Whenever a forensic investigator does the forensic of a USB device, he should look into two important keys of the registry. These are:

1) HKLM/System/Mounted Devices

2) HKLM/System/CurrentControlSet/Enum/USBSTOR.

First key will show all the mounted & removable devices and will be in the form of “\DosDevices\”. Figure given below will clear the picture.

Figure 1

Each DWORD value (here /DosDevices/) will have a data which is in hex form. For reading the contents of these DWORD, the forensic investigator has to access these values. When the DWORD is accessed and the contents are of the form “\??\STORAGE#Removable Media#”, then this means that the device which was associated with this drive letter was a removable/USB device. Let us understand this point deeper with the help of the figure. Figure given below shows that I have accessed the “/DosDevice/I:” DWORD and it’s a removable/USB device.

Figure 2

Couple of points to notice in this figure: -

1) DWORD accessed is “\DosDevices\I:”

2) Contents of this DWORD value is starting from “\??\STORAGE#RemovableMedia#”. So we can conclude that this drive letter was assigned to removable/USB device.

3) Parent ID prefix in this case is 7&25bb518e&0. This value is very important and we will use this value to get more knowledge about the USB device which was connected on the suspect machine.

Our work related to “HKLM/System/MountedDevices” is over. Now let us move to the other key and get more information out of it. The other key is

HKLM/System/CurrentControlSet/enum/USBSTOR

When USBSTOR key is expanded, there will be sub keys under it. The key will be in the form of Disk&Ven&Prod
&Rev. An example is shown with the help of figure.

Figure 3

Under these keys will be the sub key which will be with the name of the serial number which the device has. If the device has no serial number, then plug and play manager will assign the serial number to the device. We will now expand the subkey and will find out where the Parent ID prefix is? I expanded the subkey and I found the Parent ID prefix. A screenshot has been given below

Figure 4

We can make sure that this device was connected to the machine and the drive letter which was assigned to this device was I:\.

If we want to find out more information about the device connected and the last plug/unplug time then we can use professional tool like “USBDeview” which can be found here. A screenshot has been given below

Figure 5

Hope this article will help lot of forensic investigators in investigating cases. Enjoy experimenting

Mrs Carol L. Stimmel has taken upon her to start a Computer Forensic Volunteer Project to provide low-cost services to those who cannot assert advantage from our skills.

Here is a bit taken from the press release:-

“As expert members of the international computer forensics community which provides unique and highly desirable services to the legal system, we assume a responsibility to provide services to those in need yet unable to pay. As a result, the Computer Forensics Volunteer Project (CFVP) provides pro bono and low-cost forensic services to individuals and organizations who normally would not be able to take advantage of the distinct litigation advantage provided by these techniques.”

On behalf of NII Consulting I have volunteered to take part in the project and would like to help people who cannot afford such services.

The index.dat is a file which contains the list of the websites that one has visited. It comes from “indexing” which is used to speed up query responses.

The autocomplete feature in Internet Explorer compares the addresses to the index.dat to find an appropriate match. The size and life of the index.dat depends on the user and the options under: – Internet Explorer: Tools> Internet Options (Days to keep pages in history).

There are three kinds of index.dat files.

1. Daily
2. Weekly
3. Master

1. Daily index.dat:-

This file contains the data of one visiting websites for the day.

This index.dat file can be found in C:\Documents and Settings\*profile*\Local Settings\History\History.IE5\*folder*

The folders name information is given below:-

MSHist012006081020060811

MSHist01 is common for all folders.

Next comes “from” date – 20060810 i.e. 2006/08/10 (yyyy/mm/dd)

Lastly comes the “to” date – 20060811 i.e. 2006/08/11 (yyyy/mm/dd)

2. Weekly index.dat:-

This file contains the history of the user for the week.

This index.dat file can be found in C:\Documents and Settings\*profile*\Local Settings\History\History.IE5\*folder*

The folders name information is given below:-

MSHist012006073120060807

MSHist01 is common for all folders.

Next comes “from” date – 20060731 i.e. 2006/07/31 (yyyy/mm/dd)

Lastly comes the “to” date – 20060807 i.e. 2006/08/07 (yyyy/mm/dd)

3. Master index.dat

This file is located in C:\Documents and Settings\*profile*\Local Settings\History\History.IE5 i.e. the root of History.IE5

Index.dat Viewing Utilities:-

There are a few utilities on the WWW to analyze index.dat. They help in organizing the data from it in an easy to view and customable manner. Here is a list of a few such tools:-

• Netanalysis
• IndexDat-Zap
• Index.dat Analyzer

Deleting index.dat:-

This file is “locked” by the operating system, which means that one cannot delete it with the normal “Del” command.

Note: Once it is very big in size it can start affecting the browser performance.

There are a few tools online available to delete this file but the easiest way I found to delete this file is to replace it with another file. I.e. Make a new text file, name it as index.dat and save it. Now, for every index.dat there is replace it with the file that you made i.e. the empty index.dat.

Alternatively, you could use tools like Unlocker. This is a very nice free tool to view which applications are sharing the file and also to kill or unlock those applications so as to delete or modify it.