Investigating USB usage history
Check the sources in the following order:
```
Event viewer -> system32 log (%SystemRoot%\inf\Setupapi.dev.log) -> registry
```
The event viewer and the log frequently have records missing.
Looking at the registry directly requires a registry analysis tool anyway, so if you are going to use a tool, it is easier to view the data with USBDeview.
USB Device Tracking Artifacts on Windows 7, 8(RP)
| Artifact | Path |
|---|---|
| Vendor & Product Name, Version | `HKLM\SYSTEM\ControlSet00#\Enum\USBSTOR\Disk&Ven_{Vendor Name}&Prod_{Product Name}&Rev_{Version}` |
| Vendor ID, Product ID | `HKLM\SYSTEM\ControlSet00#\Enum\USB\VID_{Vendor ID}&PID_{Product ID}` |
| Serial Number | `HKLM\SYSTEM\ControlSet00#\Enum\USB\{Vendor ID & Product ID}\{Serial Number}`<br>`HKLM\SYSTEM\ControlSet00#\Enum\USBSTOR\{Device Class ID}\{Serial Number}&#` |
| Volume Serial Number | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\_??_USBSTOR#{Device Class ID}#{Unique Instance ID}#{GUID}{Volume Label}_{Volume Serial Number}` |
| Volume Label | `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\_??_USBSTOR#{Device Class ID}#{Unique Instance ID}#{GUID}{Volume Label}_{Volume Serial Number}`<br>`HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\{Device Entry}\FriendlyName` (value)<br>`HKLM\System\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device Entry}\FriendlyName` (value) |
| Drive Letter | `HKLM\System\MountedDevices` (search for serial number)<br>`HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\{Device Entry}\FriendlyName` (value)<br>`HKLM\System\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device Entry}\FriendlyName` (value) |
| Volume GUID | `HKLM\SYSTEM\MountedDevices\\??\Volume{Volume GUID}` (search for serial number) |
| User Name | `HKU\{USER}\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{Volume GUID}` |
| First Connection Time (Last Written Time of the registry key) | `HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{10497B1B-BA51-44E5-8318-A65C837B6661}\{Sub Keys}`<br>`HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt\{Device Entry}`<br>`HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\{Device Entry}` |
| First Connection Time After Booting (Last Written Time of the registry key) | `HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}\{Sub Keys}`<br>`HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}\{Sub Keys}`<br>`HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{6AC27878-A6FA-4155-BA85-F98F491D4F33}\{Sub Keys}`<br>`HKLM\SYSTEM\ControlSet00#\Control\DeviceClasses\{A5DCBF10-6530-11D2-901F-00C04FB951ED}\{Sub Keys}`<br>`HKLM\SYSTEM\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device Entry}` |
| Last Connection Time (Last Written Time of the registry key) | `HKLM\SYSTEM\ControlSet00#\Enum\WpdBusEnumRoot\UMB\{Device Entry}\Device Parameters`<br>`HKU\{USER}\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{Volume GUID}` |
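As an added example (not part of the original post, and not from USBDeview), a small Python parser for the Setupapi.dev.log step above: it pulls the hardware-initiated install sections, matches USBSTOR instance IDs against the same `Disk&Ven_..&Prod_..&Rev_..\{Serial}` layout the table lists, and keeps the earliest section start per serial as that device's first connection time. The log excerpt is constructed to show the format, not captured from a real system.

```python
"""Extract USB mass-storage install sections from setupapi.dev.log (added example)."""
import re
from datetime import datetime

# Constructed excerpt in the layout of %SystemRoot%\inf\Setupapi.dev.log, not a real capture.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001234567890123]
>>>  Section start 2017/10/27 14:03:20.900
<<<  Section end 2017/10/27 14:03:21.100
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\\4C530001234567890123&0]
>>>  Section start 2017/10/27 14:03:21.153
<<<  Section end 2017/10/27 14:03:22.500
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\\4C530001234567890123&0]
>>>  Section start 2017/11/01 09:15:02.010
<<<  Section end 2017/11/01 09:15:02.300
<<<  [Exit status: SUCCESS]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<inst>[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
# Same layout as the USBSTOR key in the table: Disk&Ven_{Vendor}&Prod_{Product}&Rev_{Rev}\{Serial}&#
USBSTOR = re.compile(
    r"^USBSTOR\\Disk&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^\\]*)\\(?P<serial>[^&\\]+)")


def parse_install_sections(text):
    """Yield (device instance ID, section start time) for every hardware-initiated install."""
    pending = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.group("inst")
            continue
        m = START.match(line)
        if m and pending:
            yield pending, datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            pending = None


def first_usbstor_connections(text):
    """Earliest install time per mass-storage device, keyed by the serial number the table lists."""
    seen = {}
    for inst, ts in parse_install_sections(text):
        m = USBSTOR.match(inst)
        if not m:
            continue  # USB\VID_..&PID_.. entries and non-storage devices are skipped here
        if m["serial"] not in seen or ts < seen[m["serial"]]["first_seen"]:
            seen[m["serial"]] = {"vendor": m["vendor"], "product": m["product"], "rev": m["rev"], "first_seen": ts}
    return seen
```

Because the log is often incomplete, as noted above, treat a missing serial here as "not logged", not as "never connected", and cross-check against the registry keys in the table.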