Blog: SANS Digital Forensics and Incident Response Blog

Blog: SANS Digital Forensics and Incident Response Blog

Computer Forensic Guide To Profiling USB Device Thumbdrives on Win7, Vista, and XP

Several times over the past year it has come up in a discussion about the key differences between examining USB Key/Thumbdrives on XP, VISTA, and Windows 7. We did an initial post several weeks ago, but found some new information and have updated our guides as a result. Thanks to SANS Digital Forensic Instructor Colin Cree for the wonderful feedback.

As a part of the SEC408: Computer Forensic Essentials course, we have an extensive section on residue left by USB Devices. I am providing a single guides to help you answer the key USB Key/Thumbdrive questions for your case covering XP, VISTA, and Win7.

ThumbDrive

How would you examine these keys? We recommend Access Data's Registry Viewer and Regripper. Even though you can get access to the data, there is not a tool that has this process automated yet. The guides will help you step through the keys/values in addition to the files you will need to correctly parse the data.

USB Device Forensics for Windows XP: DOWNLOAD


XP USB Key Guide


USB Device Forensics for Windows VISTA/WIN7: DOWNLOAD


VISTA USB Key Guide

__________________________________________________________________________

Rob Lee is a Director for MANDIANT, a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. Government. Rob has over 13 years experience in computer forensics, vulnerability discovery, intrusion detection and incident response. Rob is the lead course author and faculty fellow for the computer forensic courses at the SANS Institute.

2 Comments

Posted June 29, 2010 at 3:39 PM | Permalink | Reply

new here

Why are the 2 download links pointing to the same PDF file?

Posted July 11, 2010 at 10:12 AM | Permalink | Reply

Mark Woan

There is a tool: http://www.woanware.co.uk/usbdeviceforensics/

Post a Comment - Cancel Reply






* Indicates a required field.