When an incident involves USB-related evidence, the following is the information that can be recovered from the registry and from the setupapi log.
Using these values you can work out when a device was connected, which device it was, and which user account (who) mounted it.
Profile Windows XP USB Keys/Thumbdrives
1. Write Down Vendor, Product, Version
Registry Location: SYSTEM\CurrentControlSet\Enum\USBSTOR
Key: Vendor, Product, Version =
2. Write Down Serial Numbers
Registry Location: SYSTEM\CurrentControlSet\Enum\USBSTOR
Key: Serial Number=
3. Determine Parent Prefix ID
Registry Location: SYSTEM\CurrentControlSet\Enum\USBSTOR
Key: Parent Prefix ID=
4. Determine Vendor ID (VID) and Product ID (PID)
Registry Location: SYSTEM\CurrentControlSet\Enum\USB
Key: VID_XXXX, PID_YYYY =
5. Determine Drive Letter Device Mapped To
Registry Location: SYSTEM\MountedDevices -> Perform search for Parent Prefix ID in the Drive Letter
Key: Drive
6. Write Down Volume GUIDs
Registry Location: SYSTEM\MountedDevices -> Perform search for Parent Prefix ID in the GUIDs
Key: {GUID}
7. Find User That Used The Specific USB Device
Registry Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> Search for Device GUID
Key: User=
8. Discover First Time Device Connected
Log Location: C:\Windows\setupapi.log -> Perform search for Serial Number
Parameter: Time/Timezone
9. Determine First Time Device Connected After Last Reboot
Registry Location: SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} -> Perform search for S/N
Parameter: Time/Timezone
10. Determine Last Time Device Connected
Registry Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{GUID} -> Perform search for Device {GUID}
Parameter: Time/Timezone
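The steps above are manual lookups; the following is an added example (not part of the original post) that automates steps 5, 6 and 8 on constructed data: it pulls the first-connect timestamp for a serial number out of setupapi.log sections, and maps a USBSTOR ParentIdPrefix to the drive letter and volume GUID recorded in MountedDevices. The log lines, registry values, serial numbers and GUIDs are all made up for the demonstration.

```python
import re
from datetime import datetime
# Constructed sample of C:\Windows\setupapi.log (Windows XP format), two sections.
SETUPAPI_LOG = """\
[2013/07/23 09:12:05 1052.3 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\disksandisk_cruzer_micro_____0.03
#I121 Device install of "USBSTOR\\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_0.03\\0000186AF1A2B3C4&0" finished successfully.
[2013/07/23 14:40:51 1052.4 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\diskkingston_dt_101_g2______1.00
#I121 Device install of "USBSTOR\\DISK&VEN_KINGSTON&PROD_DT_101_G2&REV_1.00\\001CC0EC34F5EB91&0" finished successfully.
"""
SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ")

def first_install_time(log_text, serial):
    """Step 8: timestamp of the first setupapi.log section mentioning the serial.
    The log uses local time with no zone marker; apply the system time zone yourself."""
    current = None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        elif current and serial.lower() in line.lower():
            return current
    return None

# Constructed sample of SYSTEM\MountedDevices: value name -> raw binary data.
# For a USB disk on XP the data is the UTF-16LE device interface path, which
# embeds the ParentIdPrefix from USBSTOR (here "7&1a2b3c4d&0").
_USB_DATA = ("\\??\\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#"
             "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
MOUNTED_DEVICES = {
    "\\DosDevices\\C:": bytes.fromhex("a1b2c3d40000000000000000"),  # fixed disk: signature+offset
    "\\DosDevices\\E:": _USB_DATA,
    "\\??\\Volume{9f1e2c3a-0b4d-4e5f-8a6b-7c8d9e0f1a2b}": _USB_DATA,
}

def map_parent_prefix(mounted, parent_prefix):
    """Steps 5 and 6: drive letters and volume GUIDs whose MountedDevices data contains
    the ParentIdPrefix (case-insensitive). The GUIDs are then searched in MountPoints2 (step 7)."""
    letters, guids = [], []
    needle = parent_prefix.lower()
    for name, data in mounted.items():
        if needle not in data.decode("utf-16-le", errors="ignore").lower():
            continue
        if name.startswith("\\DosDevices\\"):
            letters.append(name.rsplit("\\", 1)[1])
        elif name.startswith("\\??\\Volume"):
            guids.append(name[len("\\??\\Volume"):])
    return letters, guids
```

Note that on Windows 7 and later the MountedDevices data carries the device serial number rather than the ParentIdPrefix, so the needle in `map_parent_prefix` changes; the XP checklist above is what this example follows.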