Thursday, April 28, 2011

Using Log2Timeline with USB Device History

I just have to do a post about a benefit of using log2timeline, because this is entirely too cool.

On a recent investigation, one system had a Seagate FreeAgent Go (USB HD) attached at some point, and this showed up in USB history (from Woanware USB Device Forensics and RegRipper). However, I could not associate it with the user profile through MountPoints2 (MP2) because the USBSTOR didn't contain the Parent Prefix ID Prefix (PPID) for this device. The PPID is used in MountedDevices to identify the drive letter association and GUID; the GUID is then used in MP2 to identify the user (without the GUID you get nothing). Basically all I had was the Vendor, Product, and Version from USBSTOR, along with the connection date from DeviceClasses. As a side note, Enum\USB also did not provide the Volume ID (VID) or Product ID (PID).

At first I wasn't sure why the parsed MP2 didn't show the user association, so I went through the manual process (as detailed by SANS, Harlan Carvey, etc). This revealed what I've noted above regarding the PPID. Even though I did not necessarily need to, I also went through the setupapi.log just to confirm install date, and work the steps, as it were.

To quickly find the device in setupapi, I searched the file for "FreeAgent" using Notepad++. By clicking the "Find All in Current Document" button (as opposed to "Find Next"), I saw that there were hits in very different locations within the file. Looking more closely at these entries, I discovered that there had in fact been two Seagate FreeAgent Go drives attached to the system, more than a month apart. Well, well, well. The serial number for the second one (as logged in setupapi, which also showed the VID and PID) did show up in RegRipper's output for USBSTOR and DeviceClasses, but again that wasn't everything.

I must note at this point that until I started going through manually I hadn't spent a lot of time on RR's output, having focused on Woanware with its nicely organized text file and spreadsheet for ease of use as I had a lot of systems and not a lot of time. I had confirmed the first drive's existence, but hadn't looked to see if there were more like it. Good reminder to cross-check results, even though it may take significantly more time, depending on the amount of relevant data...

Anyway, all that said, here's the cool part with l2t. I loaded up my timeline (created by l2t's CSV output module) in Excel and went to the date/time of the initial setupapi.log entry. Sure enough, there were the install entries, just like expected. And immediately following the installation activity came the MountPoints2 key entry parsed from System Restore Point RPxxx, showing the user association. This was true for both drives in question. In addition, these historic MP2 entries showed the GUID, to help round out the analysis. Aaah, the sweet smell of forensication in the morning... ;-).

Call me a fanboy if you must, but I do like log2timeline. Thanks, Kristinn!



  1. Thanks for sharing the information,

    I tried the l2t but still can't figure out the command to create the timeline.

    Can you share with us about your experience in commanding the l2t?

    Appreciate it.

  2. FCL,
    Probably the best info source for l2t is Kristinn's site -

    It's also part of the SANS SIFT Workstation, and pretty much fully automated (see release notes, and you need a portal account) -

    Here are a few of my posts that may help you gain some insight into how l2t works -
    Keep in mind that newer versions of l2t make much of my work largely irrelevant, due to built-in automation.

    Hope that helps,