Gathering Information Remotely
There are numerous methods to gather the information we've discussed. If you have physical access to a computer, you can use the registry editor included in Windows or tools that read this information from the local registry.
You might choose to utilize a tool (such as Safend Protector) that gathers information on all connected devices and sends a log to a central repository. The tool enforces an organization's policy and records all users' activities regarding external and internal device operations.
If an administrator needs to gather device forensics information without running special code on the scanned computer, and does not want to visit each machine physically, services that run on the OS by default can be used instead. Such services include the Remote Registry service, file and print sharing, and the RPC service. To interact with the scanned computer over these services, several subsets of the Windows API can be used.
One such subset is the Setup API. Among other capabilities, this API can enumerate devices on a local or remote computer, disable or enable devices, and install device drivers for them. A security tool can use it to reach the PnP manager on the scanned computer remotely and receive a list of every device that was ever installed, not only those currently plugged in; see Example 1.
Example 1:

#include <windows.h>
#include <setupapi.h>
#pragma comment(lib, "setupapi.lib")

#define BUFFER_SIZE 1024

// Defined elsewhere in the original tool (not shown): queries further properties
void ExtractMoreInfo(HDEVINFO deviceClassInfo, PSP_DEVINFO_DATA deviceData);

DWORD EnumerateRemoteUsbDevices(void)
{
    // Get access to all USB devices on remote machine. Without DIGCF_PRESENT,
    // devices that are not currently attached are included as well.
    HDEVINFO deviceClassInfo = SetupDiGetClassDevsExA(
        NULL, "USB", NULL, DIGCF_ALLCLASSES, NULL, "192.168.24.81", NULL);
    if (deviceClassInfo == INVALID_HANDLE_VALUE)
        return GetLastError();

    SP_DEVINFO_DATA deviceData;
    deviceData.cbSize = sizeof(SP_DEVINFO_DATA); // required before SetupDiEnumDeviceInfo
    BYTE buffer[BUFFER_SIZE];
    DWORD regType = 0, size = 0;
    DWORD index = 0;

    // Enumerate devices
    while (SetupDiEnumDeviceInfo(deviceClassInfo, index, &deviceData)) {
        // Get device's Hardware ID into buffer. An example
        // for information that can be gathered (a REG_MULTI_SZ list)
        if (SetupDiGetDeviceRegistryPropertyA(deviceClassInfo, &deviceData,
                SPDRP_HARDWAREID, &regType, buffer, BUFFER_SIZE, &size)) {
            // buffer now holds IDs such as USB\VID_xxxx&PID_yyyy
        }
        // Gather more information about the device
        ExtractMoreInfo(deviceClassInfo, &deviceData);
        ++index;
    }

    SetupDiDestroyDeviceInfoList(deviceClassInfo);
    return ERROR_SUCCESS;
}
Furthermore, the API provides a means of investigating connected devices in more depth. Using the CM (configuration manager) routines, the older API that Setup API is intended to replace, on connected devices, a tool can find out which device is connected to which port and how many disks a storage device exposes (smart memory cards such as U3 contain two "children": one is a read/write disk and the other is reported as a CD-ROM). This is live device-tree information: it is only available while the device is attached, and cannot be retrieved after the Windows session ends.
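The parent/child walk that the CM routines provide can be seen with the PnpDevice cmdlets, which sit on top of the same PnP manager (they exist on Windows 8 / Server 2012 and later, so they are newer than the versions this article targets). This is an added example, not code from the article or from Safend; it runs against the local machine unless a -CimSession is supplied, and the root-hub name filter is an assumption about how the hubs are labelled.

```powershell
# Added example: walk the live PnP device tree below each present USB root hub.
# Uses the PnpDevice module (Windows 8 / Server 2012+). Run elevated for full results.
function Show-DeviceSubtree {
    param(
        [Parameter(Mandatory)][string]$InstanceId,
        [int]$Depth = 0
    )
    $dev = Get-PnpDevice -InstanceId $InstanceId -ErrorAction SilentlyContinue
    if (-not $dev) { return }

    # Class tells the story: a U3 stick shows a USB node whose children are a
    # DiskDrive and a CDROM, while a plain stick has a single DiskDrive child.
    '{0}[{1}] {2}  ({3})' -f ('  ' * $Depth), $dev.Class, $dev.FriendlyName, $dev.InstanceId

    # DEVPKEY_Device_Children is the same relation CM_Get_Child/CM_Get_Sibling walk.
    $children = (Get-PnpDeviceProperty -InstanceId $InstanceId `
                    -KeyName 'DEVPKEY_Device_Children' -ErrorAction SilentlyContinue).Data
    foreach ($child in @($children)) {
        if ($child) { Show-DeviceSubtree -InstanceId $child -Depth ($Depth + 1) }
    }
}

# Start at the hubs. -PresentOnly matters: once a device is unplugged its place
# in the tree is gone, which is why this information has to be captured live.
Get-PnpDevice -PresentOnly -Class USB |
    Where-Object { $_.FriendlyName -like '*Root Hub*' } |
    ForEach-Object { Show-DeviceSubtree -InstanceId $_.InstanceId }
```

Remove -PresentOnly and the same cmdlets still list the stale device records, but the children property of an absent device is empty: the port and child layout only exists while the device is plugged in.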
Another way to gather the information is to use WMI (Windows Management Instrumentation) classes (msdn.microsoft.com/library/). WMI is a framework for gathering information from, and exercising control over, the Windows OS. It exposes many classes, each providing information and control for a different aspect of the OS, and they can be queried locally or remotely (remote access runs over DCOM/RPC).
Using WMI to recover the trail of devices previously connected to the computer can be done with PnP-related classes, such as Win32_PnPEntity, or with the generic registry class StdRegProv, which can read and write the registry. Safend Auditor uses both the Setup API and WMI in order to get the forensics information in as many environments as possible.
Another way to gather this forensics information remotely is the Remote Registry API. The Windows API functions responsible for reading and writing the local registry (RegConnectRegistry followed by the usual RegOpenKeyEx, RegEnumKeyEx and RegQueryValueEx calls) operate seamlessly on remote machines as long as the Remote Registry service is running there, effectively offering a good way to read all desired information remotely.
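The WMI route of the previous paragraph (Win32_PnPEntity and StdRegProv) and the Remote Registry API of this one, side by side, reading the same USBSTOR trail from a remote machine. This is an added example, not the article's or Safend's code; 'target-pc' is a placeholder host name, and the three functions are written for this example.

```powershell
# Added example: three agentless, inbound-RPC ways to read the USB storage trail
# from HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR on a remote machine.
# 'target-pc' is a placeholder; the caller must be a local administrator there.
$ComputerName = 'target-pc'
$UsbStorPath  = 'SYSTEM\CurrentControlSet\Enum\USBSTOR'

# 1. WMI over DCOM: the PnP manager's own view, filtered to USB-enumerated devices.
function Get-UsbPnpEntity {
    param([string]$Computer)
    Get-WmiObject -Class Win32_PnPEntity -ComputerName $Computer |
        Where-Object { $_.DeviceID -like 'USB*' } |       # USB\VID_... and USBSTOR\...
        Select-Object Name, Manufacturer, DeviceID, Status
}

# 2. WMI StdRegProv: raw registry reads over the WMI channel, so it works even
#    where the Remote Registry service is disabled.
function Get-UsbStorViaStdRegProv {
    param([string]$Computer)
    $HKLM = [uint32]2147483650                        # HKEY_LOCAL_MACHINE
    $reg  = [wmiclass]"\\$Computer\root\default:StdRegProv"
    foreach ($model in @($reg.EnumKey($HKLM, $UsbStorPath).sNames)) {
        if (-not $model) { continue }
        # $model looks like Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00
        foreach ($serial in @($reg.EnumKey($HKLM, "$UsbStorPath\$model").sNames)) {
            if (-not $serial) { continue }
            [pscustomobject]@{
                Model        = $model
                Serial       = $serial                # device serial, or a generated id ending in &0
                FriendlyName = $reg.GetStringValue($HKLM, "$UsbStorPath\$model\$serial", 'FriendlyName').sValue
                Via          = 'StdRegProv'
            }
        }
    }
}

# 3. Remote Registry API (winreg over RPC): needs the Remote Registry service
#    running on the target. OpenRemoteBaseKey is the .NET wrapper for RegConnectRegistry.
function Get-UsbStorViaRemoteRegistry {
    param([string]$Computer)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
    try {
        $root = $hive.OpenSubKey($UsbStorPath)
        if (-not $root) { return }
        foreach ($model in $root.GetSubKeyNames()) {
            $modelKey = $root.OpenSubKey($model)
            foreach ($serial in $modelKey.GetSubKeyNames()) {
                $devKey = $modelKey.OpenSubKey($serial)
                [pscustomobject]@{
                    Model        = $model
                    Serial       = $serial
                    FriendlyName = $devKey.GetValue('FriendlyName')
                    Via          = 'RemoteRegistry'
                }
            }
        }
    } finally { $hive.Close() }
}

Get-UsbPnpEntity             -Computer $ComputerName | Format-Table -AutoSize
Get-UsbStorViaStdRegProv     -Computer $ComputerName | Format-Table -AutoSize
Get-UsbStorViaRemoteRegistry -Computer $ComputerName | Format-Table -AutoSize
```

All three depend on the target accepting inbound RPC/DCOM from the auditor and on the auditor holding local administrator rights there; a host firewall that blocks those ports, or a laptop that is off the network, defeats every one of them, which is the weakness the next paragraph discusses.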
All of these methods share an inherent flaw: they rely on inbound communications, such as RPC calls, to gather information remotely. The target has to be powered on and reachable, its host firewall must allow the traffic, and the caller needs administrative credentials on every machine. An alternative for auditing device forensics across an organization is to run a local audit from a domain startup or logon script: when the computer starts, or a user logs on, while connected to the domain, an application runs, collects all the forensics data from the local computer, and sends it to a central repository.
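A local audit of the kind described here, written as an added example rather than code from the article or from Safend: it reads the USB trail from the local registry, so the client never has to accept an inbound connection, and pushes the result outbound to a share. The share path \\auditsrv\usbaudit$, the spool directory and the function names are assumptions for the example.

```powershell
# Added example: local USB-trail audit meant to run from a domain startup or
# logon script. No inbound RPC to the client; results are pushed outbound.
# \\auditsrv\usbaudit$ and the spool directory are placeholders.
$Repository = '\\auditsrv\usbaudit$'
$Spool      = Join-Path $env:ProgramData 'UsbAudit\spool'

function Get-LocalUsbTrail {
    $paths = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR',
             'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'
    foreach ($path in $paths) {
        # Layout is Enum\<bus>\<hardware id>\<instance id>, so walk two levels.
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $hwKey = $_
            Get-ChildItem -Path $hwKey.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
                [pscustomobject]@{
                    Computer     = $env:COMPUTERNAME
                    Bus          = Split-Path $path -Leaf          # USBSTOR or USB
                    HardwareId   = $hwKey.PSChildName               # Disk&Ven_...&Prod_... or VID_...&PID_...
                    InstanceId   = $_.PSChildName                   # serial number or generated id
                    FriendlyName = $_.GetValue('FriendlyName')
                    Service      = $_.GetValue('Service')           # driver bound to the device
                }
            }
        }
    }
}

function Export-UsbTrail {
    param([object[]]$Records)
    $name  = '{0}_{1:yyyyMMddTHHmmss}Z.json' -f $env:COMPUTERNAME, (Get-Date).ToUniversalTime()
    New-Item -ItemType Directory -Path $Spool -Force | Out-Null
    $local = Join-Path $Spool $name
    $Records | ConvertTo-Json -Depth 3 | Set-Content -Path $local -Encoding UTF8

    # Push everything spooled, including earlier runs that could not reach the
    # share (laptops off the network), so no audit is lost.
    if (Test-Path $Repository) {
        Get-ChildItem -Path $Spool -Filter '*.json' | ForEach-Object {
            Move-Item -Path $_.FullName -Destination $Repository -Force
        }
    }
}

Export-UsbTrail -Records (Get-LocalUsbTrail)
```

A startup script runs as SYSTEM, so the share has to grant the domain's computer accounts the right to create files; grant only create and append, not modify or read of other machines' files, so that a client that has been tampered with cannot rewrite another computer's records.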
Conclusion
While we've focused on Windows 2000/XP/2003/Vista in this article, similar results may be found in operating systems such as Linux, Mac OS X, and Windows 9x, among others. It is important to note that device forensics has its limitations. Some devices connect to the computer through USB or other ports but do not interact with it; they often just use the computer as a power source, a USB phone charger, for instance. Such devices leave no traces in the OS because they never interact with it. Another drawback to device forensics is that data in the registry can be forged: if someone wants to incriminate a user, the registry can be edited and device connection data added, so a registry trail should be corroborated with other evidence before conclusions are drawn from it.