Friday, February 7, 2014

USB Device Tracking Batch Script

Last month, I wrote about utilizing the Windows 7 Event Log in USB device tracking.  In my previous post, I mentioned automating the process using Microsoft's Log Parser, but didn't go into much detail regarding how to do so other than a couple of Log Parser queries.  This post introduces a batch script that can be used to quickly identify USB storage devices that have been connected to and disconnected from a Windows 7 system based on information available from the Windows Event Log, specifically the Microsoft-Windows-DriverFrameworks-UserMode/Operational event log.

The Log Parser query described in my previous post identifies the connection and disconnection events associated with a given device identifier, but is limited in that it requires the user to have knowledge of the USB device identifier and must be executed for each device identifier of interest.  In many cases, an examiner will not have knowledge of the device identifier(s) that should be targeted or may be interested in a listing of connection and disconnection events within a particular time period (regardless of the device connected).  This batch script accepts a Microsoft-Windows-DriverFrameworks-UserMode/Operational event log as input and parses the connection and disconnection events associated with each unique USB device identifier, based on the connection and disconnection Event IDs described in my previous post (i.e. 2003 for connect, 2100 for disconnect).

The batch script performs three main steps:
  1. Scans the event log and generates a list of device identifiers
  2. Removes duplicate device identifiers from the list compiled in Step 1
  3. Queries the event log for connection and disconnection events associated with each unique device identifier
It may seem odd at first to remove duplicate device identifiers in Step 2, but this important step eliminates the duplicate entries that would otherwise be found in the script output and allows for quicker execution of the script (as each device identifier will be queried only once within the event log).

[Screenshot: Example usage of evtx-usb.bat]
The script output is in CSV format and may look similar to the screenshot below.  The output includes the type of event (connect or disconnect), the device identifier, the time of the event, and the LifetimeID associated with the USB device connection session.

[Screenshot: Sample output of evtx-usb batch script]
As you can see, the screenshot above details three separate connection sessions for two different USB devices.  We know there are two separate devices because of the different device identifiers and we know there are three separate connection sessions by comparing the LifetimeID values.  For a refresher on the LifetimeID value, see my previous post.

The output of the batch script allows an examiner to easily pair connection and disconnection events using the LifetimeID value as well as quickly determine which devices may have been connected to the system at the same time by identifying different devices with the same LifetimeID.  Since the script output is in CSV format, filtering and sorting is easily accomplished using a spreadsheet editor.
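The three steps above and the LifetimeID pairing, worked through in Python as an added example (this is not the post's batch script or its Log Parser queries): it reads a simplified XML export of the DriverFrameworks-UserMode/Operational log, collects and dedupes device identifiers, and pairs 2003/2100 events per device by LifetimeID. The `InstanceId`/`LifetimeId` element names, the absence of the Windows event schema namespace and the sample records are constructed assumptions; adjust the element paths to match your own export.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

CONNECT, DISCONNECT = 2003, 2100  # Event IDs the post uses for connect / disconnect

def _ev(event_id, time, instance_id, lifetime_id):
    """Constructed event record in a simplified EVTX-XML shape (no schema namespace)."""
    return (f'<Event><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><UserData>'
            f'<InstanceId>{instance_id.replace("&", "&amp;")}</InstanceId>'
            f'<LifetimeId>{lifetime_id}</LifetimeId></UserData></Event>')

DEV_A = "USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer\\SERIAL_A&0"   # constructed identifier
DEV_B = "USBSTOR\\Disk&Ven_Kingston&Prod_DT101\\SERIAL_B&0"   # constructed identifier
# Two devices, three sessions; the third has no 2100 yet (device still attached at collection).
SAMPLE_XML = "<Events>" + "".join([
    _ev(2003, "2014-01-10T14:02:11Z", DEV_A, "{L1}"),
    _ev(2003, "2014-01-10T14:05:40Z", DEV_B, "{L1}"),  # shares LifetimeId with A: attached concurrently
    _ev(2100, "2014-01-10T14:30:02Z", DEV_A, "{L1}"),
    _ev(2100, "2014-01-10T14:31:15Z", DEV_B, "{L1}"),
    _ev(2003, "2014-01-11T09:12:00Z", DEV_A, "{L2}"),
]) + "</Events>"

def parse_events(xml_text):
    """Step 1: flatten each 2003/2100 event to (event_id, time, device_id, lifetime_id)."""
    rows = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        eid = int(ev.findtext("System/EventID"))
        if eid in (CONNECT, DISCONNECT):  # skip the other DriverFrameworks events
            rows.append((eid, ev.find("System/TimeCreated").get("SystemTime"),
                         ev.findtext("UserData/InstanceId"), ev.findtext("UserData/LifetimeId")))
    return rows

def unique_devices(events):
    """Step 2: the device-identifier list with duplicates removed (one query per device later)."""
    return sorted({dev for _, _, dev, _ in events})

def sessions(events):
    """Step 3: per device, pair connect and disconnect by LifetimeId.
    Returns (device_id, lifetime_id, connect_time, disconnect_time); None means no 2100 seen."""
    table = defaultdict(lambda: [None, None])
    for eid, time, dev, life in events:
        table[(dev, life)][0 if eid == CONNECT else 1] = time
    return sorted((dev, life, c, d) for (dev, life), (c, d) in table.items())

def csv_rows(events):
    """The post's CSV layout: event type, device identifier, time, LifetimeId, grouped per device."""
    return [("connect" if eid == CONNECT else "disconnect", dev, time, life)
            for target in unique_devices(events)
            for eid, time, dev, life in events if dev == target]
```

Two different device identifiers sharing one LifetimeID in `sessions()` is the "connected at the same time" case described above; a session with `None` as its disconnect time had no 2100 event in the exported log.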

Since the batch script relies on Microsoft Log Parser, you will need to download Log Parser here and ensure LogParser.exe and LogParser.dll are both in the same directory as the batch file.

The script is available for download here.

4 comments:

  1. Jason,

    Very cool approach...this is exactly what I do with LogParser to parse Windows Event Logs for inclusion in timelines; I use an event mapping file to prepend an artifact category identifier so that the timeline makes a little better sense.

  2. Harlan,

    Thanks. Log Parser was great for this because of its flexibility and power with Log Parser functions (such as EXTRACT_TOKEN), using wildcards, and assigning dynamic column headers.

  3. I wonder to myself: could this be used to track a USB device across multiple machines, and if so, locate the home location and flag potential nefarious uses? - Comedyloon

  4. Hi, you should be able to use the device identifier/serial number to track a device across multiple machines, but I'm not sure what you mean by locating the home location. Also, keep in mind that the DriverFrameworks-UserMode/Operational event log has a limited time span, as older events will roll off once the event log reaches its maximum size, so this batch script will miss connections and disconnections prior to the oldest record in the event log (although you could also run this against previous versions in VSCs).
