Abstract

The timeline of the events surrounding an incident under investigation is one of the most important facets of a forensic examination. It is therefore often crucial to establish when a suspect USB device was connected to, or disconnected from, a system. A variety of forensic artifacts associated with the insertion and removal of USB devices are located in the Windows registry, the Windows event logs and other locations. The forensically important locations, methodology and techniques established for determining the traces left behind by USB device usage on Windows XP, Vista and Windows 7 may not carry over unchanged to later versions of Windows. This work studies the forensic artifacts related to the insertion and removal time stamps of Mass Storage Class (MSC), Media Transfer Protocol (MTP) and Picture Transfer Protocol (PTP) USB devices on the Windows 8 operating system. The Windows 8 registry and the Windows event logs are the principal artifact sources considered. The research identifies the Windows 8 registry keys, event log entries and related metadata that allow a forensic investigator to enumerate the first insertion and last removal time stamps of MSC, MTP and PTP enabled USB devices in a Windows 8 computing environment.
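The following PowerShell script is an added illustration of the kind of enumeration the abstract describes; it is not code from the paper. It walks the USBSTOR branch of the live Windows 8 registry, reads the per-instance device property subkeys that hold first-install, last-arrival and last-removal FILETIME values, and then pulls connect/disconnect events from the user-mode driver framework log. The Properties GUID {83da6326-97a6-4088-9453-a1923f573b29}, the property indices 0064/0066/0067, the event log name and the event IDs 2003/2100/2102 are taken from general Windows 8 USB forensics practice, not from this abstract, and should be treated as assumptions to verify on the system under examination. The EnumBranch parameter (default USBSTOR for MSC devices; USB for other device classes such as MTP/PTP) is likewise a generalisation made here.

```powershell
# Added example, not from the paper. Run from an elevated PowerShell prompt on Windows 8+.
# Assumptions (labelled): Properties GUID, property indices and event IDs below come from
# common USB-forensics references, not from the abstract; verify them on the target system.
$propGuid  = '{83da6326-97a6-4088-9453-a1923f573b29}'
$propNames = @{ '0064' = 'FirstInstall'; '0066' = 'LastArrival'; '0067' = 'LastRemoval' }

function Convert-FileTimeBytes {
    param([byte[]]$Bytes)
    # DEVPROP_TYPE_FILETIME is stored as an 8-byte little-endian FILETIME (UTC, 100 ns ticks since 1601)
    if ($null -eq $Bytes -or $Bytes.Length -lt 8) { return $null }
    return [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($Bytes, 0))
}

function Get-UsbDeviceTimestamps {
    param([string]$EnumBranch = 'USBSTOR')   # 'USBSTOR' for MSC devices; 'USB' also covers MTP/PTP (assumed)
    $root = "HKLM:\SYSTEM\CurrentControlSet\Enum\$EnumBranch"
    $results = @()
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $deviceKey = $_                       # e.g. Disk&Ven_...&Prod_...&Rev_...
        Get-ChildItem $deviceKey.PSPath -ErrorAction SilentlyContinue | ForEach-Object {
            $instKey = $_                     # instance id: device serial number or a generated id
            $inst = Get-ItemProperty $instKey.PSPath -ErrorAction SilentlyContinue
            $row = [ordered]@{
                Device = $deviceKey.PSChildName; Instance = $instKey.PSChildName
                FriendlyName = $inst.FriendlyName
                FirstInstall = $null; LastArrival = $null; LastRemoval = $null; Note = ''
            }
            foreach ($idx in $propNames.Keys) {
                $p = Join-Path $instKey.PSPath "Properties\$propGuid\$idx"
                try {
                    # the timestamp is the subkey's default value, returned by .NET as raw bytes
                    $raw = (Get-Item -LiteralPath $p -ErrorAction Stop).GetValue('')
                    $row[$propNames[$idx]] = Convert-FileTimeBytes $raw
                } catch {
                    # Properties keys are ACL'd to SYSTEM; run as SYSTEM or parse an offline SYSTEM hive.
                    # A missing subkey simply means that property was never written for this instance.
                    if ($_.Exception -is [System.Security.SecurityException]) {
                        $row.Note = 'Properties not readable as this user'
                    }
                }
            }
            $results += [pscustomobject]$row
        }
    }
    return $results
}

function Get-UsbEventLogTimeline {
    param([string]$SerialFragment)
    # This operational log is disabled by default on Windows 8; it only holds events if it was
    # enabled before the device was used. On an image, collect it from %SystemRoot%\System32\winevt\Logs.
    $log = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
    $ids = 2003, 2100, 2102   # assumed: 2003 = driver load on connect, 2100/2102 = PnP/power ops incl. removal
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids } -ErrorAction SilentlyContinue |
        Where-Object { -not $SerialFragment -or $_.Message -match [regex]::Escape($SerialFragment) } |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
        Sort-Object TimeCreated
}

# Usage: registry timestamps for MSC devices, then the event-log timeline for one serial number.
Get-UsbDeviceTimestamps | Format-Table -AutoSize
Get-UsbEventLogTimeline -SerialFragment '4C530001' | Format-Table -AutoSize   # serial is a placeholder
```

The registry values answer the "first insertion" and "last removal" questions directly, but they hold only one timestamp each, so every intermediate connect and disconnect must come from the event log, which is why the second function exists. Both sources are UTC; convert to the examined machine's time zone only when building the final timeline.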
