SANS Digital Forensics and Incident Response Blog: Tag - usb

Computer Forensic Guide To Profiling USB Device Thumbdrives on Win7, Vista, and XP

Several times over the past year the key differences between examining USB keys/thumb drives on XP, Vista, and Windows 7 have come up in discussion. We did an initial post several weeks ago, but have since found new information and updated our guides as a result. Thanks to SANS Digital Forensic Instructor Colin Cree for the wonderful feedback.

As part of the SEC408: Computer Forensic Essentials course, we have an extensive section on the residue left by USB devices. I am providing a single guide to help you answer the key USB key/thumb drive questions for your case, covering XP, Vista, and Win7.

The NOISY U3 Thumb Drive File Access behavior in Windows

So I have a timeline analysis. What file activity should I see when someone inserts a U3 type USB thumb drive in a computer? And why should I care?

I care because files accessed on the hard drive, or the "Recent Documents" history, may tie directly to the actual time the thumb drive was plugged in. It turns out that U3 thumb drives actually run programs and create logs when plugged in. This means you have file creation and/or modification for the whole time the drive is inserted. Not only that, but cleanup routines run after it is pulled out, whether you exit nicely or just jerk it out.

You may wish to corroborate other evidence you have, from the registry for example, concerning the insertion of a particular drive. Or you may find files or file remnants that will give you more information about the thumb drive that was inserted. To understand what happens on insertion, and to know where to look for files, I have used Filemon[1] and recorded the file activity that
