Eng Tha
USB Forensic Tracker
USB Forensic Tracker (USBFT) เป็นเครื่องมือที่ช่วยในการตรวจพิสูจน์หลักฐานจากอุปกรณ์ USB โดยจะดึงรายละเอียดต่างๆของการเชื่อมต่ออุปกรณ์ USB ทั้งจากอุปกรณ์ที่กำลังทำงานอยู่ (Live system) จากสำเนาข้อมูลที่ถูกคัดลอกโดยวิธีการทางนิติคอมพิวเตอร์ (forensic images)หรือ ไฟล์ข้อมูลของระบบที่ได้จากระบบปฏิบัติการ OSX เช่น เวลาที่เชื่อมต่อ USB หรือเวลาที่เอา USB ออก เป็นต้น รายละเอียดที่ได้จะแสดงในรูปแบบของตาราง และสามารถบันทึกเป็นไฟล์ excel

USBFT now has the ability to do the following:

  • Mount forensic images and volume shadow copies.
  • Display information about previously mounted TrueCrypt and VeraCrypt volumes.
  • Display information about files accessed from USB devices and link the files to specific USB devices.

USBFT extracts information from the following locations:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
  • HKEY_USERS\SID\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\EMDMgmt
  • C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx (Windows 7)
  • C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-ClassPnP/Operational.evtx 
  • C:\Windows\System32\winevt\Logs\Microsoft-Windows-WPD-MTPClassDriver/Operational.evtx
  • C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx
  • C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx
  • C:\Windows\INF\setupapi.dev.log
  • C:\Windows\INF\ setupapi.dev.yyyymmdd_hhmmss.log
  • C:\Windows\setupapi.log
  • “Windows.old” folder
  • Volume Shadow Copies
  • C:\Users\<user account>\AppData\Roaming\Microsoft\ Windows\ Recent\ <Lnk files>

    Mac OSX (tested on OSX 10.6.8 and 10.10.3)
  • /private/var/log/kernel.log
  • /private/var/log/kernel.log.incrementalnumber.bz2
  • /private/var/log/system.log
  • /private/var/log/system.log.incrementalnumber.gz
    Linux (tested on Ubuntu 17.04)
  • /var/log/syslog

USBFT requires Net Framework 4.5 to be installed on the system.

A 32bit and 64 bit version of USB Forensic Tracker is included in the download. If you run the 32 bit version on a 64 bit machine, USBFT will not display the results for the Event Log artefacts or for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices.

From the “Help” menu the user can check for updates.

This utility is released as freeware. You are allowed to freely distribute this program via any method, as long as you don't charge anything for this. If you distribute this utility, you must include all files in the distribution package, without any modification!

Icons by Everaldo Coelho from the Crystal project are used; these are released under the LGPL license.

Imager Mounter – a special thanks to Mark Spencer president of Arsenal Recon who has very kindly granted me permission to incorporate Arsenal Image Mounter (AIM) within USBFT. https://arsenalrecon.com/weapons/image-mounter/

The software is provided "AS IS" without any warranty, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason.

Version 1.1.3 August 2018
1) Fixed bug in the WPDBUSENUM tab where the time was not changing to UTC when selected by the user.
2) Changed the code so USBFT no longer processes the setupapi.upgrade.log file in order to avoid confusion between user generated times and dates and system generated times and dates.
3) In WPD tab changed code so if there is no description for the USB device it will not display any data in the serial column.
4) Merged the Description and MFG columns within the WPD tab into a single Description column in order to keep the same description format as the other tabs
5) USBFT will now operate correctly when selecting the custom folder option when the folder path has spaces within it.

Version 1.1.2 July 2018
1) Added 3 new columns to the “Win 10 Event Log” tab
 a. Volume Serial Number
 b. Volume GUID
 c. Drive Letter
2) USBFT now extracts information from the “Microsoft-Windows-Partition%4Diagnostic.evtx” log (including volume serial number)
3) USBFT now extracts information from the “Microsoft-Windows-Ntfs%4Operational” log
4) Added horizontal scroll bars to all tab views
5) Added word wrap to all columns
6) Minor changes to code

Version 1.1.1 June 2018
1) Added a new information tab to the UI (Accessed Files).
2) USBFT now extracts information about files accessed from USB devices and link the files to specific USB devices.
3) Made some minor changes to code.

Version 1.1.0 May 2018
1) Fixed a bug in code so USBFT now correctly extracts USB artefacts from the C:\Windows\INF\setupapi.upgrade.log file.
2) USBFT now extracts information about mounted TrueCrypt and VeraCrypt volumes. The information can be found under the “Registry-Mounted Devices” tab.
3) Fixed a bug in code so when wishing to export results from multiple mounted images to Excel, you no longer have to close and reopen USBFT between exports.

Version 1.0.9 February 2018
1) USBFT now extracts USB artefacts from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\EMDMgmt

Version 1.0.8 October 2017
1)USBFT now extracts USB artefacts from C:\Windows\INF\ setupapi.dev.yyyymmdd_hhmmss.log
2)USBFT now extracts USB artefacts from C:\Windows\INF\setupapi.upgrade.log
3)Added a RecordID column to the Win10 Event Log tab
4)Added a RecordID column to the Win 7 Event Log tab
5)Added the ability to mount forensic images
6)Added the ability to extract volume shadow copy information
7)Added the ability to extract USB artefacts from mounted volume shadow copies
8)Added the option to enable debugging.
9)Added a view debug log button
10)Added a delete debug log button
11)Made improvements to the code to make it more reliable and to support debugging
12)Updated Help file.

Version 1.0.7 August 2017
1) USBFT now supports the extraction of USB artefacts from Linux (Ubuntu) syslog files
2) Added styling and formatting to the Excel report

Version 1.0.6 August 2017
1.)USBFT now extracts data from the registry  key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SWD\WPDBUSENUM
2.)Setupapi Log – changed the name of the “Connection Date” column to “Device Install Date
3.)Added a new column called “Device Delete Date”. USBFT extracts the time and date when the device drivers are installed for a USB device (typically the first time it is connected).
4.USBFT now displays the time and date when the Windows Plug and Play Cleanup service deletes the drivers for a USB device and deletes the entries for the device from the registry. The time and date is displayed in the “Device Delete Date” column.

Version 1.0.5 July 2017
1)Changed the project over from Windows Forms to WPF MVVM to make it easier to maintain and update in the future.
2)Made major changes to the code throughout the project to accommodate the new format.
3) Added the ability to process a custom folder that contains the extracted Windows registry files, Windows logs and NTUser.dat files
4)Added the ability to extract USB artefacts from the “Windows.old” folder.
5)Added the ability to extract USB artefacts from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache
6)Added the ability for a user to extract the serial number of a USB device connected to the system.
7)Made changes to the title of the Win7 and Win10 Event Log tabs.
8)Added an EventID column to the Windows7 Event Log data grid and the Win10 Event Log data grid.
9)Removed the checkbox column from the data grids.
10)Removed the filter button from the menu (used to filter checked files).
11)Removed the Reload button ( now redundant)
12)Under Options => Export Options, added the ability for the user to select which data grids will be exported to the excel spreadsheet.
13)Combined all the DLL’s with the exe to make a single exe file for ease of deployment.

Version 1.0.3 November 2015
1) Added additional support for Mac OSX files. USBFT will now also process kernel.log and kernel.log.incrementalnumber.bz2 files
2) Modified code for USBSTOR section. For devices such as multi card readers that show as multiple drives with different drive letters but the same serial number, USBFT will now correctly display all of the drive letters.
3) Renamed the “Last Connection Date” column in the Device Classes section to “Connection Date”

Version 1.0.2 November 2015
1) Added the ability to extract USB artefacts from mounted forensic images.
2) Added the ability to extract USB artefacts from Mac OSX system files.
3) Made changes to code relating to obtaining the last modified date of registry keys.
4) Other minor changes made to some of the code to make more robust.

If you have any feedback please email us at forensictools@orionforensics.com

USB Forensic Tracker v1.1.3
บริษัท โอไร้อัน อินเว็สทิเกชั่น จำกัด
ห้อง 2001-2002 ชั้น 20 อาคารบางกอกบิสิเนส เซ็นเตอร์
29 สุขุมวิท 63 แขวงคลองตันเหนือ เขตวัฒนา กรุงเทพฯ 10110 ประเทศไทย
โทร : +66-2-7143801 ถึง 3 แฟ็กซ์ : +66 (0) 2 714 3804
อีเมล : hi-tech@orioninv.co.th หรือ forensics@orionforensics.com
A Member Of