跟踪USB存储：分析USB存储设备所产生的Windows历史记录

ß*USBX¨USBX¨¾@§„Windows†ò°Us.ÍUSBX¨Windows†ò°U¾IDsÒs(¡i¾ùaXS*USBX¨¾Ԃ*UØ Þ¥0Windowsûßöûß1ú›Æ&ٛÆ&_ð\†ò°U(ûßsíöÍ6X((¸ŵٛ†ò°Uïý«(eÆ+þÏÞ¥0Windowsû߄yš¾åùX(„î˜ÛLÖÁ2005t1/¡ý PløúH(2L;¿USB /A¸;Þ¥0¡—:û߄Í:6@Í7„¾ÇUSBÞ¥0ð¡—:òÏؗˆnM,‡ÅPŽ£›ï é„
ïû¨„X¨Ë(ÙÅìƄUØØìp
ø:
*º’S­håÊ*ņ„X¨¾ԂŠìpWX¨zôŒvƒy„^ëÙÍX¨Ë(:(7ë¤b‡öЛ†M@* „¿)ÑàtÙ;„÷¯ÂÌF/vX¨Æ¦t ˆ'„ÐØÙÍX¨¾(Ù(7&e¹¿„ö_&e†ïýƄ‰hÎiy+/(
¯ƒ-Ù͹Ï'Sï„X¨¾:}ŒƒÖ'ϐÁŒO„áoЛ†©¤Ƅ3.5ñøoØ}6ˆ¹Ï(c„ã‹ÌFƒêýX¨1.44MB„pn*å 1GBóô'X¨zô„UØï刹„Ïwevï幗t*pn“¸p
ø:(Windowsûß-«(\ƄX¨’Sv Ø&ØïåÏUØ7(:†Ð›Î*ûß-lûpn„¹ÕUSBX¨¾ïåèã
“e0æ„×ݤ„ûßQÜ(P6†Ï2k™ŒeµÀKûßI¹L2¡H‡„ŵÈï(7‚œ(†*ÏÀå*«Ñ§„USBX¨¾öv„ã
ïý(à-åvƒ¹eS*USBX¨¾Þ¥0*WindowsûßöÙ*û߄q¨h6ÆÙ*¾„áo6ƒ)(ٛáo(Ù*ûßúË*ì˄†ò°UÙ*áo«úX(Ù*ûß-'pŵ(vƒ„WindowsûßÙ*áo_/7„ٛ†ò°UïåöíÞ¥(Ù*û߄USBX¨¾„(öô¿ØïåÁÙ*¾þÞ¥0vƒ„WindowsûßÙ*áoïå(eÛeÛL¡—:ÖÁåv°UeÙLJ਺„7‹Í\ûß/WindowsXPv'è„áo_(ŽWindows2000Œ2003ºðèŒh°US*X¨¾ÇUSB¥ãÞ¥0*WindowsûßöÍ\ûß1Ñ°Ù*°lö„D áovøs„q¨h1ûBÙ*¾„nÏð&[1]ånš¾„6F
H,÷
¾Í{åÊvƒáo‚œUSBÆ¿hq¨Ñ°*°„USB¾Þ¥0Ù*ûßûß1ÕþbÙ*¾„nÏð&úŽÎÙ*¾b„Ïð&Windows1 g‚ú¾ž‹Æ&¾ID [2]USB\VID_v(4)&PID_d(4)&REV_r(4)¾ID-@H°ú„pô¥Öê¾Ïð&[3]v(4)/¾Ïð&-idVendor߄*ÛúŽUSB¥ã„HID¾¥ã¾¡·º‡ûÑ2M›”Fã
d(4)/idProductß-„*ÛM§Áã
r(4)/*ÛM„H,ã
Windows_ξÏð-ÐÖ{+
bDeviceClassß
P{+
bDeviceSublassß ŒO®
bDeviceProtocolß å¿ú|¹„¾Ïð&|¹ID U‚œóÙÍÏð&„‹Pïå(USBX¨¾Þ¥(ûßöS¾¡h((2L;¿§6h éù”„¾ԂUSBMassStorageDevice 6óûvÎÉÜU- é^' éæÆáo~6ÎÉU 龋ID
löID|¹IDø”„1:(æÆáoÙ„‡,F-‚þ1@:sÒs(¡h1¿îèŒhåšMsÒs(¾„inf‡öÙ*èŒh./HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersionTH1/DevicePath„Ù*„pn{‹:REG_EXPAND_SZ1/Ù*pnïå *ï„(ؤŵÙ*ï„WindowsûßîU„INF‡ö9_1/%SYSTEMROOT%\Inf sÒs(¡h9n¾‹IDŒ|¹IDû~¾ï„èŒh.-@ú„ø”q¨„ï„6(000xFFFFKôùÑ°„q¨ÛL’[4]÷N„q¨1«‰ÅsÅ}usbstor.inf‡ön0ú†Í\ûß@/
„¾ID‚œÎ¾Ïð&-@·Ö„Ïð&usbstor.inf‡ö-„ûU*ø9MÍ\ûß1Å}usbstor.sysq¨[5]æq¨«Å}ûß1:Ï*¾;‘UCú*°„i¾ùasPDOPDO„‚USBSTOR\v(8)p(16)r(4)(PDO-v(8)/*8MW&„›”FÆ&p(16)/*16MW&„§ÁÆ&r(4)/*4MW&„H,§+Ǿ¡hå¾ID1Ñ° æ„12MD (¾IDb‚@ð Ù/¾„÷¾„¾Ïð&+*ëZiSerialNumber„Ù1/+ ¾÷„W&2„‚œiSerialNumber„/0x00£HÙ*¾1¡ ÷&ƒ„1/ïå«~0„ãh¾÷„W&2„[6]Ù*÷ùÙ*¾eô/ì „v/(ŽÆ+ûß-¾„ìy¹ÕÙ*÷(vƒ„Windowsûß-_/Æ+¾„ìy¹Õèþ1¾^'„æÆáo~-:¾‹IDþ2ÇUVCViewå0„÷ß*USBX¨USBX¨h@§„Windows†ò°U30ùŽÏ*USB„æÆÏð÷v/Å{+ „Ù¹ˆÍsŽÙ¹b„vƒî˜(ôè\ñe¢¨(USBÞ¥„X¨¾„÷ïå(UVCView[7]åwåÙ*åwïåÎMS—0þ2:†ÇUVCViewå0„*(USBÞ¥„X¨¾„÷¡ ÷„¾(,Œ*&W&bK12MW&æÆô‚UúÙ*Æ&„‡ö/àÕΛ”F£Ì·—„F/žŒŒÏŒhp,Œ*W&_/&v„¾@Þ¥„USBïãù”¾‹ID[8]/1sÒs(¡h„v@*lö@Òe„*USBÆ¿hïã„Øæ¾Þ¥v(7òÏ¿î†Ù*X¨¾Þ¥„Õùs†ò°U1(èŒhŒ‡öûß-h°úeìsè„,*èŒh.1/HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB(Ù*èŒh.bØ û„P.Ï*ýŒKMËÍDŽ¾ID ø„sUSB\VID_v(4)&PID_d(4)&REV_r(4) ٛ¾ID„Ï*P.ý *ô„P.ٛý/þÞ¥0ÇÙ*û߄¾„‹IDìsè„,Œ*èŒh./HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBStor(HKLM\..\Enum\USBStor.K„P.ŒUSB.K„¾IDP. ø„F/ÙÍAmÛ6„ï嫺ìïåû„pÿb,ŵ(USBStor. ô„P.à:ƒwS0USB'¹ÏX¨¾USB./:(USBÞ¥„¾¾„1ÏUSBP.7(USBStor.„¾IDP.K_ *óô„‹IDP.ƒãh†Ï*þÞ¥0Ù*û߄¾þ3Ùú†ù”„èŒh.„7‹:†*¾„USBŒUSBStor.„eãèŒh *«ð\™eöôvƒìøs„Ù*Œî9öôøÑvŒ‡ö sà:ƒåÐ͹h:†èŒh.!î9„öôS:†Í7„åâèŒh.ö9nUSBX¨¾ s„(7L:Ù*.„î9öôïå(e°Uèöô¿þ3ÆUSBX¨¾„èŒheã7‹úŽUSB¥ã„HID¾¥ã¾¡·º‡ûÑ4+& q¨Ø&„USBX¨¾ïåÇå‚èŒh.„èŒh0HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\:†nšÙ*USBX¨¾«M†ê*q¨Ø&ìÅ{ÎUSBSTOR„¾èŒh.„ParentIDPrefix-Öúì)(þ3-¾„8&2713a8a1&0\:*‹PèŒh.HKLM\System\MountedDevicesÁþ4 ô¤@‰Å¡h8E„ðpn“[9]Ù*.„1û„wðå\??\Volume{GUID}\„X( Œq¨Ø&(\DosDevices\C:h: ĉŹ_ïý+(…(‚h:\DosDevices\driveletter:\mountpoint Ï*ÙÍ&÷þ¥ý4 y „wÆ&Œy „wð÷Æ ÙÍy „IDA¸ûßÆ+›h:*w„&÷þ¥ٛy „ID+†ParentIDPrefix„@ ٛP.„ýåŒÛ6„bX¨Ù*ŒÛ6pnsREG_BINARYpn{‹ „p¹35M/wSP. s„X¨¾„ParentIDPrefix‚þ5„OU*þ@:Ù*áoïå(ewS„USBX¨¾0Mك„q¨Ø&þ6‹ô†/USBStor.v¾„Perl,„“úPerl,/ŽUSBStorèŒh.vúÏ*Œ¾IDøô„P.Ù*,:†& ™eöô„¾ID1/.ó¹ì÷-@:„…¹Ù*,ù¾ID.K„Ï*‹ID.Zúø„æØ:úDeviceDescr„(ٛ°a„Ìþ4‰Å¾„èŒh.þ5Ø®:ParentIDPrefix„‰Å¾pnß*USBX¨USBX¨h@§„Windows†ò°U5Ù*,ÎÏ*‹IDP.-6ÆParentIDPrefix„pn6vè:‰Å¾.„…¹v)(„H6Æ0„ParentIDPrefix(USBÞ¥„X¨¾0MÙÙ*¾„q¨Ø&6q¨Ø&„Mv//„Mbþ6@„‹P/2005t45åŒ6Æ0„÷/0738015025AC„USBX¨¾/(£)Þ¥0KÕû߄vM„Ø&/D:6èŒh.-„™eöôv¡ ‚M@ð„£7͔ùq¨Ø&„Í\÷:9487B4B0401DB6B5„USBX¨¾Þ¥0ûßvÍ°ÐLusbkeys.pl„Perl,§†þ7@:„“úè‰Å¾.òÏô°1ÏòÏ9dž„4Ù*.„™eöôMounted-Devicesó¹„ì÷- @í:„£7°¾q¨Ø&„Í°Mw†™eöô„ô°)(ٛáoÀåX1ïå)(vƒû߄†ò°U‹‚ѿcŒLNK‡ö eôñe0†ãyš„USBX¨¾„(þ7usbkeys.pl„Perl,“ú7‹þ6usbkeys.pl„Perl,“ú7‹úŽUSB¥ã„HID¾¥ã¾¡·º‡ûÑ6‡öû߄†ò°UÎMbÐʄèŒh.-üú„áoïåÇùÎ%SYSTEMROOT%ÆXP‰Å/(C:\WINDOWS Ì~0„setupapi.log[10]‡ö„K՗0 :Ù*‡öøSæÆ0°U†q¨
¡Œíîe
„‰Åb/êsetupapi.log‡ö„è[2005/03/3007:13:591172.19DriverInstall]#-019c(å~löID(s):usbstor\diskwd_fl