Connection Event IDsWhen a USB removable storage device is connected to a Windows 7 system, a number of event records should be generated in the Microsoft-Windows-DriverFrameworks-UserMode/Operational event log. The records include those with Event ID 2003, 2004, 2005, 2010, 2100, 2105, and more. Some of the generated event records contain identifying information about the USB device that was connected. For example, when viewing an event record with Event ID 2003 using the Windows Event Viewer, the event information below is displayed.
|Connection Event Record|
Disconnection Event IDs
When a USB thumb drive is disconnected from a Windows 7 system, a few event records should be generated in the same event log as the connection events. Records with Event ID 2100, 2102, and potentially more may be generated when a USB device is disconnected. Variables such as whether there is another USB removable storage device still connected to the system at the time a USB device is disconnected can dictate which event records are generated and which are not. Some records, however, appear to be more consistent. For example, it appears that an event record with Event ID 2100 and the text "Received a Pnp or Power operation (27, 23) for device <deviceInfo>" is consistently generated when a USB removable storage device is disconnected from a system. In addition, the same event record should contain the device's serial number/Windows unique identifier that can be mapped to a device. An example of some of the information available from a disconnection event record with Event ID 2100 can be seen in the screenshot below.
|Disconnection Event Record|
LifetimeID ValueThe LifetimeID value associated with a USB device's connection session is an interesting piece of information. This GUID value is assigned to a UMDF (User Mode Driver Framework) host when a USB device is connected and should remain the same throughout the connection "lifetime" of the device. In other words, an examiner should be able to match the LifetimeID written to a device's connection event records with the LifetimeID written to the device's disconnection event records in order to tie a particular disconnection event with its associated connection event.
This is simple enough when a single USB device is used, however, when multiple USB devices are used at once, they appear to all use the same UMDF host and are all assigned the same LifetimeID. This means that a LifetimeID value cannot be tied to a single USB device, but it appears that it can be used to correlate device connections and disconnections on a per-session basis.
|LifetimeID from Disconnection Event Record|
In addition to being used to determine the length of a USB device's connection session via the Windows Event Log, the LifetimeID value may play an interesting and useful role in determining the time a USB device was last disconnected from the system, based on the LastWrite time of a registry subkey. I'll forego this discussion for now since this post is focused on event records, but will revisit this topic later.
Automating the process of identifying connection and disconnection event records can really allow the power of utilizing the Windows Event Log in USB analysis to shine. While entirely possible, it would be a tedious process to manually analyze the Windows Event Log for USB connection/disconnection events. Microsoft Log Parser is a great tool for processing the Event Log in this manner. Given that event records associated with a device's connection and disconnection will contain identifying information as well as a timestamp, it's just a matter of isolating the event records associated with connection and disconnection and parsing portions of the strings section of the record. For example, the Log Parser query below returns all event records with Event ID 2003 (connect) or 2100 (disconnect) as long as the device serial number/Windows unique identifier ("1372995DDDCB6185180CDB&0" in this case) is contained in the Strings portion of the event record and, in the case of a disconnection event, the text "27|23" is also in the Strings portion.As with other event logs, event records in the Microsoft-Windows-DriverFrameworks-UserMode/Operational event log eventually roll over, leaving the examiner with a limit on how far back in time he or she can go. However, utilizing VSCs can allow an examiner to squeeze a bit more out of this approach and ultimately build a very telling history of USB device connection and disconnection events.
If you want to clean up the output and add a bit more information, you can use the Log Parser query below (replacing "1372995DDDCB6185180CDB&0" with the USB serial number/Windows unique identifier you're interested in).
As you can see, Log Parser dramatically reduces the leg work involved in analyzing event records for USB connection and disconnection events. Moreover, Log Parser queries can easily be incorporated into a batch script that allows the examiner to input the device serial number he or she is interested in to quickly identify the connection and disconnection events associated with the device. The LifetimeID value can then be used match associated connection and disconnection events.
logparser -i EVT -o datagrid "SELECT EventID, TimeGenerated FROM Microsoft-Windows-DriverFrameworks-UserMode-Operational.evtx WHERE (EventID=2003 AND STRINGS Like '%1372995DDDCB6185180CDB&0%') OR (EventID=2100 AND STRINGS LIKE '%1372995DDDCB6185180CDB&0%27|23%')"
|Output of Log Parser query above|
logparser -i EVT -o datagrid "SELECT CASE EventID WHEN 2003 THEN 'Connect' WHEN 2100 THEN 'Disconnect' END As Event, TimeGenerated as Time, '1372995DDDCB6185180CDB&0' as DeviceIdentifier, EXTRACT_TOKEN(Strings,0,'|') as LifetimeID FROM Microsoft-Windows-DriverFrameworks-UserMode-Operational.evtx WHERE (EventID=2003 AND STRINGS Like '1372995DDDCB6185180CDB&0%') OR (EventID=2100 AND STRINGS LIKE '1372995DDDCB6185180CDB&0%27|23%')"
|Output of Log Parser query above|