SANS Digital Forensics and Incident Response Blog: Category - USB Device Analysis

RSA 2010 - Digital Forensic Analyst Notebook

The RSA Security Conference was held this week in San Francisco. The conference is jam-packed with sessions, whiteboarding events, demonstrations, and more. Here are my observations and interview sound bites. I was covering RSA San Francisco 2010 as a forensic analyst and co-host of The CyberJungle, a weekly live news and talk program on security, privacy, and the law.

Digital forensics is still the non-sexy topic at RSA Security. There were no dedicated forensics tracks for this conference. But computer forensics was mentioned now and then in session talks, although more often by the audience than by the speakers.

Smart Grid Forensics
For example, there was an industry panel on electric smart grid security standards. The panelists in this session did not have forensics on their agenda, but a member of the audience did. Gerry Brown is an independent forensics consultant.

...


Digital Forensics Case Leads: Carrier updates The Sleuth Kit

Welcome to the second installment of Digital Forensics Case Leads! This edition includes recently released updates to the popular Open Source digital forensics tools, Autopsy and The Sleuth Kit, an article by a lawyer-turned-computer-forensic-examiner and tips for uncovering Linux USB artifacts.

Tools:

  • Brian Carrier released an updated version of The Sleuth Kit (TSK 3.1.0) and its graphical browser-based front-end, Autopsy (Version 2.22). TSK includes HFS+ support and handles sectors that are not 512 bytes each. The current version of TSK also includes NTFS SID data, improved support for GPT partitions, AFFLIB formats and other new features.

Good Reads:


USB Key Analysis vs. USB Drive Enclosure Analysis

Computer Forensic Guide To Profiling USB Drive Enclosures on Win7, Vista, and XP

There has been much talk about USB Device Forensic Analysis. Many assume that analyzing a USB Key will be the same as analyzing a USB Drive Enclosure (e.g. USB Key Analysis = USB Drive Enclosure analysis). This is inaccurate.

USB Drive Enclosure


External

USB Key/Thumbdrive



Computer Forensic Guide To Profiling USB Device Thumbdrives on Win7, Vista, and XP

Several times over the past year, discussions have come up about the key differences between examining USB Key/Thumbdrives on XP, Vista, and Windows 7. We did an initial post several weeks ago, but found some new information and have updated our guides as a result. Thanks to SANS Digital Forensic Instructor Colin Cree for the wonderful feedback.

As a part of the SEC408: Computer Forensic Essentials course, we have an extensive section on residue left by USB Devices. I am providing a single guide to help you answer the key USB Key/Thumbdrive questions for your case covering XP, Vista, and Win7.