Preparation
Archive Data
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Exploration
IT Ticketing System Exploration
Network Scanning
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
- ID: PR014.001
- Created: 31st May 2024
- Updated: 31st July 2024
- Platforms: Windows, Linux, MacOS
- Contributor: The ITM Team
USB Mass Storage Device Formatting
A subject formats a USB mass storage device on a target system with a file system capable of being written to by the target system.
Prevention
ID | Name | Description |
---|---|---|
PV037 | Restrict Removable Disk Mounting, Group Policy | Using Group Policy on Windows it is possible to block execute, read, and write operations related to a removeable disk, such as an SD card or USB mass storage devices.
Open the following policies and set them all to Enabled:
|
Detection
ID | Name | Description |
---|---|---|
DT023 | MountedDevices Registry Key | Located at These details can be cross-referenced with evidence in the USB and USBSTOR registry keys. |
DT020 | Shellbags, USB Removable Storage | Shellbags are a set of Windows registry keys that contain details about a user-viewed folder, such as its size, position, thumbnail, and timestamps. Typically Shellbag information is created for folders that have been opened and closed with Windows File Explorer and default settings adjusted. However, Shellbag information can be created under various situations across different versions of Windows.
Windows 7 and later
Shellbags can disclose information about USB removable storage drives that are connected to the system, disclosing the drive letter and any files that were accessed from the drive. |
DT022 | USB Registry Key | Located at These details can be cross-referenced with evidence in the MountedDevices and USBSTOR registry keys. |
DT021 | USBSTOR Registry Key | Located at These details can be cross-referenced with evidence in the MountedDevices and USB registry keys. |
DT024 | Windows Event Log, DriverFrameworks-UserMode | This Event log is not enabled by default. The log file can be located at Once a USB drive is connected, the logs will begin to populate. Each log entry includes the device ID (as registered in the system), the time it was logged, and a description of the occurrence. Event ID 2003 marks the initiation of a USB device connection. This event logs when a USB device is first recognized and connected to the system. Event IDs 2100 and 2102 track when a USB device is disconnected or a connection session ends. Event ID 2100 typically captures an intermediate disconnection, while Event ID 2102 logs the final disconnection of the USB device. By correlating the timestamps associated with the same Device ID, an investigator can determine the duration for which a USB device was connected to the system. |
DT025 | Windows Setupapi.dev.log | The |