Plug-and-Play Forensics
Plug-and-Play (PNP) is the part of Windows responsible for managing device drivers. One of PNP's central functions is to find an appropriate driver for each connected device. To do this, when a device is attached to the computer, PNP queries the port (bus) driver for the IDs of the newly connected device; see Table 2. Using these IDs, PNP determines whether it has encountered this particular device before by looking up the device's Device Instance ID in a database of previously connected devices. If the device is found there, Windows loads the driver that was previously assigned to it.
If no such record exists, PNP searches all known .INF files for a driver that handles the device's Hardware ID or, failing that, one of its Compatible IDs. Once it finds a matching .INF file, PNP loads the driver and writes the device's information into the database. If none of its .INF files lists the device's IDs, PNP prompts the user with the "Add new hardware" wizard.
Our interest here is in the database of previously connected devices. It holds information on every device ever connected to the computer: its Hardware IDs, Compatible IDs, Device Instance ID, the driver associated with it, and the Windows device class it belongs to (the class shown in Device Manager: display adapters, disk drives, and the like). Some devices also supply a human-readable description of themselves; for instance, "Nokia Connectivity Cable DKU-5" for a cable that connects certain Nokia cell phones over USB.
A further interesting piece of information is which port of the computer the device was connected to. Was it at the front of the computer or the back? Was there another hub in between? For some devices these answers are recoverable. Counterintuitively, the devices that can be tracked this way are the ones without a unique ID. For USB, when Windows builds a unique identifier for a device, it asks the device for a serial number. If the device reports one, that serial number, combined with the Hardware ID, forms the Device Instance ID. If no serial number is reported, Windows generates the instance part of the ID from the exact location at which the device was attached (the hub and port), so the same device plugged into a different port is recorded as a new instance. A generated instance ID is recognizable by an ampersand as its second character (for example, an instance part of the form 6&1a2b3c4d&0&3), whereas a serial-number-based instance ID carries the serial number itself.
By default, this database is readable by all users of the computer. It is stored in the registry under HKLM\SYSTEM\CurrentControlSet\Enum, with one subtree per enumerator (USB, USBSTOR, PCI, and so on), a key per hardware model, and a key per device instance beneath that. Windows also exposes it through the SetupAPI functions (SetupDiGetClassDevs, SetupDiEnumDeviceInfo, SetupDiGetDeviceInstanceId, SetupDiGetDeviceRegistryProperty), which give programmatic access to the same records.
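As an added illustration, not code from the original article, the following PowerShell script walks that database for the USB and USBSTOR enumerators and lists, for each recorded device instance, the Device Instance ID, Hardware and Compatible IDs, class, description, driver, and the hub/port location when the bus driver recorded one. It also applies the ampersand test described above to tell serial-number-based instance IDs from ones Windows generated from the attachment location. The registry path and value names used (HardwareID, CompatibleIDs, Class, DeviceDesc, FriendlyName, Driver, Service, LocationInformation) are the standard ones; the function names are this example's own.

```powershell
# Added example: enumerate the PnP device history under the Enum key and
# report every USB / USBSTOR device instance Windows has ever installed.
# Assumptions: Windows, PowerShell 5.1 or later. The Enum key is readable by
# ordinary users by default, so no elevation is needed for the values read
# here. Per-instance "Properties" subkeys are ACL'd to SYSTEM; this script
# never descends into them.

$enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum'

function ConvertFrom-IndirectString {
    param([string]$Value)
    # Vista and later often store descriptions as "@file.inf,%token%;Fallback";
    # the text after the last ';' is the readable fallback.
    if ($Value -and $Value.StartsWith('@') -and $Value.Contains(';')) {
        return $Value.Substring($Value.LastIndexOf(';') + 1)
    }
    return $Value
}

function Get-UsbDeviceHistory {
    param(
        # USB holds the interface-level records; USBSTOR holds the disk
        # records that mass-storage devices additionally create.
        [string[]]$Enumerators = @('USB', 'USBSTOR')
    )

    foreach ($enum in $Enumerators) {
        $enumPath = Join-Path $enumRoot $enum
        if (-not (Test-Path $enumPath)) { continue }

        # Level 1: one key per hardware model (VID_xxxx&PID_yyyy, or
        # Disk&Ven_...&Prod_...&Rev_... under USBSTOR).
        foreach ($model in Get-ChildItem -Path $enumPath -ErrorAction SilentlyContinue) {
            # Level 2: one key per device instance.
            foreach ($inst in Get-ChildItem -Path $model.PSPath -ErrorAction SilentlyContinue) {
                $props        = Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue
                $instanceName = $inst.PSChildName

                # An '&' in the second position marks an instance ID that
                # Windows generated from the attachment location (e.g.
                # 6&1a2b3c4d&0&3); otherwise it is the device's own serial.
                $generated = ($instanceName.Length -gt 1 -and $instanceName[1] -eq '&')

                $desc = if ($props.FriendlyName) { $props.FriendlyName } else { $props.DeviceDesc }

                [pscustomobject]@{
                    Enumerator       = $enum
                    DeviceInstanceId = "$enum\$($model.PSChildName)\$instanceName"
                    HardwareIDs      = ($props.HardwareID -join '; ')
                    CompatibleIDs    = ($props.CompatibleIDs -join '; ')
                    Class            = $props.Class
                    Description      = ConvertFrom-IndirectString $desc
                    Driver           = $props.Driver
                    Service          = $props.Service
                    # "Port_#0003.Hub_#0001" style string written by the hub
                    # driver; absent for some devices and for USBSTOR records.
                    Location         = $props.LocationInformation
                    HasSerialNumber  = -not $generated
                }
            }
        }
    }
}

Get-UsbDeviceHistory |
    Sort-Object Enumerator, DeviceInstanceId |
    Format-Table DeviceInstanceId, Class, Description, HasSerialNumber, Location -AutoSize
```

Run it as an ordinary user to confirm the default readability claim above; pipe `Get-UsbDeviceHistory` to `Export-Csv` instead of `Format-Table` when collecting the history as evidence. Devices with `HasSerialNumber` false will appear once per port they were ever plugged into, which is exactly the location tracking described above; devices with a serial number appear once regardless of port, and only the `Location` value (when present) tells you where they were last attached.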
The PNP mechanism we've just described received a slight upgrade in Windows Vista. Domain administrators can now set a Group Policy (the Device Installation Restrictions settings) specifying which devices may not be installed, even by local administrators of the workstation. The purpose of this mechanism is to give security officers control over which devices are connected to an organization's computers.
The problem with Vista's approach is that it governs installation, not use: a device that has already been installed can be used freely. If an organization's policy prohibits a specific device, that device still works if it was connected and installed before the policy took effect. Thus the history of previously connected devices on a machine running Windows Vista can be exploited by adversaries to connect prohibited devices. All they need is to find a device that was previously installed on the computer and use that one. For example, intruders who want to use a specific printer can see from the history that it was installed earlier and know that connecting that exact printer will work.