USB devices are among the most widely used storage devices thanks to their speed, large storage capacity, small size, mobility and more. The advantages of USB devices are indisputable; however, they are also considered a main security threat to businesses as well as individuals. USB devices can be used to perform a variety of malicious activities, including confidential data leakage and malware or virus propagation. Hence, it is important to be able to retrieve information related to the USB devices that have been connected to a system.
USB device history can be an excellent source of evidence during an investigation. Examiners may need to identify which USB device(s) were plugged into a machine and how they were used. This information is particularly important in cases involving malicious activities such as data leakage or intellectual property theft. The USB Forensics artifact retains information such as the USB device serial number, vendor ID, product ID, and timestamps (e.g. first install date and last insertion date).
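Windows encodes the vendor, product and serial number fields in device instance ID strings, so an examiner can cross-check a tool's output by parsing them directly. The sketch below is an added example, not ArtiFast code: the sample IDs are constructed, the function names are hypothetical, and it assumes the standard `USBSTOR\...` and `USB\VID_...&PID_...` instance ID layouts. It also flags the common pitfall where the instance ID has `&` as its second character, meaning Windows generated it because the device reported no unique serial.

```python
import re

# Constructed sample device instance IDs (not taken from any real case).
SAMPLE_IDS = [
    r"USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001230101112233&0",
    r"USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a9e1b3c&0",
    r"USB\VID_0781&PID_5567\4C530001230101112233",
]

USBSTOR_RE = re.compile(
    r"^USBSTOR\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)&Rev_(?P<revision>[^&\\]*)"
    r"\\(?P<instance>[^\\]+)$", re.IGNORECASE)
USB_RE = re.compile(
    r"^USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})[^\\]*"
    r"\\(?P<instance>[^\\]+)$", re.IGNORECASE)


def parse_device_id(device_id):
    """Split one device instance ID into its fields; None if not USB."""
    m = USBSTOR_RE.match(device_id) or USB_RE.match(device_id)
    if m is None:
        return None
    rec = m.groupdict()
    instance = rec.pop("instance")
    # '&' as the second character means Windows generated the ID, so it
    # cannot be used to tie the device to another machine.
    rec["serial_is_unique"] = not (len(instance) > 1 and instance[1] == "&")
    # USBSTOR appends "&<n>" to the device serial; strip it for matching.
    if rec["serial_is_unique"] and "type" in rec:
        instance = instance.rsplit("&", 1)[0]
    rec["serial"] = instance
    return rec


def correlate(device_ids):
    """Merge USBSTOR (names) and USB (VID/PID) records by unique serial."""
    devices = {}
    for device_id in device_ids:
        rec = parse_device_id(device_id)
        if rec and rec["serial_is_unique"]:
            devices.setdefault(rec["serial"], {}).update(rec)
    return devices


if __name__ == "__main__":
    for serial, fields in correlate(SAMPLE_IDS).items():
        print(serial, fields)
```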
USB device analysis can vary depending on the Windows flavor and the type of USB device that has been connected to the system. However, artifacts related to USB devices can be retrieved from the Registry hives at the following locations:
This section discusses how to use ArtiFast Windows to analyze the USB Forensics artifact from Windows machines and what kind of digital forensics insight we can gain from it. After you have created your case and added evidence for the investigation, you can select the USB Forensics artifact at the Artifacts Selection phase:
Once the ArtiFast parser plugins finish processing the artifacts for analysis, the results can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a list of the details you can view using the USB Forensics artifact in ArtiFast Windows.
USB Forensics Artifact
This artifact contains information about the USB devices that have been connected to the system. The details you can view include:
For more information or suggestions please contact: asmaa.elkhatib@forensafe.com