Recovering a stolen USB Drive

Am feeling all CSI at the moment! Yesterday; I got involved in an investigation of a USB mass storage device theft. The clue I had at start was the Windows 7 machine from which the device was stolen and a CCTV camera. The video from the CCTV wasn’t much helpful without any supporting evidence from the machine hence my only resort was to dig deep into the machine’s OS and get to some conclusion.

I did what anyone would have done; checking out the event viewer. Unfortunately no such logs about USB devices are recorded there. So I resorted to some Googling.  Once again I owe one to the immense help available out there online on forums and blogs; you can just find any solution these days!  What I did found was that a USB device when plugged into a machine; leaves all kind of traces. These traces includes time stamps, vendor & product ID’s, serial numbers, product make\model etc. Of all these what more internal to forensics is the time stamps! and getting them accurate is the key to get some productivity out of the homework.

I found two really great utilities that helped me in ending the case. USBDeview by Nirsoft and Windows USB Storage Parser by TZWorks LLC. Of these two USBDeview is simple and more efficient and I will tell you here why.

So getting to homework! First get to know your machines and devices well.

Get to know which USB devices are used on a machine

You can get to know by going into the Registry Editor and checking out  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR. This is what you will get.

As from the snap shot you can see; there are a total of three devices used on this machine with the serial numbers mentioned under the product names. Serial numbers are unique and will give you a head start.


So now I know the device, and mapped the serial number as well. I then used a simple utility USBDeview to get the information I required.  The great thing this utility is that It also shows you the details\time stamps etc from the previous dates.

This very efficiently shows the complete details in nicely sorted columns. The important entry that helped me a lot here is the  Last Plus\Unplug time stamp.

Windows USB Storage Parser

This is another great command line tool. This tool will tell you about the different USB devices used on a machine, their vendor\product ID’s along with serial numbers and time stamps. But most important of all this will also tell you the “account name” that mounted the USB device which can really help in forensics.

As you can see in the snap shot above, its pretty well self explanatory. What missing from there is the unmounts event time stamp. That why I mentioned earlier in this blog that the USBDeview holds its ground pretty well and gives us a combined plus\unplug time stamp. This is what helped me in nailing the case.

So to complete the investigating, and to further cement my findings; I used these tools on the suspect’s machine as well and bingo!!! It was all filled up with familiar traces! I rested my case 🙂 !!!


Tags: , , , , , , , , , , , ,

2 Responses to “Recovering a stolen USB Drive”

  1. Ghazanfar Says:

    Did you manage to recover your lost USB at all?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: