엄범


```bash

Event viewer -> system32 log (%SystemRoot%\inf\Setupapi.dev.log) -> registry

```

순으로 확인한다.

이벤트 뷰어랑 log는 기록이 누락되어 있는 경우가 잦다.

레지스트리를 직접 보려면 레지스트리 분석 도구를 이용해야 하기 때문에 어차피 도구를 이용할 거라면

USBDeview를 이용해서 보는 편이 낫다.


USB Device Tracking Artifacts on Windows 7, 8(RP)

 Artifacts

 Path

 Vendor & Product Name, Version

HKLM\SYSTEM\ControlSet00#\Enum\USBSTOR\Disk&Ven_{Vendor Name}&Prod_{Product Name}&Rev_{Version}

 Vendor ID, Product ID

HKLM\SYSTEM\ControlSet00#\Enum\USB\VID_{Vendor ID}&PID_{Product ID}

 Serial Number

HKLM\SYSTEM\ControlSet00#\Enum\USB\{Vendor ID & Product ID}\{Serial Number}


HKLM\SYSTEM\ControlSet00#\Enum\USBSTOR\{Device Class ID}\{Serial Number}&# 

 Volume Serial Number

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\_??_USBSTOR#{Device Class ID}#{Unique Instance ID}#{GUID}{Volume Label}_{Volume Serial Number} 

 Volume Label

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\_??_USBSTOR#{Device Class ID}#{Unique Instance ID}#{GUID}{Volume Label}_{Volume Serial Number}


HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\{Device Entry}\FriendlyName (value) 


HKLM\System\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device Entry}\FriendlyName (value) 

 Drive Letter

HKLM\System\MountedDevices (search for serial number)


HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\{Device Entry}\FriendlyName (value)


HKLM\System\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device Entry}\FriendlyName (value)

 Volume GUID

HKLM\SYSTEM\MountedDevices\\??\Volume{Volume GUID} (search for serial number)

 User Name

HKU\{USER}\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{Volume GUID}

 First Connection Time

 (Last Written Time in registry key)

HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{10497B1B-BA51-44E5-8318-A65C837B6661}\{Sub Keys} 


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\{Device Entry} 


HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\{Device Entry} 

 First Connection Time After Booting

 (Last Written Time in registry key)

HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}\{Sub Keys} 


HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}\{Sub Keys} 


HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{6AC27878-A6FA-4155-BA85-F98F491D4F33}\{Sub Keys} 


HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{A5DCBF10-6530-11D2-901F-00C04FB951ED}\{Sub Keys} 


HKLM\SYSTEM\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device Entry}

 Last Connection Time

 (Last Written Time in registry key)

HKLM\SYSTEM\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device Entry}\Device Parameters 


HKU\{USER}\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{Volume GUID}



'Security > Forensic' 카테고리의 다른 글

클러스터, 섹터, 슬랙 ( Cluster, Sector, Slack )  (0) 2017.11.01
파일 카빙 ( File Carving )  (0) 2017.11.01
Volatility  (0) 2017.10.27
Prefetch, Superfetch  (0) 2016.09.07
Windows 악성코드 감염시 처리 프로세스  (0) 2016.09.07
USB 사용 기록 조사  (0) 2016.09.06