dissect.target.plugins.os.windows.regf.usb

Module Contents

Classes

UsbPlugin

Windows USB history plugin.

Functions

unpack_timestamps	Unpack relevant Windows timestamps from the provided USB registry properties subkey.
parse_device_name	Parse a registry device name into components.

Attributes

UsbRegistryRecord
USB_DEVICE_PROPERTY_KEYS
RE_DEVICE_NAME

dissect.target.plugins.os.windows.regf.usb.UsbRegistryRecord

dissect.target.plugins.os.windows.regf.usb.USB_DEVICE_PROPERTY_KEYS

dissect.target.plugins.os.windows.regf.usb.RE_DEVICE_NAME

class dissect.target.plugins.os.windows.regf.usb.UsbPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Windows USB history plugin.

Parses Windows registry data about attached USB devices. Does not parse EVTX EventIDs or C:\Windows\inf\setupapi(.dev).log.

To get a full picture of the USB history on a Windows machine, you should parse the relevant EventIDs using the evtx plugin. For more research on event log USB forensics, see:

• https://www.researchgate.net/publication/318514858_USB_Storage_Device_Forensics_for_Windows_10

• https://dfir.pubpub.org/pub/h78di10n/release/2

• https://www.senturean.com/posts/19_08_03_usb_storage_forensics_1/#1-system-events

Resources:

• https://hatsoffsecurity.com/2014/06/05/usb-forensics-pt-1-serial-number/

• http://www.swiftforensics.com/2013/11/windows-8-new-registry-artifacts-part-1.html

• https://www.sans.org/blog/the-truth-about-usb-device-serial-numbers/

USB_STOR = 'HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR'

PORTABLE_DEVICES = 'HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices'

MOUNT_LETTER_MAP = 'HKLM\\SYSTEM\\MountedDevices'

USER_MOUNTS = 'HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Mountpoints2'

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

usb() → Iterator[UsbRegistryRecord]

Yields information about (historically) attached USB storage devices on Windows.

Uses the registry to find information about USB storage devices that have been attached to the system. Also tries to find the past volume name and mount letters of the USB device and what user(s) interacted with them using explorer.exe.

find_volumes(serial: str) → Iterator[str]

Attempts to find mounted volume names for the given serial.

find_mounts(serial: str) → Iterator[str]

Attempts to find drive letters the given serial has been mounted on.

find_users(volume_guids: list[str]) → Iterator[str]

Attempt to find Windows users that have interacted with the given volume GUIDs.

dissect.target.plugins.os.windows.regf.usb.unpack_timestamps(usb_reg_properties: dissect.target.helpers.regutil.VirtualKey) → dict[str, int]

Unpack relevant Windows timestamps from the provided USB registry properties subkey.

Parameters:

usb_reg_properties – A registry object with USB properties.

Returns:

A dict containing parsed timestamps within passed registry object.

dissect.target.plugins.os.windows.regf.usb.parse_device_name(device_name: str) → dict[str, str]

Parse a registry device name into components.