digital investigation 4 (2007) 7–12
available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/diin
Tackling the U3 trend with computer forensics
Andy Spruill a, Chris Pavan b,*
a Professional Services, Guidance Software, Inc.
b Guidance Software, Inc.
Abstract

A new technology has emerged, allowing applications to be stored and run on portable devices, such as flash drives and iPods. Sandisk's U3 smart technology appears to be becoming the standard in this new realm of portability. With the advent of this technology, questions are arising as to the effects it will have on computer forensic investigations. Probably hundreds of thousands of people have purchased devices with U3 or similar technologies already. The fear is that these people will be able to plug their devices into computers, do their misdeeds and then simply unplug those devices, removing any trace. This article will illustrate that this is not the case and will discuss different artifacts that a device such as this will leave behind. For the purposes of this illustration we have investigated the use of some of the most common applications used on U3 drives. This information will serve as a guide to investigating computer crimes perpetrated via U3 or similar technologies. Investigators must keep in mind during their investigations the possibility that their suspects have used such technology, particularly when their investigations seem to lead to a dead end.

Keywords: U3; Computer forensics; Smart technology; Thumb drives; Flash drives; Digital investigations

© 2007 Elsevier Ltd. All rights reserved.
1. Introduction
In the world of Digital Investigations we are constantly striving to keep up with technology. The U3 smart technology is our latest challenge. Digital Investigations these days almost always involve a thumb drive, because individuals have the capability to introduce and remove files from a computer with relative ease. A thumb drive with U3 technology affords a user the ability to not only carry their files but their applications as well, without installing them on the host computer. This portability makes the task of investigating an incident much more difficult. In the past, if a user emailed a file via webmail, a cached webpage showing the name of the file attached could be found on the hard drive. If a user was to use Firefox from their U3 thumb drive, the cache would be gone as soon as the user ejected and removed the drive.
This absence of data is alarming and creates several new challenges for an examiner. Typically in a corporate networking environment, users are not allowed to install their own applications for multiple reasons. The first and most obvious reason is security. Applications may be vulnerable and could cause a network to be compromised. U3 technology is able to circumvent an organization's current security, allowing employees to use their own applications without actually installing them on the organization's computer. This capability enables an individual to remove or transmit intellectual property (IP), and all of the forensic artifacts related to the IP, which would normally be found on the computer, would now be found only on the thumb drive. U3 also poses a problem for law enforcement. When investigating a crime, all of the prosecutable evidence may only be found on the U3 device. An all too familiar example is a child pornography case. By using a mail client that is installed on the U3 device, the suspect can easily take their images and movies with them. The suspect would also have the ability to download files without having to set up applications on the computer being used. Instant messenger clients also afford the suspect the ability to communicate and trade content. Although these devices may not leave a "smoking gun" on the host computer, they will leave behind a trail of forensic artifacts that can lead an investigator to the U3 device for further examination.

Examining the use of a U3 device is no different than examining the use of a normal thumb drive, with the exception of some additional artifacts left behind by the applications installed on the device which will be discussed later. There are several manufacturers that make U3 devices which can be found at a local computer or electronics store for under $100, making these devices readily available to the public. For the purposes of this article, a Memorex 2 GB Mini TravelDrive with U3 smart technology was used, which retails for about $85.

* Corresponding author. E-mail address: [email protected] (C. Pavan).
1742-2876/$ – see front matter © 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2006.12.001
2. The four most popular applications available for download

1. Firefox, a free, extremely versatile (open source) web browser.
2. Thunderbird, a free, extremely versatile (open source) email client.
3. Trillian, a multi-protocol Instant Messenger client.
4. Skype, a Voice Over IP application (allows calls to a standard phone).

All four of these applications are free to download and, in most cases, come preinstalled on the U3 device.
3. Device behavior
Any time a device is connected to a computer running the Windows XP operating system, multiple entries are made in the registry. The entries are necessary for the device to function. This is where an investigator can determine the vendor name, product name and product type of the U3 device he or she will need to obtain to further their investigation. When the U3 device was inserted into the computer the device presented itself as two separate devices. The first device is a CDROM drive labeled "U3 System Files" which contains the file necessary to run the U3 application. If autorun is enabled on the computer, then the U3 application automatically runs. This is standard across all U3 devices. The partition that the U3 device presents as the CDROM can be removed by the user.
The hardware ID for the CDROM in the registry is located here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\CdRom&Ven_Memorex&Prod_Mini_TravelDrive&Rev_6.50\0CF0C86102B0990B&1

Name: HardwareID
Type: REG_MULTI_SZ
Data:
USBSTOR\CdRomMemorex_Mini_TravelDrive6.50
USBSTOR\CdRomMemorex_Mini_TravelDrive
USBSTOR\CdRomMemorex_
USBSTOR\Memorex_Mini_TravelDrive6
Memorex_Mini_TravelDrive6
USBSTOR\GenCdRom
GenCdRom
The second device that is presented by the U3 device is the storage partition of the device. All of the user's documents, as well as the applications compatible with the U3 technology, are stored and executed from here.
The hardware ID for the removable drive in the registry is located here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Memorex&Prod_Mini_TravelDrive&Rev_6.50\0CF0C86102B0990B&0

Name: HardwareID
Type: REG_MULTI_SZ
Data:
USBSTOR\DiskMemorex_Mini_TravelDrive6.50
USBSTOR\DiskMemorex_Mini_TravelDrive
USBSTOR\DiskMemorex_
USBSTOR\Memorex_Mini_TravelDrive6
Memorex_Mini_TravelDrive6
USBSTOR\GenDisk
GenDisk
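As an added example that is not part of the article, the following Python script splits USBSTOR device-instance keys of the form shown above into their fields and flags any serial number that exposes both a CdRom and a Disk instance, the two-device behaviour described in this section. The first two key strings are the ones quoted in the article; the third is a constructed non-U3 drive for contrast.

```python
import re
from collections import defaultdict

# A USBSTOR device-instance key under HKLM\SYSTEM\CurrentControlSet\Enum looks like
#   <Disk|CdRom>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<instance>
USBSTOR_RE = re.compile(
    r"^(?P<type>Disk|CdRom)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<serial>[^&\\]+)&(?P<instance>\d+)$"
)


def parse_usbstor_key(key):
    """Split one USBSTOR instance key into its fields; None if it does not match."""
    m = USBSTOR_RE.match(key)
    return m.groupdict() if m else None


def find_u3_candidates(keys):
    """Group instances by serial number. A serial that exposes both a CdRom
    instance (the 'U3 System Files' partition) and a Disk instance (the user's
    storage partition) matches the two-device behaviour of a U3 drive."""
    types_by_serial = defaultdict(set)
    ident = {}
    for key in keys:
        rec = parse_usbstor_key(key)
        if rec is None:
            continue
        types_by_serial[rec["serial"]].add(rec["type"])
        ident[rec["serial"]] = (rec["vendor"], rec["product"], rec["rev"])
    return {s: ident[s] for s, t in types_by_serial.items() if {"CdRom", "Disk"} <= t}


# Constructed sample: the two instance keys quoted in the article plus one
# ordinary (non-U3) flash drive that exposes only a Disk instance.
SAMPLE_KEYS = [
    r"CdRom&Ven_Memorex&Prod_Mini_TravelDrive&Rev_6.50\0CF0C86102B0990B&1",
    r"Disk&Ven_Memorex&Prod_Mini_TravelDrive&Rev_6.50\0CF0C86102B0990B&0",
    r"Disk&Ven_Example&Prod_PlainDrive&Rev_1.00\1122334455667788&0",
]

if __name__ == "__main__":
    for serial, (ven, prod, rev) in find_u3_candidates(SAMPLE_KEYS).items():
        print(f"U3-style device: {ven} {prod} rev {rev}, serial {serial}")
```

On a real system the instance keys are the subkey names under the USBSTOR key, so the same functions can be fed the output of a registry enumeration.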
4. Artifacts left behind by U3 smart technology

Once the LaunchPad application is up and running, a "U3" icon appears in the task manager. By clicking on the "U3" icon a pop-up menu that displays the applications installed on the device appears. The following is a preview of the menu that pops up from the task manager once the device is inserted and the launchpad.exe application is running.

4.1. Link files
When the "Explore U3 Drive" option is selected a link file is created in the "Recent" folder of the logged-in user's profile. In this case EnCase V5 was used to parse the link file revealing the following:

Link file: C:\Documents and Settings\JQP\Recent\U3Shortcut.lnk
Created date: 10/13/06 10:00:41AM
Last written date: 10/13/06 10:00:42AM
Last accessed date: 10/13/06 12:00:00AM
Volume label: TravelDrive
Media type: Removable
Volume serial: D1 EC 1C 86
Base path: F:\Documents\U3Shortcut
This artifact demonstrates that file system browsing, including browsing the files on the U3 device, relies on Windows XP's built-in file explorer. Because the U3 application is not managing access to the file system, one should expect to find all of the normal Windows artifacts, such as link files. The typical habit of a Windows user is to "double click" files that they would like to access. This will cause a link file to be created on the host computer.
4.2. Files and folders
A folder is installed under the profile of the user that is logged in at the time the U3 device is inserted and the "LaunchPad" application is executed. When applications are run from the "LaunchPad" menu, files necessary for operation are copied into the associated folder. As a part of the U3 technology, all applications remove remnants left behind. In the example below, after Firefox was executed from the "LaunchPad" menu, several executables were created on the local computer.
Once the U3 device was ejected via the "LaunchPad" menu, the above folder structure was almost entirely deleted. The "U3" folder remained with a subfolder named "temp". Inside that folder remained a single executable named "cleanup.exe". The presence of this folder on a system provides evidence that a U3 thumb drive was inserted.

Utilizing a computer forensic tool such as the EnCase forensic tool, one is able to recover the above structure to further determine which applications have actually been used. The forensic tool will parse the orphaned MFT entries, in which you will find folders containing the data that the U3 application copies to the computer's hard drive during start-up. These folders are named with universal unique identifiers (UUIDs) and are also found on the U3 device itself. These unique identifiers are created upon launching an application from the U3 device. If one can obtain the device, one can match the application folder's UUID to the UUID of the folder on the actual U3 device that was used. This is a more conclusive method of proving a specific U3 device was used. If the user happens to update the application between the time it was used and the time of seizure, the hash values for the executables will not match. Therefore, hash value comparison is not the best method.

Within the UUID folders, there are "Manifest" folders which will typically contain two files. The first file is mandatory, and that is the "manifest.u3i" file. This XML file describes the executable, including the application name, vendor URL and any parameters required for the application to be used. The appearance of the manifest folder alone only indicates that the application was installed on the U3 device. The second file is an icon file for the particular application. When a program is actually executed from the U3 drive, a new folder named "Exec" is created under the UUID folder. All executable files required to run the application appear in this "Exec" folder. In some cases, the "Exec" folder will also contain configuration files necessary for the operation of the program, such as registry keys and .dat files. For example, Skype only leaves behind executables, whereas Firefox leaves several different registry keys.
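An added example, not code from the article: this Python classifies recovered UUID folders as installed (a Manifest/manifest.u3i is present) or executed (an Exec folder is present), and then matches the executed UUIDs against the folder names found on a seized device, the UUID comparison the authors prefer over hash matching. The hyphenated UUID layout, the file names and the device UUID list are constructed assumptions rather than values from the article.

```python
import re

# Assumed folder-name shape (8-4-4-4-12 hex); adjust if a real U3 folder differs.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def classify_u3_folders(paths):
    """paths: file paths (live or recovered from orphaned MFT entries) relative
    to the per-user U3 folder. Returns {uuid: {installed, executed, exec_files}}.
    Manifest/manifest.u3i proves the app was installed on the device; an Exec
    folder proves it was actually launched from the device on this host."""
    apps = {}
    for p in paths:
        parts = p.replace("\\", "/").split("/")
        if len(parts) < 3 or not UUID_RE.match(parts[0]):
            continue  # e.g. temp/cleanup.exe, which is not an application folder
        rec = apps.setdefault(parts[0].lower(),
                              {"installed": False, "executed": False, "exec_files": []})
        if parts[1].lower() == "manifest" and parts[2].lower() == "manifest.u3i":
            rec["installed"] = True
        elif parts[1].lower() == "exec":
            rec["executed"] = True
            rec["exec_files"].append("/".join(parts[2:]))
    return apps


def match_to_device(host_apps, device_uuids):
    """UUIDs of applications executed on the host whose folder also exists on
    the seized device: the identity check that survives an application update."""
    device = {u.lower() for u in device_uuids}
    return sorted(u for u, r in host_apps.items() if r["executed"] and u in device)


# Constructed sample: two application folders recovered from a host (one launched,
# one only installed) and the UUID folders listed on a seized device.
HOST_FILES = [
    "temp/cleanup.exe",
    "11111111-2222-4333-8444-555555555555/Manifest/manifest.u3i",
    "11111111-2222-4333-8444-555555555555/Manifest/app.ico",
    "11111111-2222-4333-8444-555555555555/Exec/browser.exe",
    "11111111-2222-4333-8444-555555555555/Exec/settings.dat",
    "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee/Manifest/manifest.u3i",
]
DEVICE_UUIDS = {
    "11111111-2222-4333-8444-555555555555",
    "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
    "99999999-8888-4777-8666-555555555555",
}
```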
4.3. Prefetch files
After one determines that an application has been run via the U3 drive, one can further establish use of the application by examining the prefetch folders. When the device is removed from the system it does not clean up the "prefetch" folder, instead it leaves behind additional prefetch files which further demonstrate that a U3 device was inserted into the system. Prefetch files are created by the Windows XP operating system in order to help speed up the execution and performance of applications. Prefetch files can be examined to determine a time frame for the use of U3 applications. For example, the "Last Written" date on the "cleanup.exe" prefetch file would indicate when the U3 device was ejected via the U3 application.
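Added example, not the authors' code: a Python decoder for the Windows XP prefetch header (format version 17: executable name at 0x10, path hash at 0x4C, last run FILETIME at 0x78, run count at 0x90) that takes CLEANUP.EXE's last run time as the ejection time and reports which U3 executables ran at or before it. The .pf blobs, hashes and timestamps below are constructed inside the block; the U3 executable names are assumed to come from the Exec folders described in Section 4.2.

```python
import struct
from datetime import datetime, timedelta

EPOCH_1601 = datetime(1601, 1, 1)  # FILETIME epoch; ticks of 100 ns, UTC

def parse_xp_prefetch(blob):
    """Decode a Windows XP (format version 17) .pf header: executable name at
    0x10 (UTF-16LE, 60 bytes), path hash at 0x4C, last run FILETIME at 0x78,
    run count at 0x90. Later Windows versions use different offsets."""
    version, sig = struct.unpack_from("<I4s", blob, 0)
    if version != 17 or sig != b"SCCA":
        raise ValueError("not a Windows XP prefetch file")
    name = blob[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", blob, 0x4C)
    (last_run,) = struct.unpack_from("<Q", blob, 0x78)
    (run_count,) = struct.unpack_from("<I", blob, 0x90)
    return {"exe": name, "hash": f"{path_hash:08X}", "run_count": run_count,
            "last_run": EPOCH_1601 + timedelta(microseconds=last_run // 10)}

def make_xp_prefetch(exe, path_hash, last_run, run_count):
    """Build a header-only v17 blob (constructed test data, not a real .pf file)."""
    blob = bytearray(0x98)
    struct.pack_into("<I4s", blob, 0, 17, b"SCCA")
    blob[0x10:0x4C] = exe.encode("utf-16-le")[:60].ljust(60, b"\x00")
    struct.pack_into("<I", blob, 0x4C, path_hash)
    ticks = (last_run - EPOCH_1601) // timedelta(microseconds=1) * 10
    struct.pack_into("<Q", blob, 0x78, ticks)
    struct.pack_into("<I", blob, 0x90, run_count)
    return bytes(blob)

def u3_session(blobs, u3_executables):
    """CLEANUP.EXE's last run dates the ejection; U3 executables (names from the
    Exec folders) last run at or before it belong to that final session. A .pf
    file is rewritten on every run, so it records the most recent execution only."""
    recs = [parse_xp_prefetch(b) for b in blobs]
    eject = next((r["last_run"] for r in recs if r["exe"].upper() == "CLEANUP.EXE"), None)
    wanted = {e.upper() for e in u3_executables}
    runs = sorted((r["last_run"], r["exe"]) for r in recs if r["exe"].upper() in wanted)
    return eject, [r for r in runs if eject is None or r[0] <= eject]

# Constructed Prefetch folder: launch, two U3 apps, a non-U3 program, the cleanup run.
SAMPLE_PF = [
    make_xp_prefetch("LAUNCHPAD.EXE", 0x1A2B3C4D, datetime(2006, 10, 13, 9, 58, 10), 3),
    make_xp_prefetch("FIREFOX.EXE", 0x5E6F7A8B, datetime(2006, 10, 13, 10, 5, 30), 2),
    make_xp_prefetch("NOTEPAD.EXE", 0x7E8F9A0B, datetime(2006, 10, 13, 10, 10, 0), 9),
    make_xp_prefetch("CLEANUP.EXE", 0x3A4B5C6D, datetime(2006, 10, 13, 10, 30, 0), 3),
    make_xp_prefetch("SKYPE.EXE", 0x9C0D1E2F, datetime(2006, 10, 13, 11, 20, 0), 1),
]
U3_EXES = {"firefox.exe", "skype.exe"}
```

Skype's prefetch entry postdates the cleanup run, so it is reported as outside the final session; the file system "Last Written" time of each .pf file gives the same ordering without decoding the header.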
Even though a U3 device has been used and the actual data did not rest on the hard drive of the computer, there are plenty of artifacts left behind that demonstrate the insertion and use of the device. Once a U3 device has been identified as having been used and physical control of the device has been obtained, you may encounter one very notable obstacle. If password protection has been enabled on the device, no current technology exists that will allow you to circumvent this security feature. If the password is set on the U3 device, it will not present the storage partition to the computer. If you are not able to get the password from the owner (i.e. they are deceased or will just not give it up) you will have to find another way of getting past the security. Best practices in this scenario would be to crack other passwords on the suspect's computer systems (i.e. LM Hash) and try those. Future development may lead to an application vulnerability or a way to brute-force the password. As the forensic community begins to encounter these devices, different techniques and methodologies will be developed for examining the data contained on them.

Sandisk's website includes product copy that states the following:

"PuTTY for U3 is fully U3 certified and is compatible with all current U3 enabled smart drives. What does this mean to you? Well, you can now bring your telnet/ssh client with you on the go, save your sessions (username/passwords, hostnames, encryption keys, display settings, etc.) directly to your U3 smart drive. When you unplug your smart drive or exit your Launchpad, *poof* you were never there!"

That is quite an alluring claim. Unfortunately for any wrongdoers, it is not true. First of all, if the user just unplugs the thumb drive without ejecting via the LaunchPad, all data will remain; "cleanup.exe" will not run. In the case of PuTTY being used, all of the saved session information (i.e. server address, protocol, and password) will be left behind in the registry. Even if the drive is ejected properly, investigators will know if someone was there, and they will know exactly which applications were used. Through proper investigative techniques, this information can be used to tie the use of these applications to the suspects, warranting the seizure and analysis of the device. The trail of evidence can be followed throughout the suspect's digital life. The U3 device is merely a bridge between the computers the suspect is using. There will be evidence of that device and the suspect's actions on every digital storage medium he or she has accessed.