Episode 425 — USB Device Tracking and PFsense

In this episode Peter Giannoulis joins us from TheAcademyPro.com. Chris Gerling is back in studio talking about USB Device Tracking. And Matt is building the new HakHouse firewall/router with PFsense. Plus a ton of haksnax to get your grub on.


Show Notes

USB Device Tracking

If you’ve ever used a USB storage device and wondered how stealthy you can be with them, you’re in for a scare. Windows XP logs pretty much everything you’d want to know about that USB key in the registry each time it’s plugged in and written to.

When you plug in your USB drive, the Plug and Play manager gets notified and queries the device descriptor in the firmware for information about the device. This helps it locate a driver, which is referenced by the various .inf files in the %SystemRoot%\inf folder. Once the device is identified and a driver selected, the information is dropped into HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR with a format similar to Disk&Ven_###&Prod_###&Rev_###, which will identify the device ID, manufacturer and more. An important number you will find here is the ParentID prefix, which I did not actually say during the segment, but this is something that will appear in virtually every registry entry regarding the device.

Microsoft uses serial numbers on the devices to distinguish between devices with the same manufacturer or model. In the case that the serial number is not unique (or even not present), the PnP manager will create a unique instance ID for the device.

All of the numbers you find related to each device should be logged if you’re doing any sort of investigation or trying to track a device across computers.

If you’re trying to determine whether data was perhaps pilfered from your machine/network, you will want to look at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses, where you will find the ParentID prefix and will be able to correlate to the device. You should also see the manufacturer name here. We are looking for the Last Write time which will help in determining whether data was pilfered by giving you a timeframe as to when someone last copied data to the device. In order to do this, you’re going to right click on the entry that has the ParentID prefix and manufacturer name for the device you want, and then click Export. Change the file extension to .txt and name it anything you want, remembering where you save the file. Upon opening this file up, you will find the last write time.

There are many applications for this data, and you’ll probably never be in the registry doing it quite this way, as there are many tools, both commercial and free that will simplify all of this. This data is also used in tools/services which help track your devices, such as iHound (ihoundsoftware.com), which helps you track devices if they’re stolen.

If you have any questions feel free to contact me here and visit my website. Many thanks to Harlan Carvey, author of the 2007 book Windows Forensic Analysis (I think I might’ve errantly said 2005, sorry), for without this book I wouldn’t have known as much as I do about the Windows registry.

Chris Gerling Jr.
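
The registry correlation described in the USB Device Tracking notes above, as an added example (not code from the show or from Chris): it parses text exported from regedit, decodes each USBSTOR key name, flags instance IDs generated by the PnP manager (a `&` as the second character), and pulls the last write time of any DeviceClasses key that carries the same ParentIdPrefix or instance ID. The sample export is constructed, the function names are hypothetical, and the export layout (Key Name / Last Write Time / Value blocks) is assumed to match what regedit writes when exporting to .txt.

```python
import re

# Constructed sample in the layout of a regedit "Export" saved as .txt
# (Key Name / Last Write Time / Value blocks). Every ID below is made up.
SAMPLE_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ACME&Prod_FlashKey&Rev_1.00\0123456789ABCDEF&0
Class Name:        <NO CLASS>
Last Write Time:   2/3/2009 - 9:14 PM
Value 0
  Name:            ParentIdPrefix
  Type:            REG_SZ
  Data:            8&1a2b3c4d&0

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Storage&Rev_0.1\6&2f9e11aa&0
Class Name:        <NO CLASS>
Last Write Time:   1/20/2009 - 11:02 AM
Value 0
  Name:            ParentIdPrefix
  Type:            REG_SZ
  Data:            7&5d6e7f80&0

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#RemovableMedia#8&1a2b3c4d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Class Name:        <NO CLASS>
Last Write Time:   2/4/2009 - 3:21 PM
"""

USBSTOR_RE = re.compile(
    r"\\Enum\\USBSTOR\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE)

def parse_export(text):
    """Split a regedit text export into key / last_write / values records."""
    records, cur, name = [], None, None
    for line in text.splitlines():
        label, _, rest = line.strip().partition(":")
        rest = rest.strip()
        if label == "Key Name":
            cur = {"key": rest, "last_write": None, "values": {}}
            records.append(cur)
        elif cur is None:
            continue
        elif label == "Last Write Time":
            cur["last_write"] = rest
        elif label == "Name":
            name = rest
        elif label == "Data" and name is not None:
            cur["values"][name] = rest
            name = None
    return records

def usbstor_devices(records):
    """Decode vendor, product, revision and instance ID from USBSTOR key paths."""
    devices = []
    for rec in records:
        m = USBSTOR_RE.search(rec["key"])
        if not m:
            continue
        inst = m.group("instance")
        devices.append({
            "vendor": m.group("vendor"), "product": m.group("product"),
            "revision": m.group("rev"), "instance_id": inst,
            # '&' as 2nd char: PnP-generated ID, device gave no unique serial.
            "has_device_serial": len(inst) < 2 or inst[1] != "&",
            "parent_id_prefix": rec["values"].get("ParentIdPrefix"),
        })
    return devices

def correlate(records):
    """Attach last-write times of matching DeviceClasses keys ('#'-separated names)."""
    devices = usbstor_devices(records)
    classes = [r for r in records if "\\deviceclasses\\" in r["key"].lower()]
    for dev in devices:
        needles = ["#" + n.lower() for n in
                   (dev["parent_id_prefix"], dev["instance_id"]) if n]
        dev["deviceclasses_last_write"] = [
            r["last_write"] for r in classes
            if any(n in r["key"].lower() for n in needles)]
    return devices
```

Calling `correlate(parse_export(text))` on a real export gives one record per USBSTOR device; the timestamps are kept as the strings regedit wrote, since their format follows the exporting machine's locale.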


While our smoothwall is and has been working well for us for the past two years, I recently had the need for something a little more robust.

I came across a fork of the monowall project: pfSense, a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution.

Here’s a short summary of some of the eye catching features.

  • Filtering by source and destination IP, IP protocol, source and destination port for TCP and UDP traffic
  • Able to limit simultaneous connections on a per-rule basis
  • pfSense utilizes p0f, an advanced passive OS/network fingerprinting utility to allow you to filter by the Operating System initiating the connection. Want to allow FreeBSD and Linux machines to the Internet, but block Windows machines? pfSense can do so (amongst many other possibilities) by passively detecting the Operating System in use.
  • Option to log or not log traffic matching each rule.
  • Highly flexible policy routing possible by selecting gateway on a per-rule basis (for load balancing, failover, multiple WAN, etc.)
  • Aliases allow grouping and naming of IPs, networks and ports. This helps keep your firewall ruleset clean and easy to understand, especially in environments with multiple public IPs and numerous servers.
  • Transparent layer 2 firewalling capable – can bridge interfaces and filter traffic between them, even allowing for an IP-less firewall (though you probably want an IP for management purposes).
  • Packet normalization – Description from the pf scrub documentation – “‘Scrubbing’ is the normalization of packets so there are no ambiguities in interpretation by the ultimate destination of the packet. The scrub directive also reassembles fragmented packets, protecting some operating systems from some forms of attack, and drops TCP packets that have invalid flag combinations.”
      • Enabled in pfSense by default
      • Can disable if necessary. This option causes problems for some NFS implementations, but is safe and should be left enabled on most installations.
  • Disable filter – you can turn off the firewall filter entirely if you wish to turn pfSense into a pure router.
  • pfSense offers three options for VPN connectivity, IPsec, OpenVPN, and PPTP.

There’s a ton of other great features that you can read up on at http://is.gd/iauk

The LiveCD ISO is available from http://www.pfsense.org/mirror.php?section=downloads and for VMware folks, a prebuilt VM is available at http://files.pfsense.org/vmware/pfSense-1.2.2-VM.zip

Matt Lestock

LAN Party

This month, we are playing Left4Dead and Zombie Panic! Join us for our LAN Party on Saturday, February 28th at L4D.hak5.wpengine.com or ZP.hak5.wpengine.com for a good ol’ zombie apocalypse.


Last week’s trivia was: “In PHP, which is faster and why? echo “Hello World”; or print(“Hello World”);?” Zoltan answered right with: “Echo is faster because it doesn’t set a return value and ‘print’ is a more complex function.” Zoltan wins a copy of Pronobozo’s CD ‘Zero=One=Everything’. You can check out more of Pronobozo’s music at his website.

If you want to win this week’s giveaway, enter the letters you see popping up during the episode into our trivia page and answer the trivia question in the first 24 hours from when this episode releases. We will choose a random winner out of the correct answers!


Remember to subscribe to our new HD feed on iTunes at Hak5.org.


Have a segment suggestion, constructive feedback, or a snack idea for Kerby? Email your ideas to [email protected]. Thank you!


Don’t forget! We’ve got brand new sticker packs as thanks for your donations at Hak5.org/stickers. Without your help, we wouldn’t be HD right now.


We will be at Shmoocon this weekend, February 6-8 in Washington DC. If you are in the area, join us for the annual podcaster’s meetup. Meet our cast and crew as well as lots of other great podcasters from PaulDotCom, Securabit, Sploitcast, Cyber Speak, Security Justice, and more! Get the info at Podcaster’s Meetup.com.


We’re conducting a survey to get some additional information about our viewers. We would love your feedback. If you have a few minutes to spare, please do us a favor and take the survey at the survey page.

For those of you who complete the survey, you will be treated to a sneak peek at a new show that Revision3 has been working on and get a back stage look at the pre-production of a Hak5 episode.

Trust your Technolust!


  • Will

    There was no place in the survey to discuss the show. I don’t like the new format. I miss Wess and Alli. I don’t particularly care for the grey-hat tilt that has developed over the last season, and there’s too many episodes now.

    I don’t think I’ve watched a whole episode all season. I can’t even be bothered to download them anymore.

  • Gh0st

    I personally liked season one through three the most so far because of the good dynamic and chemistry between Wess, Harrison, and Darren. That’s not to say the new version of the show is bad but it’s just too much like the screen savers and not quite like the original episodes which had a great underground feel to them.

  • Danny

    I can understand what a lot of people are saying. I still believe that, although you can’t please all, the majority of the people that watch all of your shows are people interested in tech related subjects.

    For example, the php tamagotchi was a delight, something really techie again! Easy, but techie!

    You guys should be able to see in your flash players that a lot of people simply skip segments, I personally (no offense) skip all the snubs parts.

    Guys, give us more tech! Teh awesomeness!

  • Danny P

    Well after gettin my weekly hit of technolust I’m satisfied hahaha.

    But seriously I came across HAK5 on youtube and since then it’s become quite an addiction. I tried to seek help but there is no cure *Now to me that’s a bonus ;)*

    But to be honest it’s not just the quality of the show that makes it good, the HAK Crew are a great bunch and tie that in with the fantastic segments and well written show notes, well what can I say, it’s probably the best IT related show I have ever watched.

    Guys keep up the good work you do an amazin job LOVE IT!!!!!!


  • Darren

    The show evolves, the cast changes and season past will never be the same as season present. However chemistry develops, technology is dissected and laughs are had. The core of Hak5 is technolust and that remains throughout.

    When presented with a situation of disband or press forward I’ll always beat the drum. This show is blessed with an enthused crew and a loyal and honest fan base.

    We won’t please everyone all the time but as long as we put our passion in the show we’ll be happy with what we create and ultimately that’s what matters to me.

    As always thank you for your continued feedback. Tell all your friends about Hak5 and stick around for ever enriched technolust.

  • jordan hanes

    gotta agree with most ppl here, i think the eps are too long, and 2nd and 3rd season was 10x better.

    also have to agree with the guy above, i skip the segments with snubs in them, she’s not natural, and doesn’t seem to know much about the stuff.

    i rather just see darren and chris, and wes, just doing their stuff, underground, you know?

  • Joey Pesci

    Was glad to see a segment on pfSense as was gonna try it out as currently using Endian but not sure it’s doing what I want it to do. One thing Endian has pfSense doesn’t seem to is Endian using HTTPS for its login which pfSense doesn’t seem to. However, the segment was too short. You say you’ll be back with more indepth on it, but I’ve heard that said before that never happens (or I just missed the episodes with the follow ons).

    But please, please, please, for the love of god, replace your table :o) its slight rocking is beginning to be a bit annoying. Get one that’s stronger and doesn’t move when you guys lean on it. I wait for the day it actually ends up tipping over :o)

  • Matt Lestock

    Speaking towards the length of the episode, looking back the average episode length of season 2 and season 3 was approx 50 – 55 minutes.

    Season 4 episodes are around 30 – 35 minutes

    Regarding the lack of underground feel, while we understand we can’t be everything to everyone, I would argue that there’s a whole lot more technolust to go around being that we’re weekly, and we can give an overview of something on one episode, and dive deeper in the next. While we haven’t done this yet because of all of our conference coverage, this is something we’re actively looking at.

    And as Darren said, so long as we convey our interest and passion in what we’re doing, I think that goes much further than trying to make what you see feel ‘underground’

  • Darren

    Dude, what we’re doing *IS* underground. If you wanna see mainstream get off the Internet and turn on a television at 9 o’clock.

    A bunch of friends geeking out about what matters to them in front of a few cheap cameras in their retrofitted living room with a hack-job HD mixer for 100 thousand like minded nerds on the Internet is far, far, FAR from mainstream.

    These are the golden days of Internet television. Soak it up!

    PS: February 18th marks the beginning of Hak5 Season 5. Check it out at http://is.gd/ixmY

  • CaFe

    Am I the only one who thinks the episodes should be longer? Most complaints seem to be about too long episodes and about non interesting segments.

    If the episodes were longer, you could fit in more segments, and the viewers could easily skip the ones not interesting to them.

    Appreciate the effort put into the show, it only gets better and better.

  • Mnemonic

    Hey …is it possible not to have the embedded episode “autoplay” when it loads on your site??
    Gets kinda annoying after a while.

  • DrM

    I agree, I think the episodes are a bit short. But it’s ok where it is. Definitely don’t make it much shorter. Maybe the Squarespace propaganda is a bit long in the tooth already. 🙂 If you want short, you can go find those crappy 1:45 exploit vids on YouTube. I look forward to the show improving; I’m optimistic. As far as Shannon’s bits, I think they’re fine. As far as Matt’s segment, I’m ambivalent. I don’t want to pick on Matt, that’s childish. Some people might like this PFsense segment. Personally, it’s kind of “yet another firewall configuration.” I think walk-throughs are great but this is pretty basic and not really much different from configuring any other firewall. But some people might like it. Also, did I hear a censor beep?

  • anonymous coward

    What’s the deal with the ending credit clip? Not that it surprises me; Matt, I hate to pick on a member of hak5, but why does it always seem like you’re trying to run the show? I could have sworn a little while back that you were only on the show because you were assisting in funding behind the scenes; it just seemed like you kept trying to use financial comments to end arguments – almost as if they were threats. And now this little blow-up at Darren wrapping the show?
    Don’t get me wrong: I still enjoy your segments and your adding a slice of “enterprise” to the mix; it allows me to suggest Hak5 to people at work. But what drew me to this show in the first season (and kept me with it) is “one for all”, not “all for one”. I have no idea about the politics that go on behind the scenes and I’m most likely misguided in this drunken rant, but there’s still something that just feels wrong with the dynamic as of late.

    As for Shannon: I think you’re doing a great job, and getting better with every segment as you get more confident and comfortable. I think a few commenting viewers forget that some of the other cast members have had 3 additional seasons to get acquainted with the camera. Keep it up =)

  • Matt

    For those of you that didn’t know, the end credit scene was completely staged and fake. We had no idea that people weren’t going to get the joke, we’ll have to think a little bit more about how we approach some of our skits and such.

    As far as the show being about me, I’m not really sure where you got that idea from, but this has and will always be a team effort. While it’s true we’re a little burned out, it’s not because there’s infighting, between the conferences, some changes in production, real-life, and a host of other things, we, like everyone else, get a little run down. But after shmoocon, we’re pretty much finished with conferences until August, so that coupled with the new production equipment will make it so that we’ll have the time to develop great new content. Previously it used to take us 2 hours to set up, another 3 to shoot the show and another hour and a half to take down. With some recent refinements in our equipment usage, and preplanning, we’re down to about 30 minutes for setup, and 1.5 hours to shoot the show with about 20 minutes to take down. The simple fact that we no longer have to worry about sound, video, etc is a huge load off our shoulders.

    Some have commented that they wish the show looked and felt more underground, while we can understand the human nature of resisting change, this is something that needed to happen. Without the advances in things like the set, the technology behind the show, and production processes improvements, it’s unlikely the show would still be going today.

    The fact of the matter is, we love putting the work in to developing new content, and showcasing some of the things that we enjoy on a daily basis. While yes, pfSense is another firewall, how many people saw that segment and looked at their blue linksys router, and then at their old 400mhz Pentium II and got to work on installing pfSense on it and replacing it with the pfSense box? It’s this spark of curiosity and creativity that we hope to provide to people.

    While a particular segment may not apply to you, can we really create a customized show for each of you? Of course not. Would we like to if we could? Sure, but we realize that not everyone is going to love what we do all the time, and we understand that. But sending feedback, and suggesting segments is a much better avenue than “this sucks and so do you” kind of comments.

    As I sit here and write this in the podcasters lounge of Shmoocon, I’m truly humbled by the number of people who have come up to us and said that they enjoy the show, and are glad to have gotten the chance to meet us in person.

    We’re not celebrities. We all have day jobs, we all work 40+ hours a week, and on top of that create a weekly IPTV show that people enjoy. We’re not superhuman, we’re just like you, and I personally wouldn’t have it any other way.

    If you’ve stuck with this post for this long you deserve a medal of honor 😉

  • anonymous coward

    Really sorry for jumping the gun, Matt.
    On the plus side, you’re a good actor with the whole rage bit.
    A heh…

  • dennis waters

    I think the show is great. The ‘staged ending’ I assumed was real at the time and that it was put in because the cast saw the funny side afterwards!

    Episodes I wish were longer, I could watch this kind of stuff all day 🙂 but ofc I appreciate you have lives to live too.

    Would love some more tech-y stuff in the show, ha(c)ks, forensics, etc. My one contribution off the top of my head as I am writing this for a segment idea (or multiple segments probably) is a “roll-your-own-linux-from-source” tutorial (not just some ubuntu (ARGHH!!) remaster). That would really interest me.

    Shannon is awesome 🙂 again, if she participated more than just “hak5 is brought to you by godaddy.com blah blah blah” and “this weeks lan party is quake3 etc etc”, I’m sure people would respect her as a part of hak5 more than I sometimes read in comments and the forum. rainbow tables segment, although seemed trivial to me, showed she can do it! bring her in more, even teamed up with darren/matt/etc would be good (are darren+shannon together btw? offtopic I know, but I just get that feeling when they are together on the show)

    Darren’s PHP makes me smile 🙂

    Get a new table (like that other guy said)! that wobbling scares me too

    That’s about all that’s on my mind about the show at the moment, I filled in the survey, wish I’d been warned that free preview was some random music show before I spent 2 hours downloading it 🙁 yeah my internet speed sucks.

  • TheHermit

    As always guys a great show. been a little late watching this episode got stuck in a field with no bandwidth for two weeks. in the car now streaming the vid as i drive home.
    one thing i would like to see is a few more mods like the arcade cabinet and the guitar mod.

    thats enough from me lookin forward to my next dose of technolust

  • 3Tek

    I’ve been using PFSense for years…what made you finally talk about it now? I’m not trying to be a dick or anything, but it’s not new by any means.

  • kYd

    I have been watching Hak since the very first episode and I personally think that each season has and is getting better and better, same goes too for the cast, (Yay for the hot-tech chicks!!) Although I do miss Harrison and Wess.

    I agree about the ‘underground’ feel that seasons 1-3 had but I like the direction it’s going in, and anyway what does that matter as long as content is good, which for the most part gets my vote!

    I’m dying to watch the last 2 eps, now if only I can figure out what I’ve done to my Fedora sound garrrr….oh well it’s 3AM my technolust can wait till the morning.

    Cheers to all you hak5 guys!

  • Ken Reynolds

    I just discovered Hak.5 back in November, 2008, during Season 4 episodes. Don’t want to sound dramatic, or anything, but it was a turning point for me in my ambitions as an IT geek. I’ve been doing the whole NOC engineer, datacenter tech, PC tech thing as a job now for quite a while and have been getting a little bored with it of late. I have always been interested in security engineering and hacking, and how the two interplay.

    In comes Hak.5. You guys have presented information that has re-kindled my interest and passion for network and security engineering. The Jasager + FON stuff really sparked my interest and it’s just been a fun ride since then with lots of cool technolust.

    I don’t really care to comment about who is on the show, or about the visual aesthetics of the show, or how it feels, etc. I think it looks great, sounds great, and everybody that comes on camera does a fantastic job; some people are not as comfortable in front of a camera as others and that is cool.

    Thanks for taking the time out of busy work and life schedules to provide a FREE IPTV show for those of us who are truly passionate about learning this stuff and geeking out with it on a daily basis.

  • Victor

    Matt, what happened to the future segments on PFsense? You guys do an amazing job, just sometimes you guys make empty promises…. and that makes me sad and disappointed.

  • Deri

    I think It doesn’t matter if they deserve or not a job at McDonalds. What is important is that if they want to do this, they can do it.
