
Insider Threat Matrix™

  • ID: PR014.001
  • Created: 31st May 2024
  • Updated: 31st July 2024
  • Platforms: Windows, Linux, MacOS
  • Contributor: The ITM Team

USB Mass Storage Device Formatting

A subject formats a USB mass storage device on a target system with a file system that the target system is able to write to.

Prevention

PV037: Restrict Removable Disk Mounting, Group Policy

Using Group Policy on Windows, it is possible to block execute, read, and write operations on removable disks, such as SD cards or USB mass storage devices.

In the Group Policy Editor, navigate to:
Computer Configuration -> Administrative Templates -> System -> Removable Storage Access

Open the following policies and set them all to Enabled:

  • Removable Disk: Deny execute access
  • Removable Disk: Deny read access
  • Removable Disk: Deny write access

Detection

DT023: MountedDevices Registry Key

Located at HKLM\SYSTEM\MountedDevices, this registry key provides insight into the devices most recently mounted on the system, such as USB drives, hard drives, and other storage devices. It records detailed information that may include the drive letter, the volume GUID, and information from the USBSTOR registry key.

These details can be cross-referenced with evidence in the USB and USBSTOR registry keys.

DT020: Shellbags, USB Removable Storage

Shellbags are a set of Windows registry keys that contain details about a folder a user has viewed, such as its size, position, thumbnail, and timestamps. Typically, Shellbag information is created for folders that have been opened and closed with Windows File Explorer and have had their default settings adjusted. However, Shellbag information can be created under various situations across different versions of Windows.

Shellbags are located in the following registry keys:

Windows XP:

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\ShellNoRoam\Bags

Windows 7 and later:

NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
UsrClass.dat\Local Settings\Software\Microsoft\Windows\Shell\Bags

Shellbags can disclose information about USB removable storage drives that have been connected to the system, including the drive letter and any files that were accessed from the drive.

DT022: USB Registry Key

Located at HKLM\SYSTEM\ControlSet001\Enum\USB, this key is a rich source of information about USB devices connected to a Windows system. The information typically found under this key includes the connection status, information from the USBSTOR registry key, the last write time, and the installation date.

These details can be cross-referenced with evidence in the MountedDevices and USBSTOR registry keys.

DT021: USBSTOR Registry Key

Located at HKLM\SYSTEM\ControlSet001\Enum\USBSTOR in the Windows registry, this key holds comprehensive details for each device connected via USB ports. It contains an individual subkey for every device connected to the system, where extensive information can be found, including timestamps, serial number, unique ID, container ID, friendly name, device name, make, model and type.

These details can be cross-referenced with evidence in the MountedDevices and USB registry keys.

DT024: Windows Event Log, DriverFrameworks-UserMode

This event log is not enabled by default.

The log file can be located at %systemroot%\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx.

Once a USB drive is connected, the logs will begin to populate. Each log entry includes the device ID (as registered in the system), the time it was logged, and a description of the occurrence.

Event ID 2003 marks the initiation of a USB device connection. This event logs when a USB device is first recognized and connected to the system. Event IDs 2100 and 2102 track when a USB device is disconnected or a connection session ends. Event ID 2100 typically captures an intermediate disconnection, while Event ID 2102 logs the final disconnection of the USB device. By correlating the timestamps associated with the same Device ID, an investigator can determine the duration for which a USB device was connected to the system.
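The correlation described above, written out in Python as an added example that is not part of the ITM entry: it pairs each Event ID 2003 with the next 2102 for the same device ID, records whether an intermediate 2100 was seen, and reports sessions that never received a final disconnect. The (timestamp, event ID, device ID) record shape and the sample device IDs are assumptions, constructed here rather than taken from a real log.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Event IDs from the DriverFrameworks-UserMode/Operational log, as described above.
EVT_CONNECT = 2003           # USB device first recognised and connected
EVT_DISCONNECT_BEGIN = 2100  # intermediate disconnection
EVT_DISCONNECT_FINAL = 2102  # final disconnection

@dataclass
class UsbSession:
    device_id: str
    connected: datetime
    disconnected: Optional[datetime]  # None while the device is still attached
    saw_intermediate: bool            # a 2100 was seen before the 2102

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.disconnected is None else self.disconnected - self.connected

def correlate_usb_sessions(events):
    """Pair each 2003 with the next 2102 for the same device ID.
    `events`: iterable of (timestamp, event_id, device_id) tuples, any order."""
    open_sessions = {}  # device_id -> UsbSession still waiting for its 2102
    closed = []
    for ts, eid, dev in sorted(events, key=lambda e: e[0]):
        if eid == EVT_CONNECT:
            # A second 2003 with no 2102 in between means the final disconnect was
            # never logged: close the earlier session with an unknown end time.
            if dev in open_sessions:
                closed.append(open_sessions.pop(dev))
            open_sessions[dev] = UsbSession(dev, ts, None, False)
        elif eid == EVT_DISCONNECT_BEGIN and dev in open_sessions:
            open_sessions[dev].saw_intermediate = True
        elif eid == EVT_DISCONNECT_FINAL and dev in open_sessions:
            session = open_sessions.pop(dev)
            session.disconnected = ts
            closed.append(session)
        # A 2100/2102 with no prior 2003 (log enabled mid-session) is ignored.
    closed.extend(open_sessions.values())  # still attached when the log ends
    return sorted(closed, key=lambda s: s.connected)

# Constructed sample records, not real log data; the device IDs are placeholders.
SAMPLE_EVENTS = [
    (datetime(2024, 7, 31, 9, 0, 0), 2003, r"USB\VID_0000&PID_0000\SERIAL_A"),
    (datetime(2024, 7, 31, 9, 41, 10), 2100, r"USB\VID_0000&PID_0000\SERIAL_A"),
    (datetime(2024, 7, 31, 9, 41, 12), 2102, r"USB\VID_0000&PID_0000\SERIAL_A"),
    (datetime(2024, 7, 31, 10, 5, 0), 2003, r"USB\VID_0000&PID_0000\SERIAL_B"),
    (datetime(2024, 7, 31, 14, 0, 0), 2003, r"USB\VID_0000&PID_0000\SERIAL_A"),
]
```

Running correlate_usb_sessions(SAMPLE_EVENTS) yields one closed session for SERIAL_A of 41 minutes 12 seconds and two sessions (SERIAL_B, then SERIAL_A again) with no final disconnect, which is the state an investigator would report as "still connected or disconnect not logged".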

DT025: Windows Setupapi.dev.log

The setupapi.dev file, located at %systemroot%\INF\setupAPI.dev, is a text file that documents the details of the first time a specific device was connected to the computer. This file ensures the system has the appropriate drivers to read and access the media. Each log entry in this file begins with a section header whose latter part includes the device ID. This file does not provide information as to when the device was unplugged or disconnected.