Channels ▼


Device Trails

Source Code Accompanies This Article. Download It Now.

There's More!

In addition to the basic information kept by the PNP in the registry, much more specific information can often be traced.

When synchronizing a mobile device, such as a Windows Mobile-based pocket PC, ActiveSync (the main application used to synchronize Windows Mobile-based devices with desktops) leaves traces of when the synchronization was done, what was synchronized (e-mail, files, and the like), and more. This information lets anyone with access to the computer know which mobile devices were attached to that computer, as well as names, versions, and so on. If users chose to synchronize files with a device, the folder of that synchronization can be found and the files within it accessed.

Another forensic trail can be found within emerging hardware standards. Given the imminent arrival of wireless USB and wireless Firewire, for instance, Windows is trying to keep pace by delivering standard drivers to new ports.

However, before a device stack is added to the OS, different manufacturers utilize it. In other words, before Microsoft added Bluetooth support to Windows XP SP2, for example, many implementations were popular in the market. These implementations will probably be obsolete in a few years.

Bluetooth Footsteps

Other examples of device-related forensics information can be found when using different driver stacks for Bluetooth. One such driver stack comes with Windows XP SP2 and is written by Microsoft; another popular driver stack is Broadcom's Bluetooth driver stack ( A Bluetooth device is connected to a computer with a pairing process. During that pairing process, users might be asked to enter a PIN to both the computer and the associated device. After this process, the computer can interact with the specific device as they share a link key (that is specific to this computer when talking to this device).

This link key must be kept between sessions of Windows if users want to connect to the device again. Thus, a history of all connected Bluetooth devices is kept by the Bluetooth stack implementation (usually in the registry). If adversaries have access to a link key a computer has with, say, a cell phone, they can impersonate a user's computer, stealing personal data and phone call information, or even make some calls on behalf of that user.

Note that this type of exploit is complicated and may require some administrator privileges on the local computer. The difficulty may also depend on the specific Bluetooth stack implementation.

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.