SANS Digital Forensics and Incident Response Blog: Tag - U3

The NOISY U3 Thumb Drive File Access behavior in Windows

So I have a timeline analysis. What file activity should I see when someone inserts a U3 type USB thumb drive in a computer? And why should I care?

I care because files accessed on the hard drive, or the "Recent Documents" history, may tie directly to the actual time the thumb drive was plugged in. It turns out that U3 thumb drives actually run programs and create logs when plugged in. This means you have file creation and/or modification all the time the drive is inserted. Not only that, but cleanup routines run after it is pulled out, whether you exit nicely or just jerk it out.

You may wish to corroborate other evidence you have, from the registry for example, concerning the insertion of a particular drive. Or you may find files or file remnants that will give you more information about the thumb drive that was inserted. To understand what happens on insertion, and to know where to look for files, I have used Filemon1 and recorded the file activity that

... Continue reading The NOISY U3 Thumb Drive File Access behavior in Windows