1</sup></font>");
println(" </tr>");
for(var i=0;i<storage_roots.length;i++) {
var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
for(var ii=0;ii<storage_subroots.length;ii++) {
var device_id=storage_subroots[ii];
if(String(device_id).charAt(1)=="&") {
// If the second character of the unique instance ID is a '&', then
// the ID was generated by the system, as the device did not have a
// serial number.
device_id=device_id+" (Generated by system)";
}
var device_key=cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii];
var device_class=GetKeyVal(device_key,"Class");
var device_desc=GetKeyVal(device_key,"DeviceDesc");
var device_friendly_name=GetKeyVal(device_key,"FriendlyName");
var device_parent_id=GetKeyVal(device_key,"ParentIdPrefix");
var device_first_connection=GetRegistryNodeModTime(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
var device_last_connection=GetRegistryNodeModTime(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii]);
var search_string="";
var device_mount_points=Array();
if(device_parent_id != "") {
// Windows XP uses the ParentId to link to MountedDevices
search_string="#"+device_parent_id+"&";
} else {
// Since Vista, Unique IDs are used
search_string="#"+storage_subroots[ii]+"#";
}
for(var iii=0; iii<mnt_keys.length; iii++) {
if(String(mnt_values[iii]).indexOf(search_string)!=-1) {
device_mount_points.push(mnt_keys[iii]);
}
}
var mount_points=device_mount_points.length;
if(mount_points>1) {
println(" <tr>");
PrintTableDataRowSpanCell("left",mount_points,storage_roots[i]);
PrintTableDataRowSpanCell("left",mount_points,device_id);
PrintTableDataRowSpanCell("left",mount_points,device_class);
PrintTableDataRowSpanCell("left",mount_points,device_friendly_name);
PrintTableDataCell("left",device_mount_points[0]);
PrintTableDataRowSpanCell("left",mount_points,device_parent_id);
PrintTableDataRowSpanCell("left",mount_points,device_desc);
PrintTableDataRowSpanCell("left",mount_points,device_first_connection);
PrintTableDataRowSpanCell("left",mount_points,device_last_connection);
println(" </tr>");
for(var iii=1;iii<device_mount_points.length;iii++) {
println(" <tr>");
PrintTableDataCell("left",device_mount_points[iii]);
println(" </tr>");
}
} else {
println(" <tr>");
PrintTableDataCell("left",storage_roots[i]);
PrintTableDataCell("left",device_id);
PrintTableDataCell("left",device_class);
PrintTableDataCell("left",device_friendly_name);
if(mount_points!=0) {
PrintTableDataCell("left",device_mount_points[0]);
} else {
PrintTableDataCell("left","n/a");
}
PrintTableDataCell("left",device_parent_id);
PrintTableDataCell("left",device_desc);
PrintTableDataCell("left",device_first_connection);
PrintTableDataCell("left",device_last_connection);
println(" </tr>");
}
}
}
println(" </table>");
println(" <font color=\"red\"><sup>1</sup></font> Might be incorrect");
println(" <br />");
} else {
println(" <font color=\"red\">This registry hive does not contain a list of attached USB storage devices!</font>");
}
println(" </p>");
} else {
println(" <p><font color=\"red\">");
println(" Unable to determine current control set!<br />");
println(" Are you sure you are running this report against the correct registry hive?");
println(" </font></p>");
}
}
File Metadata
Details
Attached
Mime Type
text/html
Expires
Wed, Jul 9, 1:01 AM (9 h, 24 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
1270968
Default Alt Text
SYSTEM_UsbStorageDevices.qs (8 KB)
Attached To
Mode
rFRED fred
Attached
Detach File
Event Timeline
Log In to Comment