Abstract

A USB mass storage device yields a lot of artifacts when connected to a system. These artifacts are persistent in nature and are retained even after the system has been shut down, and the information they contain may assist in carrying out forensic analysis on a suspect system. In this paper, we demonstrate how Windows Event Viewer can be used to find forensic artifacts in a suspect system for investigative purposes. We also discuss the potential that the Windows registry holds for identifying information about USB devices that have been connected to the system, to corroborate our findings from Windows Event Viewer. Finally, we use the Windows 10 file system to extract log details that contain the setup information recorded when a USB device was connected to the system for the very first time, and obtain the necessary identifiers and timestamp details.

Highlights

  • A Universal Serial Bus (USB) is a type of connection that allows multiple USB devices to be connected to a computer system [1]

  • The USB standard is responsible for defining a software protocol, firmware protocol, and a set of hardware used in communication between a host system and a USB device across a serial bus

  • In order for any USB device to be used with a host, it goes through a mandatory setup procedure which consists of three steps


Summary

Introduction

A Universal Serial Bus (USB) is a type of connection that allows multiple USB devices to be connected to a computer system [1]. There has been a considerable drop in the prices of USB devices, and the cost per unit of storage today is much cheaper than it was a decade ago [1]. As convenient as these devices are, they are known for security risks. When a USB device is attached to a system, operating system drivers start to collect information from the device and use that information to create unique artifacts in the system itself, which are recorded. This collected information is persistently stored in the system, and in some cases is consistent across different operating systems [1].
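The third artifact source named in the abstract, the Windows 10 file system log that records a device's first-time setup, is the device-installation log that Windows writes to %SystemRoot%\INF\setupapi.dev.log. The following parser is an added example (it is not code from the paper or from any project the paper describes) showing how an investigator can pull the identifiers and first-connection timestamp out of that log for USB mass storage devices. The log excerpt embedded in it is constructed for this example, not a real capture; the file path, the section header layout and the USBSTOR device-path structure it assumes are those of the real log, and the rule that a '&' in the second character of the instance ID marks a Windows-generated ID (device reported no serial number) is standard Windows behaviour.

```python
"""Extract first-install records for USB mass storage devices from setupapi.dev.log.

Assumed log location on a live Windows 10 system: %SystemRoot%\\INF\\setupapi.dev.log
(pass the file contents to parse_usbstor_installs). The sample below is constructed.
"""
import re
from datetime import datetime

# Constructed excerpt in the layout of setupapi.dev.log (sample data, not a real capture).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001234567890123]
>>>  Section start 2021/03/02 09:14:05.311
      cmd: C:\Windows\System32\svchost.exe -k DcomLaunch -p
     dvi: {Build Driver List} 09:14:05.400
<<<  Section end 2021/03/02 09:14:06.002
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0]
>>>  Section start 2021/03/02 09:14:06.120
      cmd: C:\Windows\System32\svchost.exe -k DcomLaunch -p
     dvi: {Build Driver List} 09:14:06.200
<<<  Section end 2021/03/02 09:14:07.455
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0&000000]
>>>  Section start 2021/03/05 18:40:12.004
<<<  Section end 2021/03/05 18:40:13.870
<<<  [Exit status: FAILURE(0xe0000203)]
"""

# A hardware-initiated install section opens with the device instance path ...
HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (?P<path>.+?)\]\s*$")
# ... followed by the section start timestamp (local time, millisecond precision) ...
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
# ... and closes with the exit status line.
STATUS_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")


def split_usbstor_path(path):
    """Break 'USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\SERIAL&0' into its identifier fields."""
    _bus, descriptor, instance = path.split("\\", 2)
    fields = {}
    for part in descriptor.split("&"):
        for prefix, name in (("Ven_", "vendor"), ("Prod_", "product"), ("Rev_", "revision")):
            if part.startswith(prefix):
                fields[name] = part[len(prefix):]
    # The instance ID carries the device serial number plus a trailing "&<lun>" suffix.
    fields["serial"] = instance.rsplit("&", 1)[0]
    # If the second character is '&', Windows generated the ID because the device
    # reported no serial number, so it does not identify one specific physical unit.
    fields["serial_is_generated"] = len(instance) > 1 and instance[1] == "&"
    return fields


def parse_usbstor_installs(log_text):
    """Return one record per hardware-initiated USBSTOR install section, in log order."""
    records = []
    current = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"device_path": m.group("path"), "start": None, "status": None}
            continue
        if current is None:
            continue
        m = START_RE.match(line)
        if m:
            current["start"] = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"] = m.group("status")
            if current["device_path"].upper().startswith("USBSTOR\\"):
                current.update(split_usbstor_path(current["device_path"]))
                records.append(current)
            current = None  # section closed
    return records


def first_connection_times(records):
    """Map each serial to the earliest install-section start, i.e. the first-connection time."""
    first = {}
    for rec in records:
        if rec["start"] is None:
            continue
        if rec["serial"] not in first or rec["start"] < first[rec["serial"]]:
            first[rec["serial"]] = rec["start"]
    return first


if __name__ == "__main__":
    found = parse_usbstor_installs(SAMPLE_LOG)
    for rec in found:
        print(rec["start"], rec["vendor"], rec["product"], rec["revision"],
              rec["serial"], "(generated id)" if rec["serial_is_generated"] else "", rec["status"])
    print(first_connection_times(found))
```

Two points worth keeping in mind when using output like this in an investigation: the timestamps are the local time of the examined machine, so they should be normalised against its time zone setting before being compared with Event Viewer entries, and a device whose instance ID is flagged as generated cannot be tied to one physical unit by serial number alone, so vendor, product and connection time have to carry the identification.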

Background
Related Work
Methodology and Analysis
Conclusions and Future Work