Tracing Origin of USB

08-12-2008, 01:02 PM
Member
Join Date: Jul 2008
Posts: 37
Rep Power: 0
Tracing Origin of USB
Hello there Bombshock.
Here's my present situation.
- We found a USB drive in our car that does not belong to us.
- The USB drive contains ... "indecent" material, in the form of pictures and video.
- The USB drive also contains Firefox Portable with remaining history.
I would like to find who owns this USB as it contains illegal material and out of curiosity as it is likely I know the person. I have tried viewing the properties of the files to no avail. Can anyone suggest alternative methods of finding information about the owner of the USB? Perhaps some program can scan it for information.
I have read that transmission logs from Firefox Portable can be used to trace the IP. Is this false information or should it be explored?

08-12-2008, 02:07 PM
Banned
Join Date: Aug 2008
Posts: 100
Rep Power: 0
Look for user name or IP information in the cookies. If they've set the user name on the computer they used, which is more than likely, it will show up many times in the cookie files. But then, you could just format it and get a free flash drive.
If it's illegal material (I'm guessing kiddy porn), don't drag it to the recycle bin, use the command prompt to delete it. Makes it hard, if not impossible, to get back off a flash drive. If I am correct, such information can only be recovered off a hard disk.
Last edited by CrazyGoth666; 08-13-2008 at 02:57 AM.
Reason: accidentally said recycle bun the first time :(

08-13-2008, 02:36 AM
Senior Member
Join Date: May 2006
Location: Rural NSW Australia
Posts: 1,713
Rep Power: 0
Ask around if anyone has lost a USB in your car or at your place. Think who is likely to have this "information". What is it, may I ask, because it may help.
Check the Firefox for any user handles on websites etc. Go to that site, find the user and try to figure it out, or type their user handle into Google and you will find most posts by people with that handle.
Sometimes a handle can be linked back to a person via interests or personal belief/experiences. When someone chooses a handle it usually has some sort of value to the name or there is a specific reason they like it.
See, I kept mine from my old days playin CS and CS Source. Oh and if you think about my name and interests you will see SLAITED says something in my eyes: Slate (the rock).
So it's ROCKED, now what's another word for Rock? Stone = STONEed = Stoned lol
__________________
[img]http://i111.photobucket.com/albums/n148/Gobiggi/sLA.png[/img]
[url=http://www.coffeesh0p.com]Cheap Salvia D and Cannabis Seeds[/url]
[QUOTE=xpl0siv;47293]i hate CrazyGoth666, banned.[/QUOTE]

08-13-2008, 03:00 AM
Banned
Join Date: Aug 2008
Posts: 100
Rep Power: 0
True, user names and stuff help. Look for some login in the history that has a saved password. Then look for some kind of my account section and snoop around till you see a name or email account.
CrazyGoth666 = 1: I'm a goth girl. 2: I have a couple mental diseases. 3: I have a 666 to make bible thumping Christians bitchy.

08-13-2008, 07:14 AM
Member
Join Date: Jul 2008
Posts: 37
Rep Power: 0
The history is very limited. There are only about 10 pages listed, most of which are Google image searches, two being regular porn websites; and no apparent log-in can be seen. Taking a look at the cookies (Options > Privacy > Show Cookies), I can see the cookie's URL name and some other useless information, nothing useful. How can I further analyse the cookies? I cannot find them looking through the Firefox folders.
I found a text document named kf.txt. It contains a "clientkey" and a "wrappedkey", both of which say 24, followed by a colon and a seemingly randomly generated 24-character alphanumeric code. It looks something like this (I changed the characters):
Code:
clientkey:24:hxaop6m3mcp1mc
wrappedkey:24:kdlo93mlao48ck10plzN
I have already thought long and hard about who might own the USB. Unfortunately, the culprit would not admit to it, considering the USB only contains explicit content.
EDIT:
I have found the cookies at "about:cache?device=memory". I can see the URL of the file, its size, how many times it has been fetched, when it was last modified and when it expires. Clicking into it, it tells me the "security", e.g. "This document does not have any security info associated with it."
Last edited by Delirious; 08-13-2008 at 07:20 AM.

08-13-2008, 07:34 AM
Senior Member
Join Date: May 2006
Location: Rural NSW Australia
Posts: 1,713
Rep Power: 0
The below info is from Developer's Guide - Google Safe Browsing API - Google Code.
Quote:
Originally Posted by Google
GetKey Requests (optional)
Description
The getkey request may be used at client startup to create a shared secret key between the client and the server. The secret key is optional and can be used to authenticate list updates. To be secure, the getkey request uses SSL.
This is the url for the getkey request:
https://sb-ssl.google.com/safebrowsi...key?client=api
Server Response
The server responds with key-value pairs, in this format: key:<value length>:value
In this case, the server will respond with a clientkey and wrappedkey. For example:
clientkey:24  OAblTUiZFkLSv3xRiXKKQ==
wrappedkey:24:MTqdJvrixHRGAyfebvaQWYda
The client key is a 16-byte, base-64 encoded random nonce, generated by the server when receiving the GetKey request. The wrapped key is the random nonce encrypted by a server key. The wrappedkey is opaque to the client and a server may implement any encryption algorithm it sees fit. The wrappedkey allows the server to reconstruct the client key without requiring per-client state. It is up to the server to include verification information into the wrapped key that might allow it to determine if decrypting it was successful. If the server key changes, the server can prepend pleaserekey to responses to tell the client to request a new client key.
The GetKey request should only be called once per client, as well as once per pleaserekey response.
*Maybe if you casually drop something along the lines of someone lost their USB in my car but you haven't checked it out 'cause it's private/rude (LMFAO) or you're seriously worried about virii infecting your computer etc.
Last edited by S7@1T3D; 08-13-2008 at 07:44 AM.
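
Added example (not part of the original posts or of Google's guide): a Python check that a file such as kf.txt follows the `key:<value length>:value` format quoted above and that the clientkey decodes to a 16-byte nonce. The well-formed sample values are constructed, and the function name `parse_getkey` is hypothetical.

```python
import base64
import binascii

def parse_getkey(text):
    """Parse 'key:<value length>:value' lines into {key: (value, problems)}."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3 or not parts[1].isdigit():
            result[line] = (None, ["not in key:<value length>:value form"])
            continue
        key, declared, value = parts[0], int(parts[1]), parts[2]
        problems = []
        if len(value) != declared:
            problems.append(f"declared length {declared}, actual {len(value)}")
        if key == "clientkey":
            # The quoted guide says the client key is a 16-byte base-64 nonce.
            try:
                if len(base64.b64decode(value, validate=True)) != 16:
                    problems.append("clientkey does not decode to 16 bytes")
            except (binascii.Error, ValueError):
                problems.append("clientkey is not valid base64")
        result[key] = (value, problems)
    return result

# Constructed sample: 16 and 18 arbitrary bytes, base64-encoded to 24 characters each.
WELL_FORMED = (
    "clientkey:24:" + base64.b64encode(bytes(range(16))).decode() + "\n"
    "wrappedkey:24:" + base64.b64encode(bytes(range(16, 34))).decode() + "\n"
)
# The altered values posted earlier in the thread, copied as posted.
AS_POSTED = "clientkey:24:hxaop6m3mcp1mc\nwrappedkey:24:kdlo93mlao48ck10plzN\n"

if __name__ == "__main__":
    for name, sample in (("well-formed", WELL_FORMED), ("as posted", AS_POSTED)):
        for key, (value, problems) in parse_getkey(sample).items():
            print(name, key, problems or "ok")
```

Per the quoted guide, both values derive from a server-generated random nonce, so a well-formed kf.txt holds Safe Browsing state rather than information about the drive's owner.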

08-13-2008, 10:03 PM
Banned
Join Date: Aug 2008
Posts: 100
Rep Power: 0
Hmmm.... depending on what kind of friends you have, and if they'd have access to high security files and such, there could be files hidden inside the image files. They'd look like any old picture, but when opened with WinRAR, can reveal a secret hidden file or document. All you have to do is open WinRAR, and change the picture's file name to a .rar extension. You could try it on this picture, I put something hidden in it:
Besides, I knew you'd love to see more anime!

08-13-2008, 10:41 PM
Senior Member
Join Date: May 2006
Location: Rural NSW Australia
Posts: 1,713
Rep Power: 0
Hmmm interesting, what allows that to happen?

08-13-2008, 10:45 PM
Banned
Join Date: Aug 2008
Posts: 100
Rep Power: 0
To make one, all you have to do is have an image file and a document inside a .rar archive and use the copy command in the command prompt to make it:
Code:
COPY /B image.jpg + file.rar newimage.jpg
There's also a program called Camouflage that does that automatically.
Camouflage Home Page - Hide your files!
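
Added example (not from the thread): a Python check for data appended after the end of a JPEG, which is what the `COPY /B` command above produces. An image decoder stops at the end-of-image marker, so the appended bytes do not change how the picture displays; the sample bytes are constructed and the function names are hypothetical.

```python
import struct

# Signatures of archive formats that are commonly appended to images.
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "RAR", b"PK\x03\x04": "ZIP",
                 b"7z\xbc\xaf\x27\x1c": "7z"}
SKIP_IN_SCAN = {0x00, 0xFF, *range(0xD0, 0xD8)}  # stuffing, fill, restart markers

def jpeg_end(data):
    """Walk the JPEG segments; return the offset just past EOI, or None."""
    if data[:2] != b"\xff\xd8":                  # no SOI: not a JPEG
        return None
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            return None                          # broken segment structure
        marker = data[i + 1]
        if marker == 0xD9:                       # EOI: the image ends here
            return i + 2
        if i + 4 > len(data):
            return None
        i += 2 + struct.unpack(">H", data[i + 2:i + 4])[0]
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            while i + 1 < len(data) and not (
                    data[i] == 0xFF and data[i + 1] not in SKIP_IN_SCAN):
                i += 1
    return None

def appended_data(data):
    """Describe bytes after the end of a JPEG; None if clean or not a JPEG."""
    end = jpeg_end(data)
    if end is None or end == len(data):
        return None
    tail = data[end:]
    for magic, name in ARCHIVE_MAGIC.items():
        pos = tail.find(magic)
        if pos != -1:
            return {"type": name, "offset": end + pos, "trailing_bytes": len(tail)}
    return {"type": "unknown", "offset": end, "trailing_bytes": len(tail)}

def seg(marker, payload):
    """Build one JPEG segment: FF, marker, big-endian length, payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed marker stream (not a viewable picture). The APP1 payload holds an
# embedded SOI/EOI pair, as an EXIF thumbnail would, to show it is skipped.
CLEAN = (b"\xff\xd8" + seg(0xE1, b"Exif\x00\x00\xff\xd8\xff\xd9")
         + seg(0xDA, b"\x00\x00") + b"\x12\xff\x00\x34" + b"\xff\xd9")
COMBINED = CLEAN + b"Rar!\x1a\x07\x00" + b"constructed-archive-body"

if __name__ == "__main__":
    print(appended_data(CLEAN), appended_data(COMBINED))
```

Walking the segments rather than searching for the first `FF D9` keeps an embedded thumbnail from being mistaken for the end of the image.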

08-14-2008, 12:51 AM
Member
Join Date: Jul 2008
Posts: 37
Rep Power: 0
There is a lot of clutter on the USB. Many episodes of Criminal Minds, NCIS and CSI have led me to believe this would not meet the profile of someone with "access to high security files."
It's a nice little trick hiding files inside an image. Think they'd notice if I hid say 800MB in a thumbnail gif?

08-14-2008, 01:58 AM
Senior Member
Join Date: May 2006
Location: Rural NSW Australia
Posts: 1,713
Rep Power: 0
Use paranoid's Key logger tut and put it on the port. Firefox and see if you can find the owner and then you will get a lot of their info.

08-14-2008, 02:14 AM
Banned
Join Date: Aug 2008
Posts: 100
Rep Power: 0
I think almost anyone would notice an 800MB file. Not much you can do with a file that size, except stick it on an SD card and transport it that way. I have a little SD card full of shit I don't want found.

08-14-2008, 07:45 AM
Member
Join Date: Jul 2008
Posts: 37
Rep Power: 0
Quote:
I think almost anyone would notice an 800MB file. Not much you can do with a file that size
It was a joke.
Quote:
Use paranoids Key logger tut
The Keylogger download contains a surprise. Coincidentally, it says "If you have any antivirus turn it off." This would make it a little too convenient for someone to place a keylogger/virus in the download now, wouldn't it? Random made some good points in that thread. While I understand the file may not be infected, I recognise the risk associated with involving myself with such files.
As far as my current situation, nothing has changed. Any ideas?

08-14-2008, 10:57 AM
Senior Member
Join Date: May 2006
Location: Rural NSW Australia
Posts: 1,713
Rep Power: 0
It only found the file when you were using it but otherwise it picks it up at random with the R-T scan.

08-14-2008, 11:55 PM
Banned
Join Date: Aug 2008
Posts: 100
Rep Power: 0
*sigh* well you can't tell jokes as easy on the internet.
There's an off chance you could recover files off the memory. I'm not sure that this will work on flash memory, but just look for NT file recovery software.