One of the key elements of forensic triage is dealing with inserted USB devices. The importance of uncovering artifacts associated with inserted USB devices is simple: it’s one of the most common, quickest and easiest means of stealing company intellectual property. Moreover, because the user doesn’t need to log in to any system, e.g., e-mail or cloud storage accounts, there is a misconception that copying to a USB device will leave little to no trace.
Behold: USB devices have serial numbers or unique instance identifiers, and operating systems like Windows record certain insertions along with the date and time and the Windows user profile under which the insertion occurred. Additional related artifacts include the drive letter Windows assigned to the USB device; the volume serial number and label of the formatted disk; and the device friendly name (aka model) and vendor name. Finally, an ancillary and very useful related item is the LNK (link) file, or shortcut file, which is created when a document is opened from the removable USB device.
After parsing out all of the USB-associated artifacts, the analyst is able to document signatures revealing actions such as which files were opened from the USB device, along with their chronology. Even if no LNK files were created by file access on the USB device, a review of documents accessed, modified and created just after insertion can be strong circumstantial evidence.
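As an added illustration (not code from the original article), the following Python parses the LinkInfo block of a Windows .lnk file per the MS-SHLLINK layout and recovers the drive type, volume serial number, volume label and local path that tie the shortcut back to the removable device, plus the target's size and last-write time from the header. The sample shortcut bytes, the label "KINGSTON", serial 1A2B3C4D and the path on drive E: are all constructed here.

```python
"""Minimal parser for the header and LinkInfo/VolumeID portion of a Windows .lnk
(MS-SHLLINK) file; the sample LNK bytes below are constructed, not real evidence."""
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x1, 0x2
DRIVE_TYPES = {2: "DRIVE_REMOVABLE", 3: "DRIVE_FIXED", 4: "DRIVE_REMOTE"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01) -> timezone-aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Return the forensically useful fields of a .lnk blob as a dict."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link header")
    write_time, file_size = struct.unpack_from("<QI", data, 44)   # WriteTime, FileSize
    result = {"target_size": file_size, "target_mtime": filetime_to_utc(write_time)}
    pos = 76                                                      # end of ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:                           # skip IDList when present
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                                     # offsets are LinkInfo-relative
        _, _, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                                        # VolumeIDAndLocalBasePath
            _, dtype, serial, label_off = struct.unpack_from("<IIII", data, pos + vol_off)
            label = data[pos + vol_off + label_off:].split(b"\x00", 1)[0]
            base = data[pos + base_off:].split(b"\x00", 1)[0]
            result.update(drive_type=DRIVE_TYPES.get(dtype, str(dtype)),
                          volume_serial=f"{serial:08X}", volume_label=label.decode("latin-1"),
                          local_base_path=base.decode("latin-1"))
    return result

def build_sample_lnk():
    """Constructed sample: a shortcut to a document opened from removable drive E:."""
    label = b"KINGSTON\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 2, 0x1A2B3C4D, 0x10) + label
    base = b"E:\\Contracts\\plan.docx\x00"
    vol_off, base_off = 28, 28 + len(volume_id)                  # LinkInfoHeaderSize is 28
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, 0x1, vol_off, base_off, 0,
                            suffix_off) + volume_id + base + b"\x00"
    mtime = ((datetime(2023, 5, 4, 9, 30, tzinfo=timezone.utc) - EPOCH_1601)
             // timedelta(microseconds=1)) * 10
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         0, 0, mtime, 48213, 0, 1, 0, 0, 0, 0)
    return header + link_info + b"\x00\x00\x00\x00"               # TerminalBlock ends ExtraData
```

Run `parse_lnk(open(path, "rb").read())` on a real shortcut from a user's Recent folder; a DRIVE_REMOVABLE entry whose volume serial matches the registry's USB volume record places that document on that device.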
For additional information contact e-forensics at our website or call (305) 667-4603.