USB Forensic “Roadmap”

Posted on February 13, 2015 by HatsOffSecurity

As I have been researching and investigating USB Forensics I put together a “Roadmap” for my own personal reference. I made it using Maltego Case File and refer to it every now and then when I am attempting to remember which artefacts lead to which artefacts!

This was designed around Windows 7/8.

The Disk Signature part is something I haven’t written about yet, but basically if you have a machine which does not have Readyboost turned on (usually when an SSD is present) then you will lose some artefacts. The disk signature would therefore replace the Volume Serial Number to prove if the disk has been formatted. There is a little more to it than that, as well as a couple of caveats, but I will save that for another blog post 🙂

For now, the USB Forensic Map

USB_Forensics

Advertisement
This entry was posted in Cyber, Research, USB Forensics, Windows Forensics and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s