With data theft occurring frequently, and corporate clients needing to prove that data was stolen, it is critical that any forensics investigator worth their salt (and their salary) is able to undertake at least a rudimentary investigation into data theft.
When approaching a data theft investigation, several different areas need to be examined, including:
- Personal Email
- Corporate Email
- USB activity
- Instant messaging
- DVD burning
- Hard drives being added
- FTP access
These areas will be covered over the course of this series; the first area to be covered is USB activity.
When a USB drive is first connected to a computer, drivers need to be installed for it to work correctly and the device has to be registered with the computer. Fortunately there is a log of this activity: it is stored in SETUPAPI.LOG.
SETUPAPI.LOG keeps a record of a variety of hardware changes made to a computer, including the first time a USB drive was connected to it. It records information about the drivers used, the make and model of the USB drive and the PID from the USB chip, which is almost unique and can be used to trace a USB drive. The file itself is a plain text log, so it can be copied out and then keyword searched. However, due to the volume of information involved, this is not an effective method.
A freely available tool to resolve this issue is SAEX, produced by a senior forensic investigator (with both law enforcement and corporate experience). This tool takes a SETUPAPI.LOG file and converts it to a spreadsheet to allow filtering, so that activity such as USB connections can easily be determined (the file needs to be copied out of the image first, e.g. using EnCase or FTK, and SAEX can then be pointed at the file).
During investigations it should be remembered that SETUPAPI.LOG is a system-level file: it does not record which user did what, but rather what happened to the system. Other information, such as logon records, needs to be used to show that a particular user was logged in at a given time.
It should be noted that this log file only records when a USB device was first connected, NOT the last time it was connected (unless they are one and the same).
This can be a very important date during a forensic investigation. If, for example, an individual has been accused of data theft and on their last day of employment a series of new USB thumb drives can be seen being connected to the computer, red flags need to be raised. Equally, if the accused individual has been connecting USB drives throughout their entire employment, this may show that it is accepted within the company that people use thumb drives. Neither scenario proves or disproves guilt, but it can help build a picture of activity.
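As an added example (not SAEX or any code from the article), the following Python script does the two things the paragraphs above describe: it turns a SETUPAPI.LOG-style text file into spreadsheet-ready rows instead of relying on keyword searching, and it keeps only the earliest entry per device serial, since the log records first connection rather than last. The sample log is constructed and modelled on the Windows XP layout (a `[date time pid.seq Driver Install]` header followed by `#I`/`#-` lines); the regular expressions, the column names and the `installs_between` helper are assumptions of this example and should be checked against a real file.

```python
"""Triage USB mass-storage installs from a SETUPAPI.LOG-style text log.

Added example (not SAEX). The sample is CONSTRUCTED in the Windows XP
SETUPAPI.LOG style; the layout differs between Windows versions, so the
regexes below are assumptions to verify against a real file.
"""
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: two thumb drives and a keyboard, plus one driver
# re-install of the first drive three weeks after it was first seen.
SAMPLE_LOG = r"""
[2008/03/12 09:14:05 1180.3 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_0781&pid_5406&rev_0200,usb\vid_0781&pid_5406
#I022 Found "USB\VID_0781&PID_5406" in C:\WINDOWS\inf\usbstor.inf; Device: "USB Mass Storage Device"; Provider: "Microsoft"; Section name: "USBSTOR_BULK".
#I121 Device install of "USB\VID_0781&PID_5406\2444221A3B5C6D7E" finished successfully.
[2008/03/12 09:14:07 1180.5 Driver Install]
#-019 Searching for hardware ID(s): usbstor\disksandisk_cruzer_micro_____8.02,usbstor\disksandisk_cruzer_micro_____
#I022 Found "USBSTOR\DiskSanDisk_Cruzer_Micro" in C:\WINDOWS\inf\disk.inf; Device: "Disk drive"; Provider: "Microsoft"; Section name: "disk_install".
#I121 Device install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_8.02\2444221A3B5C6D7E&0" finished successfully.
[2008/03/13 17:52:41 1180.9 Driver Install]
#I121 Device install of "USB\VID_045E&PID_00DB\6&1A2B3C4D&0&1" finished successfully.
[2008/03/28 16:40:12 1180.14 Driver Install]
#I121 Device install of "USBSTOR\DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP\001CC0EC3420EB1180000015&0" finished successfully.
[2008/04/02 08:03:55 1180.21 Driver Install]
#I121 Device install of "USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_MICRO&REV_8.02\2444221A3B5C6D7E&0" finished successfully.
"""

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ .+\]$")
INSTALL_RE = re.compile(r'^#I121 Device install of "([^"]+)" finished successfully\.$')
# Child node (usbstor.sys): vendor, product, revision and the device serial.
USBSTOR_RE = re.compile(
    r"^USBSTOR\\DISK&VEN_(?P<vendor>[^&]*)&PROD_(?P<product>[^&]*)"
    r"&REV_(?P<rev>[^\\]*)\\(?P<serial>[^&\\]+)", re.IGNORECASE)
# Parent node (hub driver): the chip's VID/PID with the same serial.
USB_RE = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})\\(?P<serial>[^\\]+)$",
    re.IGNORECASE)


@dataclass
class UsbInstall:
    when: datetime
    device_id: str   # full instance ID as it appears in the log line
    vendor: str
    product: str
    revision: str
    serial: str
    vid: str = ""    # filled in by joining the parent USB\VID_ node on serial
    pid: str = ""


def parse_setupapi(text):
    """One UsbInstall per USBSTOR 'Device install ... finished successfully' line."""
    when, vidpid_by_serial, installs = None, {}, []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:  # each section header carries the timestamp for the lines below it
            when = datetime.strptime(h.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = INSTALL_RE.match(line)
        if not m or when is None:
            continue
        device_id = m.group(1)
        u = USB_RE.match(device_id)
        if u:
            vidpid_by_serial[u["serial"].upper()] = (u["vid"].upper(), u["pid"].upper())
            continue
        s = USBSTOR_RE.match(device_id)
        if s:
            installs.append(UsbInstall(when, device_id, s["vendor"], s["product"],
                                       s["rev"], s["serial"]))
    for ins in installs:  # attach VID/PID from the parent node, if logged
        ins.vid, ins.pid = vidpid_by_serial.get(ins.serial.upper(), ("", ""))
    return installs


def first_connections(installs):
    """Earliest entry per serial: the log records the first connection, so a
    later repeat usually means a driver re-install, not a later plug-in."""
    first = {}
    for ins in sorted(installs, key=lambda i: i.when):
        first.setdefault(ins.serial.upper(), ins)
    return list(first.values())


def installs_between(installs, start_iso, end_iso):
    """Installs with start <= time < end (ISO dates), e.g. an employee's last day."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [i for i in installs if start <= i.when < end]


def to_csv(installs):
    """Spreadsheet-ready rows, one per device, for filtering in a sheet."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["first_seen", "vendor", "product", "revision", "serial", "vid", "pid", "device_id"])
    for i in installs:
        w.writerow([i.when.isoformat(sep=" "), i.vendor, i.product, i.revision,
                    i.serial, i.vid, i.pid, i.device_id])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(first_connections(parse_setupapi(SAMPLE_LOG))))
```

Run against a real file by replacing `SAMPLE_LOG` with the contents of a SETUPAPI.LOG copied out of the image. Note that the Kingston row has no VID/PID because the constructed log has no matching parent `USB\VID_` entry; on a real system that join is only as good as what was logged, and, as the article says, the dates show what happened to the system, not which user was logged on.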
The registry, as all forensic investigators will know, is a fantastic source of information, though very complex. This article is not the place for a highly detailed discussion of the registry. It is enough to know, at this point, that the ENUM\USB entry in the SYSTEM registry hive stores the last time the USB drive was connected. There can be problems with this registry date: for example, if the computer was not turned off for several days and the USB drive was reconnected several times, or if the computer was booted with the drive in, an older date may be recorded than the last time the USB drive was actually plugged in.
A later, more detailed article will cover these registry dates and which drive letter was assigned to a given USB drive.