In the previous post of this series, I talked about the objectives and reasoning for approaching this angle of USB device research. Today I will be going over the three major USB transfer protocols. Emphasis will be placed on the following:
- Basic information about each
- Windows versions they are supported in
- Windows services that support them
- Basic Windows enumeration information
- Relevance of each from a forensics standpoint
USB Mass Storage Class
Most of the forensic research and information for inserted USB devices has focused on MSC devices. Classic examples of these devices include: external drives, thumb/flash drives, and MP3 players. Within Windows, MSC devices are supported in Windows 2000 and onward.
MSC is a transport protocol that exposes a device’s storage as a block device: the host reads and writes raw sectors, and Windows mounts the volume as removable media. Because access is at the physical (sector) level, opening a mounted partition in a hex editor shows every area of the filesystem, including unallocated space and slack, which is why the usual disk-forensics techniques apply directly to MSC devices.
For MSC devices with embedded operating systems such as cameras, smart phones, tablets and MP3 players, the storage area or partition must first be unmounted from within the device’s OS before it can be enumerated or mounted in Windows. A block device can have only one owner of its filesystem at a time, so the device gives up the storage area while the host has it mounted.
An MSC device mounted in Windows XP appears in Windows Explorer under “Devices with Removable Storage”, and is assigned the next available drive letter.
With Android phones, before the release of Ice Cream Sandwich (Android 4.0), phones were more likely to use MSC as their transport protocol. With Ice Cream Sandwich and later, MTP (Media Transfer Protocol) has become the standard transfer protocol used.
For Apple devices, the only device that natively supports MSC mode is the iPod. When connected to a computer running Windows XP, the device gets mounted in Windows Explorer under “Devices with Removable Storage” and is assigned a drive letter, just like an external drive. It is then fully accessible for the user to copy files to and from the device. The iPhone and iPad, however, do not natively support this feature. Although third-party software is available to enable MSC access, I have not tested it.
Blackberry devices also natively support MSC mode, although the option may be disabled by default; it can be enabled from within the device itself. From personal testing, Windows sometimes has problems recognizing Blackberry devices. This results in either the device not being mounted correctly in Windows, or it being mounted as a PTP (Picture Transfer Protocol) device. In either case, transferring data to the device will likely not be supported, something to keep in mind if you are investigating a case where a Blackberry was attached to a system. The setupapi.log in Windows XP, or setupapi.dev.log in Windows 7, will give clues as to whether or not the device and associated drivers were successfully recognized and installed.
The reasons for failed installs of Blackberry or similar devices are usually that vendor-specific drivers are not present on the system. When this is the case, Windows assigns a generic parent driver to the device. I will cover the details of why and how this occurs in a later post.
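The setupapi.log clues mentioned above are easiest to act on when the log is parsed rather than read by eye. The following is an added example, not code from the original post: a small Python parser that splits an XP-style setupapi.log into one record per driver install, reads the compatible IDs Windows searched for, and maps them to MSC, PTP or MTP. The log lines are constructed to mimic the XP format (the `#-018`, `#-019`, `#I022`, `#I121` and `#E…` prefixes are assumed from that format and should be checked against a real log), and the protocol mapping assumes Windows’ own compatible-ID conventions: `USB\Class_08…` for mass storage, `USB\Class_06&SubClass_01&Prot_01` for still image (PTP) and `USB\MS_COMP_MTP` for MTP. The third install in the sample shows the failure mode discussed above: a vendor-specific interface class with no matching driver, so no storage is ever mounted.

```python
r"""Added example (not part of the original post): classify USB device installs
recorded in a Windows XP setupapi.log by the compatible IDs Windows searched for.

Assumptions (also flagged in the comments below):
  * the #-019 / #-018 / #I022 / #I121 / #E... line patterns follow the XP
    setupapi.log format; verify them against a real log before relying on them;
  * compatible-ID conventions are Windows' own: USB\Class_08... for mass
    storage, USB\Class_06&SubClass_01&Prot_01 for still image (PTP) and
    USB\MS_COMP_MTP for MTP.
"""
import re

# Constructed sample log (not captured from a real system): a thumb drive (MSC),
# a phone that enumerated as MTP, and a device whose install failed because no
# driver matched its vendor-specific interface class.
SAMPLE_LOG = r"""
[2012/03/05 09:12:41 1532.19 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_0781&pid_5406&rev_0100,usb\vid_0781&pid_5406
#-018 Searching for compatible ID(s): usb\class_08&subclass_06&prot_50,usb\class_08&subclass_06,usb\class_08
#I022 Found "USB\Class_08&SubClass_06&Prot_50" in C:\WINDOWS\inf\usbstor.inf; Device: "USB Mass Storage Device"; Driver: "USB Mass Storage Device"; Provider: "Microsoft"; Mfg: "Compatible USB storage device"; Section name: "USBSTOR_BULK".
#I121 Device install of "USB\VID_0781&PID_5406\0123456789ABCDEF" finished successfully.
[2012/03/05 09:40:02 1532.20 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_04e8&pid_6860&rev_0216,usb\vid_04e8&pid_6860
#-018 Searching for compatible ID(s): usb\ms_comp_mtp,usb\class_06&subclass_01&prot_01,usb\class_06&subclass_01,usb\class_06
#I022 Found "USB\MS_COMP_MTP" in C:\WINDOWS\inf\wpdmtp.inf; Device: "MTP Device"; Driver: "MTP Device"; Provider: "Microsoft"; Mfg: "Microsoft"; Section name: "Basic_Install".
#I121 Device install of "USB\VID_04E8&PID_6860\4DF1A2B3C4D5" finished successfully.
[2012/03/05 10:05:33 1532.21 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_0fca&pid_8004&rev_0001,usb\vid_0fca&pid_8004
#-018 Searching for compatible ID(s): usb\class_ff&subclass_01&prot_01,usb\class_ff&subclass_01,usb\class_ff
#W059 Selecting best compatible driver failed. Error 0xe0000228: There are no compatible drivers for this device.
#E154 Class installer failed. Error 0xe0000228: There are no compatible drivers for this device.
"""

# Line patterns assumed from the XP setupapi.log format.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) [\d.]+ Driver Install\]")
HWIDS = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")
COMPAT = re.compile(r"^#-018 Searching for compatible ID\(s\): (.+)$")
FOUND = re.compile(r'^#I022 Found "([^"]+)" in ([^;]+);')
DONE = re.compile(r'^#I121 Device install of "([^"]+)" finished successfully\.')
ERROR = re.compile(r"^#E\d{3} (.+)$")

# Order matters: an MTP device also advertises the still-image (PTP) compatible
# ID, so the more specific MTP match is tested first.
PROTOCOL_PATTERNS = [
    (re.compile(r"^usb\\ms_comp_mtp$", re.I), "MTP"),
    (re.compile(r"^usb\\class_06&subclass_01&prot_01$", re.I), "PTP"),
    (re.compile(r"^usb\\class_08(&|$)", re.I), "MSC"),
]


def classify_compatible_ids(ids):
    """Map the compatible IDs Windows searched for to MSC / PTP / MTP."""
    cleaned = [i.strip() for i in ids]
    for pattern, protocol in PROTOCOL_PATTERNS:
        if any(pattern.match(i) for i in cleaned):
            return protocol
    return "unknown (vendor-specific class or no compatible ID)"


def parse_setupapi_log(text):
    """Split an XP-style setupapi.log into one record per Driver Install section."""
    installs, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"time": m.group(1), "hardware_ids": [], "compatible_ids": [],
                       "inf": None, "instance_id": None, "success": False, "errors": []}
            installs.append(current)
            continue
        if current is None:
            continue  # text before the first section header
        m = HWIDS.match(line)
        if m:
            current["hardware_ids"] = m.group(1).split(",")
            continue
        m = COMPAT.match(line)
        if m:
            current["compatible_ids"] = m.group(1).split(",")
            continue
        m = FOUND.match(line)
        if m:
            current["inf"] = m.group(2).strip()  # INF that matched, e.g. usbstor.inf
            continue
        m = DONE.match(line)
        if m:
            current["instance_id"], current["success"] = m.group(1), True
            continue
        m = ERROR.match(line)
        if m:
            current["errors"].append(m.group(1))
    return installs


def summarize(text):
    """One (time, device id, protocol, outcome) tuple per install, for triage."""
    rows = []
    for rec in parse_setupapi_log(text):
        # A failed install never logs an instance ID, so fall back to the hardware ID.
        ident = rec["instance_id"] or (rec["hardware_ids"] or ["?"])[0]
        outcome = "installed" if rec["success"] else "FAILED: " + "; ".join(rec["errors"])
        rows.append((rec["time"], ident, classify_compatible_ids(rec["compatible_ids"]), outcome))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(" | ".join(row))
```

The summary rows are what an examiner wants at triage time: when the device was attached, which protocol Windows actually bound it to, and whether the install succeeded. A Blackberry that fell back to PTP, or a vendor-specific device with no driver, shows up as exactly that rather than as the MSC device the owner might claim it was.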
- Wikipedia: Mass Storage Class
- Microsoft: Removable and USB Storage Devices
- USB.org: USB MSC Overview
Picture Transfer Protocol
PTP is a widely supported protocol standardized by the International Imaging Industry Association (PIMA 15740, later ISO 15740). It allows the transfer of images and videos from PTP-enabled devices to computers without the need for third-party drivers. Within Windows, PTP is supported in ME and onward. Since PTP only deals with images, videos, and their associated metadata, it does not provide support for transferring other file types such as Word documents, zip archives, and so on. It’s important to note that, as implemented in Windows, PTP is effectively unidirectional: users can download or copy files from the device to the computer or another peripheral, but cannot upload or copy files to the device. (The PTP specification does define optional operations for sending objects to a device, but cameras rarely implement them and Windows’ standard interface does not expose a write path.)
Mounting of these devices in Windows occurs at a logical level: the host sees a hierarchy of objects with metadata that the device chooses to expose, not a block device, so it is not possible to see the underlying filesystem structure, unallocated space, or deleted files for these devices.
For Windows XP and earlier, WIA (Windows Image Acquisition) device manager handles functions related to PTP devices. When a USB device is attached to a computer and is classified as PTP, it becomes enumerated by WIA Device Manager, where it then appears in Windows Explorer under “Scanners and Cameras”.
In Windows Vista and later, WPD (Windows Portable Devices) is used in place of WIA. Here, when a PTP device is recognized it becomes enumerated and appears under “Portable Devices” in Windows Explorer.
Many types of devices support PTP. Some devices also use it as a fallback protocol in instances where MTP is not supported. Devices that might support this protocol include: scanners, cameras, and sometimes, smart phones and tablets.
From a forensic standpoint, evidence of a PTP device inserted on a system is of little value to a forensic examiner who is trying to determine if data exfiltration has occurred using that device, since Windows provides no path for writing files to it. However, it may be useful in cases where determining the origin of images found on a computer is important, because the device make, model and serial number recorded during enumeration can be compared against the metadata embedded in the images.
- USB.org USB Still Image Capture Device
- Microsoft: Still Image Connectivity for Windows (Windows XP and earlier)
- Microsoft: Guidelines for Picture and Video Import in Windows 7
Media Transfer Protocol
MTP was introduced by Microsoft as an extension of PTP and is an improvement over it partly in that it supports a variety of file types. This protocol emphasizes the importance of metadata associated with media files, just like PTP does with images, and is sometimes used by device vendors as a way to implement DRM. “Media Transfer Protocol” is somewhat of a misnomer, as it is not limited to media files: any type of file can be transferred to and from MTP-enabled devices.
With MSC, a device’s partition must first be unmounted from within the device before it can be mounted in Windows. With MTP, by contrast, the device’s own OS keeps ownership of its filesystem and services the host’s read and write requests at the object level, so read and write access to the storage can be shared between the computer and the device. Many devices such as MP3 players, cameras, smart phones, and tablets can be MTP enabled.
Like PTP, mounting occurs at a logical level, so it is not possible to see the underlying filesystem structure.
Within Windows, these types of devices are handled by WPD (Windows Portable Devices). MTP support is available in Windows XP with Windows Media Player 10 and in later versions of Windows.
In Windows XP, when an MTP device is attached to a computer, it becomes enumerated by WPD and appears under “Other” in Windows Explorer.
In Windows 7, an enumerated MTP device appears under “Portable Devices” in Windows Explorer.
Double-clicking the device icon displays each storage area the device exposes (for example, internal memory and an SD card); MTP presents these as separate stores rather than as mounted partitions.
From a forensics point of view, MTP devices can serve as data exfiltration points, since files can be copied to them, and should be evaluated if there is evidence that this type of device was inserted. However, not all current forensics tools can parse information related to these devices correctly: MTP and PTP devices are enumerated as portable devices rather than as USB storage, so they do not leave the USBSTOR entries that most tools key on. It is therefore important for an examiner to be knowledgeable about what registry entries and other OS artifacts are generated by these devices.
- USB.org: Media Transfer Protocol
- Microsoft: Introduction to MTP
- Microsoft: Portable Media Players for Windows Vista
In the next post of this series, we will delve into more information about how registry entry enumeration differs for PTP and MTP devices compared to MSC.