Following on from our previous post Windows Event Logs and USB Tracking. Some of our forensic followers that found the post insightful, started asking “What was next?”, and “Where do you continue after that initial analysis?” Inspired by these questions, Netscylla investigated further, and found that someone has already progressed further and created some handy powershell scripts to assist in USB forensic investigation on Windows 10.
Windows USB Forensic Checklist
If we were to summarise Toksr’s research and order of forensic investigation we arrive at his/her model of investigation and associated Windows Event IDs:
- DriverFramework-Usermode events (10000,10001,10002,10100)
- UserPNP (20001,20002,20003)
- WPD-ClassInstaller (24576,24577,24578,24579)
Partition Diagnostic (1006)
StorSVC Diagnostic (1001,1002)
Storage ClassPnP (507)
Device Setup Manager Admin (100,101,112)
- Plug and Play detailed tracking (6416)
- Object Access Audit 4656,4663,4658,4690)
- Microsoft-Windows-DriverFrameworks-UserMode/Operational (1003,2000,200,1004, 2003,2010,2004,2006,2100,2105,2106,2101,2102, 1006,2900,2901,1008)
The collection of these event codes is made much easier through the use of the published code at github: https://github.com/tokesr/usb_investigator.
In this post, we highlight the discovery of a forensic blog post that has already progressed and furthered our own knowledge of USB forensics on Windows 10. We dont want to heavily copy and paste from Tokesr’s blog post (though we did copy the checklist aka summary for illustrative purposes).
We recommend reading their detailed post, and trying his/her Powershell scripts for yourself.