usb
This one was a set of registry hives. We were asked to find malicious flash drive details. We created a new VM and renamed a USB key to something unique. Then we plugged it in and logged all writes to the VM registry. This told us what keys Windows would store about the drive after it was removed. We found that HKEY_LOCAL_MACHINE\software\Microsoft\Windows Portable Devices\Devices\ contained all the information we needed. We saw the string ‘pr0n33r’ in one of the drives, so we guessed this was the right drive. Gathering all the data from this registry entry, we obtain the key:
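As an added example (not code from the original write-up), the lookup described above can be reproduced in Python over a text export of the Windows Portable Devices key. The sample export is constructed, and the subkey-name layout (`...USBSTOR#DISK&VEN_..&PROD_..&REV_..#<instance>#`), the vendors, serials and function names are assumptions for illustration; only the registry path and the ‘pr0n33r’ label come from the write-up.

```python
import re

# Constructed sample: .reg-style text export of the key named in the write-up.
# Vendors, products, serials and the "BACKUP" label are invented.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices\Devices\WPDBUSENUMROOT#UMB#2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_EXAMPLE&PROD_FLASH_DISK&REV_1.00#AA11BB22CC33&0#]
"FriendlyName"="BACKUP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices\Devices\WPDBUSENUMROOT#UMB#2&37C186B&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SAMPLE&PROD_STICK&REV_2.10#6&1A2B3C4D&0#]
"FriendlyName"="pr0n33r"
'''

KEY_RE = re.compile(r'^\[.*\\Windows Portable Devices\\Devices\\(?P<dev>[^\]\\]+)\]$', re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Assumed key-name layout: ...USBSTOR#DISK&VEN_x&PROD_y&REV_z#<instance id>#
USBSTOR_RE = re.compile(
    r'USBSTOR#DISK&VEN_(?P<vendor>[^&#]*)&PROD_(?P<product>[^&#]*)'
    r'&REV_(?P<rev>[^&#]*)#(?P<instance>[^#]+)#', re.I)

def parse_wpd_devices(export_text):
    """Return one dict per device subkey, with FriendlyName and USBSTOR fields."""
    devices, current = [], None
    for line in (raw.strip() for raw in export_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            current = {"key": key["dev"], "FriendlyName": None}
            usb = USBSTOR_RE.search(key["dev"])
            if usb:
                serial = usb["instance"].rsplit("&", 1)[0]  # drop trailing "&0"
                current.update(
                    vendor=usb["vendor"], product=usb["product"],
                    revision=usb["rev"], serial=serial,
                    # "&" as second character: Windows generated the ID because
                    # the device reported no serial, so it is not unique.
                    unique_serial=not (len(serial) > 1 and serial[1] == "&"))
            devices.append(current)
        elif line.startswith("["):
            current = None  # some other key: stop attributing values
        elif current is not None:
            value = VALUE_RE.match(line)
            if value and value["name"].lower() == "friendlyname":
                current["FriendlyName"] = value["data"]
    return devices

def find_by_label(devices, label):
    """Case-insensitive match on the volume label stored as FriendlyName."""
    return [d for d in devices if (d["FriendlyName"] or "").lower() == label.lower()]

if __name__ == "__main__":
    for dev in find_by_label(parse_wpd_devices(SAMPLE_EXPORT), "pr0n33r"):
        print(dev)
```

The `unique_serial` flag matters when correlating the drive across hosts: a Windows-generated instance ID identifies the device only on the machine that produced it.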
© 2010-2011 disekt