User

This process can help in pinpointing the exact user profiles that accessed or utilized the USB device, providing valuable context in investigations involving unauthorized data transfer, malware introduction, or policy violations. The identification is based on tracing the device's Volume GUID from SYSTEM\MountedDevices to user-specific settings in NTUSER.DAT.

Key Identification

Artifact Locations

  • Volume GUID Documentation: SYSTEM\MountedDevices

  • User-Specific Mount Points: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Critical Information

  • The Volume GUID from SYSTEM\MountedDevices uniquely identifies the USB device's volume as seen by the system.

  • The MountPoints2 registry key within a user's NTUSER.DAT file records all storage volumes (including USB drives) that have been accessed by that user.

Overview

Correlating USB Devices with User Profiles

The process involves two main steps: documenting the Volume GUID of the USB device and then searching for this GUID within the MountPoints2 registry key of each user profile's NTUSER.DAT file. A match indicates that the user profile was active and logged in when the USB device was connected to the system.

Analyzing The Artifact

  1. Document the Volume GUID:

    • Navigate to SYSTEM\MountedDevices and locate the entry for the USB device of interest. Note the Volume GUID associated with the device.

  2. Identify User Account Interaction:

    • For each user profile on the system, open the NTUSER.DAT file and locate the Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 key.

    • Search for the documented Volume GUID within the MountPoints2 key. A match signifies that the user accessed or interacted with the USB device.

Tools for Analysis

  • Registry Editor (regedit): For live system analysis, the Registry Editor can be used to manually navigate the HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices key and the MountPoints2 key of each loaded user hive (under HKEY_USERS, or HKEY_CURRENT_USER for the logged-on user).

  • Forensic Software: Tools like EnCase or FTK can be used to analyze offline copies of NTUSER.DAT from user profiles, allowing for the examination of MountPoints2 without affecting the live system.

  • Custom Scripts: Scripts can automate the search process, especially when analyzing multiple user profiles for the presence of a specific Volume GUID.
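The following is an added example of the custom script mentioned in the last bullet, implementing the two-step procedure above; it is not code from the original page. It works from regedit-style .reg exports of SYSTEM\MountedDevices and of each user's MountPoints2 key, so it runs offline with only the Python standard library. The exports, GUIDs, USB serial and SIDs below are constructed for illustration; in a real case the exports would come from the offline hives via regedit or a forensic tool.

```python
"""Correlate a USB Volume GUID from SYSTEM\\MountedDevices with each user's
NTUSER.DAT MountPoints2 key, using .reg exports (added example, constructed data)."""
import re
from typing import Dict, List

# MountedDevices value names that identify a volume look like \??\Volume{GUID}
USB_VOLUME_RE = re.compile(r"^\\\?\?\\Volume(\{[0-9a-f-]{36}\})$", re.IGNORECASE)


def _reg_hex(data: bytes) -> str:
    """Format bytes as regedit exports them: 'hex:' plus comma-separated bytes,
    wrapped with a trailing-backslash continuation (assumed 20 bytes per line)."""
    parts = [f"{b:02x}" for b in data]
    rows = [",".join(parts[i:i + 20]) for i in range(0, len(parts), 20)]
    return "hex:" + ",\\\n  ".join(rows)


# --- Constructed sample data (hypothetical GUIDs, serial number and SIDs) ---------
USB_GUID = "{9f1f2c3d-4e5a-4b6c-8d7e-0123456789ab}"
INTERNAL_GUID = "{11111111-2222-3333-4444-555555555555}"
# A USB volume's MountedDevices data is its UTF-16LE device interface path...
USB_DEVICE = ("_??_USBSTOR#Disk&Ven_Vendor&Prod_Flash&Rev_1.00#SERIAL000001&0"
              "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
USB_DATA = USB_DEVICE.encode("utf-16-le")
# ...while a fixed disk's is a 4-byte disk signature plus an 8-byte partition offset.
INTERNAL_DATA = bytes.fromhex("a1b2c3d4") + (0x100000).to_bytes(8, "little")

SYSTEM_MOUNTEDDEVICES_REG = f"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\MountedDevices]
"\\\\??\\\\Volume{INTERNAL_GUID}"={_reg_hex(INTERNAL_DATA)}
"\\\\??\\\\Volume{USB_GUID}"={_reg_hex(USB_DATA)}
"\\\\DosDevices\\\\E:"={_reg_hex(USB_DATA)}
"""

MP2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2"
USER_HIVES = {  # profile name -> export of that user's MountPoints2 from NTUSER.DAT
    "alice": f"""Windows Registry Editor Version 5.00

[HKEY_USERS\\S-1-5-21-1-2-3-1001\\{MP2}\\{INTERNAL_GUID}]
"BaseClass"="Drive"

[HKEY_USERS\\S-1-5-21-1-2-3-1001\\{MP2}\\{USB_GUID}]
"BaseClass"="Drive"
""",
    "bob": f"""Windows Registry Editor Version 5.00

[HKEY_USERS\\S-1-5-21-1-2-3-1002\\{MP2}\\{INTERNAL_GUID}]
"BaseClass"="Drive"
""",
}


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse a .reg export into {key_path: {value_name: value}}. Subkeys without
    values still appear; handles "string", dword: and hex: (with continuations)."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for line in re.sub(r",\\\r?\n\s*", ",", text).splitlines():  # join hex continuations
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"').replace("\\\\", "\\")  # exports escape backslashes
            if raw.startswith("hex:"):
                keys[current][name] = bytes.fromhex(raw[4:].replace(",", ""))
            elif raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            else:
                keys[current][name] = raw.strip('"').replace("\\\\", "\\")
    return keys


def usb_volume_guids(mounted_devices: Dict[str, object]) -> Dict[str, str]:
    """Step 1: return {volume_guid: device_path} for the USB volumes in MountedDevices."""
    found: Dict[str, str] = {}
    for name, data in mounted_devices.items():
        match = USB_VOLUME_RE.match(name)
        if not match or not isinstance(data, bytes):
            continue
        try:
            device = data.decode("utf-16-le")
        except UnicodeDecodeError:  # fixed-disk entries are not UTF-16 text
            continue
        if "USBSTOR#" in device.upper():
            found[match.group(1).lower()] = device
    return found


def users_with_volume(user_exports: Dict[str, str], volume_guid: str) -> List[str]:
    """Step 2: names of the profiles whose MountPoints2 has a subkey for volume_guid."""
    wanted = volume_guid.lower()
    hits = []
    for user, text in user_exports.items():
        for key in parse_reg_export(text):
            if "\\mountpoints2\\" in key.lower() and key.rsplit("\\", 1)[1].lower() == wanted:
                hits.append(user)
                break
    return sorted(hits)


def correlate(system_export: str, user_exports: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each USB Volume GUID in MountedDevices to the user profiles that reference it."""
    system = parse_reg_export(system_export)
    mounted = next((v for k, v in system.items() if k.lower().endswith("\\mounteddevices")), {})
    return {guid: users_with_volume(user_exports, guid) for guid in usb_volume_guids(mounted)}


if __name__ == "__main__":
    for guid, users in correlate(SYSTEM_MOUNTEDDEVICES_REG, USER_HIVES).items():
        print(guid, "->", ", ".join(users) or "no profile")
```

Only the `\??\Volume{GUID}` value names are used to pick the GUID; the `\DosDevices\E:` entry carries the same USBSTOR data but is skipped, since drive letters are reused and the GUID is the stable identifier to search for in each hive. An empty user list for a GUID means the device was mounted while no profile's Explorer recorded it, which is worth noting in the report rather than treating as an error.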
