There's More!
In addition to the basic information that PnP keeps in the registry, much more specific information can often be traced.
When synchronizing a mobile device, such as a Windows Mobile-based Pocket PC, ActiveSync (the main application used to synchronize Windows Mobile-based devices with desktops) leaves traces of when the synchronization took place, what was synchronized (e-mail, files, and the like), and more. This information lets anyone with access to the computer know which mobile devices were attached to that computer, as well as their names, versions, and so on. If users chose to synchronize files with a device, the synchronization folder can be found and the files within it accessed.
Another forensic trail can be found within emerging hardware standards. Given the imminent arrival of wireless USB and wireless FireWire, for instance, Windows is trying to keep pace by delivering standard drivers to new ports.
However, before a device stack is added to the OS, different manufacturers ship their own implementations of it. Before Microsoft added Bluetooth support to Windows XP SP2, for example, many implementations were popular in the market. These implementations will probably be obsolete in a few years.
Bluetooth Footsteps
Other examples of device-related forensic information can be found when different driver stacks are used for Bluetooth. One such driver stack comes with Windows XP SP2 and is written by Microsoft; another popular driver stack is Broadcom's Bluetooth driver stack (www.broadcom.com/products/Bluetooth). A Bluetooth device is connected to a computer through a pairing process. During pairing, users might be asked to enter a PIN on both the computer and the associated device. After this process, the computer can interact with the device because the two share a link key that is specific to this computer when talking to this device.
This link key must persist between Windows sessions if users want to connect to the device again. Thus, a history of all connected Bluetooth devices is kept by the Bluetooth stack implementation (usually in the registry). If adversaries have access to the link key a computer shares with, say, a cell phone, they can impersonate the user's computer, stealing personal data and phone call information, or even making calls on behalf of that user.
Note that this type of exploit is complicated and may require some administrator privileges on the local computer. The difficulty may also depend on the specific Bluetooth stack implementation.
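For an examiner, the same stored history serves as an inventory of pairings to review and revoke. The following is an added example, not code from the original text: it parses a constructed registry text export and lists paired devices, reporting only whether a link key is stored and never its bytes. The BTHPORT key path is an assumption about the Microsoft stack (the text above does not name the location), and the addresses, names and key bytes in the sample are made up.

```python
import re

# Assumption: location used by the Microsoft stack; it is not given in the text
# above, and other vendors' stacks store pairings elsewhere.
BASE = "\\services\\bthport\\parameters\\"

# Constructed sample of a registry text export; addresses and key bytes are made up.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Devices\001122aabbcc]
"Name"=hex:50,68,6f,6e,65,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Devices\00a0c6ddeeff]
"Name"=hex:48,65,61,\
  64,73,65,74,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002723344ff]
"001122aabbcc"=hex:00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff
'''

def fmt_addr(hex12):
    """Render 12 hex digits as a colon-separated Bluetooth address."""
    return ":".join(hex12[i:i + 2] for i in range(0, 12, 2)).upper()

def paired_devices(export_text):
    """Return {address: {"name", "link_key_stored", "local_adapter"}}.

    Link key bytes are never returned, only whether a 16-byte key is present.
    """
    text = re.sub(r"\\\r?\n\s*", "", export_text)  # join wrapped hex values
    devices, section = {}, ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # remember the current key path
            continue
        m = re.match(r'^"([^"]+)"=hex:([0-9a-fA-F,]*)$', line)
        _, _, tail = section.partition(BASE)
        kind, _, sub = tail.partition("\\")  # "devices" or "keys", then address
        if not m or kind not in ("devices", "keys"):
            continue
        value_name, data = m.group(1), bytes.fromhex(m.group(2).replace(",", ""))
        addr = fmt_addr(sub if kind == "devices" else value_name)
        entry = devices.setdefault(
            addr, {"name": None, "link_key_stored": False, "local_adapter": None})
        if kind == "devices" and value_name.lower() == "name":
            entry["name"] = data.rstrip(b"\x00").decode("utf-8", "replace")
        elif kind == "keys" and len(data) == 16:
            entry["link_key_stored"] = True
            entry["local_adapter"] = fmt_addr(sub)
    return devices
```

A device that appears with `link_key_stored` set is one whose pairing should be removed and re-established on both ends if the computer is suspected of compromise.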