Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

FW: USB devices and the Windows Registry

from [MR_EPOD .] Network Security [Permanent Link]
Subject: FW: USB devices and the Windows Registry
Date: Tue, 01 Feb 2005 22:43:16 +0000 
Hey,

I seen your post and thought this util might be handy for your USB research

-------
Extract from sf.net site
# This is a tool that log the usb data exchange between hardware and device driver!
URL: http://sourceforge.net/projects/usbsnoop/
-------

Regards
MR_EPOD

-----Original Message-----
From: H Carvey [mailto:keydet89@yahoo.com]
Sent: Tuesday, 1 February 2005 23:46
To: forensics@securityfocus.com
Subject: USB devices and the Windows Registry




All,

Cory Altheide and I are conducting some research into USB devices and
the Windows Registry.  In doing so, I've been trying to get in contact
with folks at Microsoft to answer some questions with regards to the
creation of certain Registry keys...most of the contacts have been
several layers removed from me.

I'd like to ask the questions here, as well, to see what kind of
response I can get back from the community.

Our basic questions are these:

1.  When you connect a USB storage device to a Windows system (2K, XP,
2K3), Registry keys are created.  If they don't already exist, the
HKLM\System\CurrentControlSet\Enum\USBStor key is created.  Beneath that
key, a subkey containing the vendor name is created, and beneath the
"vendor key", a key with a unique name is created for each device (I'll
call this the "unique key").  On a test XP system, it looks like this:

HKLM\System\CurrentControlSet\Enum\USBStor
     \Disk&Ven_LEXAR&Prod_DIGITAL_FILM&Rev_/W1.
       \7&276114a5&0&______________040719030000008093F300000000000&0

According to some scant MSDN documentation, the final key name is unique
to the device...each time the device is plugged into the Windows system,
the same name will be used.  Also, if the device is plugged into other
Windows systems, the same name will appear.

The question is, how is this key name created?  If something specific is
pulled from the device, what is that artifact?  How is it retrieved; ie,
via what API and data structure?  How is it then processed to develop
the name of the "unique key"?

2.  Within the "unique key", there is a value called "ParentIdPrefix".
How is this value derived?  What API/data structure is used?  How does
the system then subsequently use this value?

Thanks.  Any assistance, along with cited sources, would be greatly
appreciated.  Cory and I do intend to make the final results of our
research public.

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery" http://www.windows-ir.com



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: USB devices and the Windows Registry, Harlan Carvey
Next by Date:  USB devices and the Windows Registry, part deux, H Carvey
Previous by Thread:  RE: USB devices and the Windows Registry, Keifer, Trey
Next by Thread:  USB devices and the Windows Registry, part deux, H Carvey
Indexes:  [Date] [Thread] [Top] [All Lists]