ITM is an open framework - Submit your contributions now.

Preparation

Archive Data

Boot Order Manipulation

CCTV Enumeration

Circumventing Security Controls

Data Obfuscation

Renaming Files or Changing File Extensions

Data Staging

Device Mounting

Email Collection

External Media Formatting

File Exploration

IT Ticketing System Exploration

Network Scanning

Physical Disk Removal

Physical Exploration

Physical Item Smuggling

Private / Incognito Browsing

Read Windows Registry

Security Software Enumeration

Social Engineering (Outbound)

Software Installation

Software or Access Request

Managerial Approval

Suspicious Web Browsing

Testing Ability to Print

ID: PR014.001
Created: 31st May 2024
Updated: 31st July 2024
Platforms: Windows, Linux, MacOS
Contributor: The ITM Team

USB Mass Storage Device Formatting

A subject formats a USB mass storage device on a target system with a file system capable of being written to by the target system.

Prevention

ID	Name	Description
PV037	Restrict Removable Disk Mounting, Group Policy	Using Group Policy on Windows it is possible to block execute, read, and write operations related to a removeable disk, such as an SD card or USB mass storage devices. In the Group Policy Editor, navigate to: `Computer Configuration -> Administrative Templates -> System -> Removable Storage Access` Open the following policies and set them all to Enabled: `Removeable Disk: Deny execute access` `Removeable Disk: Deny read access` `Removeable Disk: Deny write access`

Detection

ID	Name	Description
DT023	MountedDevices Registry Key	Located at `HKLM\SYSTEM\MountedDevices`, this registry key provides insights into the most recently mounted devices mounted to the system, such as USB drives, hard drives, and other storage devices. It records detailed information that may include; drive letter, volume GUID, and information from the USBSTOR registry key. These details can be cross-referenced with evidence in the USB and USBSTOR registry keys.
DT020	Shellbags, USB Removable Storage	Shellbags are a set of Windows registry keys that contain details about a user-viewed folder, such as its size, position, thumbnail, and timestamps. Typically Shellbag information is created for folders that have been opened and closed with Windows File Explorer and default settings adjusted. However, Shellbag information can be created under various situations across different versions of Windows. Shellbags are located in the following registry keys: Windows XP `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU` `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags` `NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU` `NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags` Windows 7 and later `NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU` `NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags` `UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU` `UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags` Shellbags can disclose information about USB removable storage drives that are connected to the system, disclosing the drive letter and any files that were accessed from the drive.
DT022	USB Registry Key	Located at `HKLM\SYSTEM\ControlSet001\Enum\USB`, it provides a rich information source about USB devices connected to a Windows system. The information you can typically find under this key includes; connection status, information from the USBSTOR registry key, last write time, and installation date. These details can be cross-referenced with evidence in the MountedDevices and USBSTOR registry keys.
DT021	USBSTOR Registry Key	Located at `HKLM\SYSTEM\ControlSet001\Enum\USBSTOR` in the Windows registry, it holds comprehensive details for each device connected via USB ports. This key features individual subkeys for every device connected to the system, where you can find extensive information, including; timestamps, serial number, unique ID, container ID, friendly name, device name, make, model and type. These details can be cross-referenced with evidence in the MountedDevices and USB registry keys.
DT024	Windows Event Log, DriverFrameworks-UserMode	This Event log is not enabled by default. The log file can be located at `%systemroot%\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx`. Once a USB drive is connected, the logs will begin to populate. Each log entry includes the device ID (as registered in the system), the time it was logged, and a description of the occurrence. Event ID 2003 marks the initiation of a USB device connection. This event logs when a USB device is first recognized and connected to the system. Event IDs 2100 and 2102 track when a USB device is disconnected or a connection session ends. Event ID 2100 typically captures an intermediate disconnection, while Event ID 2102 logs the final disconnection of the USB device. By correlating the timestamps associated with the same Device ID, an investigator can determine the duration for which a USB device was connected to the system.
DT025	Windows Setupapi.dev.log	The `setupapi.dev` file, located in `%systemroot%\INF\setupAPI.dev`, is a text file that documents the details of the first time a specific device was connected to the computer. This file ensures the system has the appropriate drivers to read and access the media. Each log entry in this file begins with a section header, where the latter part includes the device ID. This file does not provide information as to when the device was unplugged or disconnected.