Hak5 isn't your ordinary tech show. It's hacking in the old-school sense, covering everything from network security, open source and forensics, to DIY modding and the homebrew scene. Damn the warranties, it's time to Trust your Technolust. In this episode, see how to track a USB device.
In this episode Peter Giannoulis joins us from TheAcademyPro.com. Chris Gerling is back in studio talking about USB Device Tracking. And Matt is building the new HakHouse firewall/router with PFsense. Plus a ton of haksnax to get your grub on.
USB Device Tracking
If you've ever used a USB storage device and wondered how stealthy you can be with them, you're in for a scare. Windows XP logs pretty much everything you'd want to know about that USB key in the registry each time it's plugged in and written to.
When you plug in your USB drive, the Plug and Play manager gets notified and queries the device descriptor in the firmware for information about the device. This helps it locate a driver, which is referenced in the %SystemRoot%/inf folder by various .inf files. Once the device is identified and a driver selected, the information is dropped into HKEY_LOCAL_MACHINESystemCurrentControlSetEnumUSBSTOR with a format similar to Disk&Ven_###&Prod_###&Rev_### which will identify the device ID, manufacturer and more. An important number you will find here is the ParentID prefix, which I did not actually say during the segment but this is something that will appear in virtually every registry entry regarding the device.
Microsoft uses serial numbers on the devices to distinguish between devices with the same manufacturer or model. In the case that the serial number is not unique (or even not present), the PnP manager will create a unique instance ID for the device.
Search Hak5 on WonderHowTo for more tech episodes from this Revision3 show.