It’s about time to do some real blogging. The item of discussion: MTP and PTP enabled USB devices in Windows.
I’m planning on making this topic a series of posts as it includes a lot of information, but in the end, it will be summarized nicely.
Let me begin by saying that I have been doing research over the past six months, so everything is still a work in progress. Currently, there appears to be a lack of resources available for MTP and PTP devices as it relates to digital forensics and investigations, so I thought it would make a good topic for discussion, input and feedback for the forensic community. Some items that I wanted to address in my research were:
- What are MTP and PTP enabled devices, and how do their functionality and interaction with Windows differ from Mass Storage Class (MSC) devices?
- How are registry keys enumerated when MTP and PTP devices are inserted into a system?
- What artifacts are left behind as a result of different types of user interaction, such as:
  - One-time or repeated insertions of the device
  - Utilizing vendor-specific software and drivers to access a device
  - Copying files and folders to or from a device
  - Opening files directly from a device
  - Traversing directories on a device
- How can an investigator determine if data exfiltration has taken place, or if a device of interest has been inserted into the system?
- Are current forensic tools capturing information correctly for MTP and PTP devices?
I will attempt to address each of these in upcoming blog posts, but for the next one, I will cover the basics of MTP (Media Transfer Protocol), PTP (Picture Transfer Protocol) and MSC (Mass Storage Class).