Part 1: USB Device Research

Hello All,

It’s about time to do some real blogging. Topic of discussion: MTP- and PTP-enabled USB devices in Windows.

I’m planning on making this topic a series of posts, as it covers a lot of information, but in the end it will be summarized nicely.

Let me begin by saying that I have been doing research over the past six months, so everything is still a work in progress. Currently there appears to be a lack of resources available on MTP and PTP devices as they relate to digital forensics and investigations, so I thought it would make a good topic for discussion, input and feedback from the forensic community. Some items that I wanted to address in my research were:

  • What are MTP- and PTP-enabled devices, and how do their functionality and interaction with Windows differ from Mass Storage Class (MSC) devices?
  • How are registry keys enumerated when MTP and PTP devices are inserted into a system?
  • What artifacts are left behind as a result of different types of user interaction, such as:
    • One-time or repeated insertions of the device
    • Utilizing vendor-specific software and drivers to access a device
    • Copying files and folders to or from a device
    • Opening files directly from a device
    • Traversing directories on a device
  • How can an investigator determine if data exfiltration has taken place, or if a device of interest has been inserted into the system?
  • Are current forensic tools capturing information correctly for MTP and PTP devices?

I will attempt to address each of these in upcoming blog posts. In the next one, I will cover the basics of MTP (Media Transfer Protocol), PTP (Picture Transfer Protocol) and MSC (Mass Storage Class).

Stay tuned…

Nicole Ibrahim
