Tuesday, January 7, 2014

Daily Blog #198: Let's Talk about MTP Part 3

Hello Reader,
          In the last post in this series we looked at what it looks like if a user attached an Android MTP device to a Windows 7 system. Today let's look at what artifacts are left behind from the directory traversal. On my test system I opened the MTP device, browsed the device, created a directory and copied a file to it.

As you would expect, a shellbag entry is made for the directory access. Since this is a device rather than a mapped drive, it appears under the My Computer parent, and on Windows 7 those shellbag entries are stored in the user's UsrClass.dat hive (under Local Settings\Software\Microsoft\Windows\Shell\BagMRU and the matching Bags keys) rather than in NTUSER.dat. I tried two tools to parse the shellbags and recover the MTP device access: TZWorks sbag and the shellbags registry module for RegRipper.

The TZWorks sbag parser has not been updated to handle this resource yet, so a parse of UsrClass.dat did not reveal the MTP directory access. The RegRipper module did find the MTP directory traversal, as shown below:

As you can see the device does not have a drive letter, nor is it a network device. Instead the model of the phone (Z992 is the ZTE model for the AT&T Avail 2 I'm testing) is the name of the path from the root of 'My Computer'. From there you can see I traversed down Phone\Android\data and then created a new folder under the root directory Phone and browsed to it.

Also notice that there are no MAC times or MFT file reference numbers associated with these entries. MTP is a file transfer protocol, not an SMB-like file sharing system: Explorer is emulating the directory traversal by enumerating objects over MTP, so the NTFS metadata a shellbag parser normally pulls out of a file-system shell item (timestamps and MFT reference) is simply not present in the item. Don't read the empty fields as a parsing failure; for a device entry that is the expected shape, and the LastWrite times on the BagMRU keys become your main timing evidence for when the folder was browsed.
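The two points above, that an MTP device shows up in shellbags with neither a drive letter nor a UNC prefix and that its entries carry no NTFS timestamps or MFT references, are easy to miss when scanning a few hundred rows of parser output. The following triage script is an added example, not code from this blog or from RegRipper or TZWorks. It classifies each shellbag row by the kind of root it hangs off (local drive, network share, or a device/virtual folder under My Computer), rebuilds the per-device traversal order from the MRU times, and records whether NTFS metadata was present. The pipe-separated column layout and the five sample rows are constructed assumptions loosely modelled on RegRipper's shellbags output; adapt parse_line() to whatever your parser actually emits.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in an ASSUMED layout:
#   MRU time | Modified | Accessed | Created | MFT File Ref | Resource
# Rows 3-5 imitate an MTP device (model name "Z992" as the root, no
# timestamps, no MFT reference). None of this is real tool output.
SAMPLE_OUTPUT = """\
2014-01-06 22:11:03Z | 2013-12-30 14:02:10Z | 2014-01-06 22:10:51Z | 2013-12-30 14:02:10Z | 41233/2 | C:\\Users\\dave\\Documents
2014-01-06 22:12:40Z | 2013-11-02 09:15:00Z | 2014-01-06 22:12:40Z | 2013-11-02 09:15:00Z | 118/1 | \\\\fileserver\\share\\projects
2014-01-06 22:14:45Z |  |  |  |  | Z992
2014-01-06 22:15:02Z |  |  |  |  | Z992\\Phone\\Android\\data
2014-01-06 22:17:19Z |  |  |  |  | Z992\\Phone\\New folder
"""

DRIVE_RE = re.compile(r"^[A-Za-z]:(\\|$)")   # C:\... or bare C:
UNC_RE = re.compile(r"^\\\\[^\\]+")          # \\server\share\...


@dataclass
class ShellbagEntry:
    mru_time: str
    modified: str
    accessed: str
    created: str
    mft_ref: str
    resource: str

    @property
    def root_kind(self) -> str:
        """local_drive, network, or device (no drive letter, no UNC prefix:
        a virtual folder under My Computer, which is how MTP devices appear)."""
        if DRIVE_RE.match(self.resource):
            return "local_drive"
        if UNC_RE.match(self.resource):
            return "network"
        return "device"

    @property
    def root_name(self) -> str:
        """The thing the path hangs off: 'C:', '\\\\server\\share', or the device name."""
        parts = self.resource.split("\\")
        if self.root_kind == "network":
            return "\\\\" + "\\".join(parts[2:4])   # parts[0:2] are empty (leading \\)
        return parts[0]

    @property
    def has_ntfs_metadata(self) -> bool:
        """True if the parser recovered any file-system timestamp or an MFT reference."""
        return any((self.modified, self.accessed, self.created, self.mft_ref))


def parse_line(line: str) -> ShellbagEntry:
    """Split one pipe-separated row into an entry; empty columns stay empty strings."""
    cols = [c.strip() for c in line.split("|")]
    if len(cols) != 6:
        raise ValueError(f"expected 6 columns, got {len(cols)}: {line!r}")
    return ShellbagEntry(*cols)


def triage(text: str) -> List[ShellbagEntry]:
    """Parse all non-blank rows, ordered by MRU time (ISO strings sort lexically)."""
    entries = [parse_line(ln) for ln in text.splitlines() if ln.strip()]
    return sorted(entries, key=lambda e: e.mru_time)


def device_traversal(entries: List[ShellbagEntry]) -> Dict[str, List[str]]:
    """For each device-rooted entry, the folders browsed in MRU order.
    Lets you read 'opened device, went to Phone\\Android\\data, then to the new folder'
    straight off the shellbags even though no drive letter was ever assigned."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        if e.root_kind == "device":
            out.setdefault(e.root_name, []).append(e.resource)
    return out


if __name__ == "__main__":
    rows = triage(SAMPLE_OUTPUT)
    for e in rows:
        meta = "ntfs-meta" if e.has_ntfs_metadata else "no-ntfs-meta (expected for MTP)"
        print(f"{e.mru_time}  {e.root_kind:<12} {e.root_name:<20} {meta:<34} {e.resource}")
    for dev, path in device_traversal(rows).items():
        print(f"\n{dev}: " + " -> ".join(path))
```

Feed it the text output of whichever shellbag parser you use; the classification hinges only on the resource string, so once parse_line() matches your column layout the rest carries over. A device entry that does show NTFS timestamps would be worth a second look, since under the behaviour described above that is not what Explorer records for MTP folders.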

Tomorrow let's go through what happens when you copy data to an MTP device, and then end on Thursday with accessing data on the MTP device and copying it to the local system.