As I have been researching and investigating USB Forensics I put together a “Roadmap” for my own personal reference. I made it using Maltego Case File and refer to it every now and then when I am attempting to remember which artefacts lead to which artefacts!

This was designed around Windows 7/8.

The Disk Signature part is something I haven’t written about yet, but basically if you have a machine which does not have Readyboost turned on (usually when an SSD is present) then you will lose some artefacts. The disk signature would therefore replace the Volume Serial Number to prove if the disk has been formatted. There is a little more to it than that, as well as a couple of caveats, but I will save that for another blog post 🙂

For now, the USB Forensic Map