Merge pull request #12 from EricZimmerman/master

update repo

Author: AndrewRathbun

evtx/Maps/Microsoft-Windows-DeviceSetupManager-Admin_Microsoft-Windows-DeviceSetupManager_112.map

@@ -28,6 +28,7 @@ Maps:
 
 # Documentation:
 # https://cyberforensicator.com/wp-content/uploads/2017/09/USB-Storage-Device-Forensics-for-Windows-10.pdf
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
 #
 # Example Event Data:
 # <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

evtx/Maps/Microsoft-Windows-DriverFrameworks-UserMode_Operational_2100.map evtx/Maps/Microsoft-Windows-DriverFrameworks-UserMode-Operational_Microsoft-Windows-DriverFrameworks-UserMode_2100.map

@@ -22,6 +22,7 @@ Maps:
 # Documentation:
 # https://nxlog.co/documentation/nxlog-user-guide/windows-usb-auditing.html
 # https://www.reddit.com/r/sysadmin/comments/4dr2t2/security_guy_wants_to_log_usb_storage_devices_on/
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
 # Windows Vista, 7 : enable (default)
 # Windows 8~ : disable (default)
 #

evtx/Maps/Microsoft-Windows-Ntfs-Operational_Microsoft-Windows-Ntfs_146.map

@@ -73,6 +73,7 @@ Lookups:
 
 # Documentation:
 # https://docs.microsoft.com/en-us/previous-versions/windows/desktop/stormgmt/msft-physicaldisk (BusType)
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
 #
 # Example Event Data:
 # <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

evtx/Maps/Microsoft-Windows-Partition-Diagnostic_Microsoft-Windows-Partition_1006.map

@@ -52,6 +52,7 @@ Maps:
 # https://df-stream.com/2018/05/partition-diagnostic-event-log-and-usb-device-tracking-p1/
 # https://df-stream.com/2018/07/partition-diagnostic-event-log-and-usb-device-tracking-p2/
 # https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+# https://docs.microsoft.com/en-us/previous-versions/windows/desktop/stormgmt/msft-physicaldisk (BusType)
 # Frankly, there is too much data to fit within 6 PayloadData columns. As always, all data is in the Payload column but there isn't enough room to map out all the information cleanly.
 # 
 # Example Event Data:

evtx/Maps/Microsoft-Windows-Storage-Storport-Operational_Microsoft-Windows-StorPort_504.map

@@ -27,13 +27,6 @@ Maps:
         Value: "/Event/EventData/Data[@Name=\"SerialNumber\"]"
   -
     Property: PayloadData4
-    PropertyValue: "BootDevice: %BootDevice%"
-    Values:
-      -
-        Name: BootDevice
-        Value: "/Event/EventData/Data[@Name=\"BootDevice\"]"
-  -
-    Property: PayloadData5
     PropertyValue: "BusType: %BusType%"
     Values:
       -

evtx/Maps/Microsoft-Windows-StorageSpaces-Driver-Operational_Microsoft-Windows-StorageSpaces-Driver_207.map

@@ -0,0 +1,58 @@
+Author: Hyun Yi @hyuunnn
+Description: USB Connection
+EventId: 207
+Channel: "Microsoft-Windows-StorageSpaces-Driver/Operational"
+Provider: "Microsoft-Windows-StorageSpaces-Driver"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "DriveManufacturer: %DriveManufacturer%"
+    Values:
+      -
+        Name: DriveManufacturer
+        Value: "/Event/EventData/Data[@Name=\"DriveManufacturer\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "DriveModel: %DriveModel%"
+    Values:
+      -
+        Name: DriveModel
+        Value: "/Event/EventData/Data[@Name=\"DriveModel\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "DriveSerial: %DriveSerial%"
+    Values:
+      -
+        Name: DriveSerial
+        Value: "/Event/EventData/Data[@Name=\"DriveSerial\"]"
+
+# Documentation:
+# N/A
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="Microsoft-Windows-StorageSpaces-Driver" Guid="{GUID}" /> 
+#     <EventID>207</EventID> 
+#     <Version>0</Version> 
+#     <Level>4</Level> 
+#     <Task>0</Task> 
+#     <Opcode>0</Opcode> 
+#     <Keywords>0x8000000000000000</Keywords> 
+#     <TimeCreated SystemTime="2020-12-30T03:22:01.1630740Z" /> 
+#     <EventRecordID>21036</EventRecordID> 
+#     <Correlation /> 
+#     <Execution ProcessID="4" ThreadID="232" /> 
+#     <Channel>Microsoft-Windows-StorageSpaces-Driver/Operational</Channel> 
+#     <Computer>ComputerName</Computer> 
+#     <Security UserID="{UserID}" /> 
+#   </System>
+#   <EventData>
+#     <Data Name="DriveId">{a0d9d718-f9a2-319a-d91a-87f51e15fb49}</Data> 
+#     <Data Name="PoolId">{00000000-0000-0000-0000-000000000000}</Data> 
+#     <Data Name="DeviceNumber">1</Data> 
+#     <Data Name="DriveManufacturer">WD</Data> 
+#     <Data Name="DriveModel">My Passport 25E2</Data> 
+#     <Data Name="DriveSerial">WX41D69CD7D1</Data> 
+#   </EventData>
+# </Event>

evtx/Maps/Microsoft-Windows-Storsvc-Diagnostic_Microsoft-Windows-Storsvc_1001.map

@@ -0,0 +1,110 @@
+Author: Hyun Yi @hyuunnn
+Description: USB Connection
+EventId: 1001
+Channel: "Microsoft-Windows-Storsvc/Diagnostic"
+Provider: "Microsoft-Windows-Storsvc"
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "VendorId: %VendorId%"
+    Values:
+      -
+        Name: VendorId
+        Value: "/Event/EventData/Data[@Name=\"VendorId\"]"
+  -
+    Property: PayloadData2
+    PropertyValue: "ProductId: %ProductId%"
+    Values:
+      -
+        Name: ProductId
+        Value: "/Event/EventData/Data[@Name=\"ProductId\"]"
+  -
+    Property: PayloadData3
+    PropertyValue: "SerialNumber: %SerialNumber%"
+    Values:
+      -
+        Name: SerialNumber
+        Value: "/Event/EventData/Data[@Name=\"SerialNumber\"]"
+  -
+    Property: PayloadData4
+    PropertyValue: "Size: %Size% Bytes"
+    Values:
+      -
+        Name: Size
+        Value: "/Event/EventData/Data[@Name=\"Size\"]"
+  -
+    Property: PayloadData5
+    PropertyValue: "FileSystem: %FileSystem%"
+    Values:
+      -
+        Name: FileSystem
+        Value: "/Event/EventData/Data[@Name=\"FileSystem\"]"
+  -
+    Property: PayloadData6
+    PropertyValue: "BusType: %BusType%"
+    Values:
+      -
+        Name: BusType
+        Value: "/Event/EventData/Data[@Name=\"BusType\"]"
+Lookups: 
+  -
+    Name: BusType
+    Default: Unknown code
+    Values:
+        0: The bus type is unknown.
+        1: SCSI
+        2: ATAPI
+        3: ATA
+        4: IEEE 1394
+        5: SSA
+        6: Fibre Channel
+        7: USB
+        8: RAID
+        9: iSCSI
+        10: Serial Attached SCSI (SAS)
+        11: Serial ATA (SATA)
+        12: Secure Digital (SD)
+        13: Multimedia Card (MMC)
+        14: This value is reserved for system use.
+        15: File-Backed Virtual
+        16: Storage Spaces
+        17: NVMe
+        18: This value is reserved for system use.
+
+# Documentation:
+# https://forensixchange.com/posts/19_08_03_usb_storage_forensics_1/
+#
+# Example Event Data:
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="Microsoft-Windows-Storsvc" Guid="{GUID}" /> 
+#     <EventID>1001</EventID> 
+#     <Version>0</Version> 
+#     <Level>4</Level> 
+#     <Task>0</Task> 
+#     <Opcode>0</Opcode> 
+#     <Keywords>0x8000000000000000</Keywords> 
+#     <TimeCreated SystemTime="2020-12-08T01:03:35.5243959Z" /> 
+#     <EventRecordID>220</EventRecordID> 
+#     <Correlation ActivityID="{ActivityID}" /> 
+#     <Execution ProcessID="7796" ThreadID="12988" /> 
+#     <Channel>Microsoft-Windows-Storsvc/Diagnostic</Channel> 
+#     <Computer>ComputerName</Computer> 
+#     <Security UserID="{UserID}" /> 
+#   </System>
+#   <EventData>
+#     <Data Name="Version">2</Data> 
+#     <Data Name="DiskNumber">1</Data> 
+#     <Data Name="VendorId">WD</Data> 
+#     <Data Name="ProductId">My Passport 25E2</Data> 
+#     <Data Name="ProductRevision">4005</Data> 
+#     <Data Name="SerialNumber">WX41D69CD7D1</Data> 
+#     <Data Name="ParentId">USB\VID_1058&PID_25E2\575834314436394344374431</Data> 
+#     <Data Name="FileSystem">NTFS</Data> 
+#     <Data Name="BusType">7</Data> 
+#     <Data Name="PartitionStyle">1</Data> 
+#     <Data Name="VolumeCount">1</Data> 
+#     <Data Name="ContainsRawVolumes">false</Data> 
+#     <Data Name="Size">4000752599040</Data> 
+#   </EventData>
+# </Event>