1

If one uses a FAT32-formatted USB stick on Windows, Linux, or Android, would there be a way to determine on which computer the USB stick was used by examining the USB stick?

I know an OS can log which USB sticks were connected. As far as I know, the log is saved locally on the OS, not on the USB sticks.

Also, I know about file metadata, which may leak system info. Let's not consider that.

Also, Windows leaves a "System Volume Information" folder in the file system. I don't know, though, whether it could be used to track down the system. I don't know whether other OSes leave something similar.

So is there any other way an OS can leave traces on USB sticks?

It may sound silly, but for example by writing some data to the USB stick's memory directly at some sector offset without registering it in a file system.

Or by storing something in the USB stick's controller chip firmware memory.

Or by storing something in the file system metadata.

schroeder
William
  • Other questions on the same storage traces topic: https://security.stackexchange.com/questions/257056/which-traces-leave-on-a-flash-card-reader-after-using-it https://security.stackexchange.com/questions/257059/which-traces-leave-on-a-flash-card-after-using-it https://security.stackexchange.com/questions/257060/are-there-differences-on-how-storages-are-formatted-between-different-os https://security.stackexchange.com/questions/257062/could-system-volume-information-be-used-to-find-out-on-which-system-the-storag – William Nov 14 '21 at 09:10
  • On Windows, deleting a file from the USB stick should result in the creation of a Trash folder. Browsing directories that contain images may result in the creation of the Thumbs.db file etc. – Kate Nov 14 '21 at 16:38
  • @Anonymous, Yes, that's also unclear sometimes. – William Nov 14 '21 at 17:24
  • Have found some more info. The "System Volume Information" files have no official documentation, so they may store anything. Some file systems (like EXT) have a superblock that contains data like the number of previous mounts, last mount point, last mount date ... which can be examined with the "dumpe2fs" Linux util. But as I understand it, FAT doesn't have one. I tried making a FAT fs on an SD card from different OSes, hexdumped its contents and found that they differ, leaving info about the tools used to make the fs. Plugging the SD card into systems and copying files from it doesn't leave anything in the hexdumps. – William Nov 14 '21 at 17:26
  • I'm starting to think that if there were something systems leave on removable media, it would be widely known and spread at least on anonymity-focused resources like the Tails wiki. But the superblock discovery is something I haven't seen anywhere before, even though I haven't looked for it. – William Nov 14 '21 at 17:28

1 Answer

1

Both MS Windows and Macs write unique information to mounted media, even if it's only nominally reading the media. Generally Linux does not do this, but there are a lot of Linux variants.

The information on the media alone is insufficient to explicitly map back to a particular computer. However, if you have access to a group of candidate computers, they can be examined for an entry matching that of the subject media.

user10216038
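
The difference William reports in his comment under the question (FAT file systems made by different OSes differ in ways that reveal the formatting tool) can be read straight from the FAT32 boot sector. The following Python sketch is an added example, not code from the thread; the OEM-name-to-tool mapping is an assumption from general knowledge and the sample sectors are constructed for illustration.

```python
import struct

# OEM-name strings commonly written by formatters (assumed from general
# knowledge, not from the thread; the field is free text and can be edited).
KNOWN_OEM = {
    "MSDOS5.0": "Windows format",
    "mkfs.fat": "Linux dosfstools",
    "BSD  4.4": "macOS/BSD newfs_msdos",
}

def parse_fat32_boot_sector(sector: bytes) -> dict:
    """Extract the formatter-written identifiers from a FAT32 boot sector."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a boot sector: short read or missing 0x55AA")
    fat_size_16, = struct.unpack_from("<H", sector, 22)
    fat_size_32, = struct.unpack_from("<I", sector, 36)
    if fat_size_16 != 0 or fat_size_32 == 0:
        raise ValueError("not FAT32 (FAT12/16 keep these fields elsewhere)")
    oem = sector[3:11].decode("ascii", "replace").rstrip(" \x00")
    info = {"oem_name": oem,
            "formatter_guess": KNOWN_OEM.get(oem, "unknown"),
            "volume_id": None, "volume_label": None}
    if sector[66] == 0x29:  # extended boot signature: ID and label are valid
        vol_id, = struct.unpack_from("<I", sector, 67)
        info["volume_id"] = f"{vol_id >> 16:04X}-{vol_id & 0xFFFF:04X}"
        info["volume_label"] = sector[71:82].decode("ascii", "replace").rstrip()
    return info

def make_sample_sector(oem: bytes, vol_id: int, label: bytes) -> bytes:
    """Constructed test input: a minimal FAT32 boot sector, not a real image."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x58\x90"               # jump instruction
    s[3:11] = oem.ljust(8)                 # OEM name, space padded
    struct.pack_into("<HBHB", s, 11, 512, 8, 32, 2)  # sector/cluster/FAT basics
    struct.pack_into("<I", s, 36, 1024)    # sectors per FAT (FAT32-only field)
    s[66] = 0x29                           # extended boot signature
    struct.pack_into("<I", s, 67, vol_id)  # volume serial number
    s[71:82] = label.ljust(11)             # volume label, space padded
    s[82:90] = b"FAT32   "
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    for oem in (b"MSDOS5.0", b"mkfs.fat", b"BSD  4.4"):
        print(parse_fat32_boot_sector(make_sample_sector(oem, 0x1A2B3C4D, b"NO NAME")))
```

These fields are written when the file system is created, so they point at the formatting tool rather than at a computer that later mounted the stick.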