Evidence surrounding the use of USB devices is an often sought-after forensic treasure trove, due to its verbosity in the operating system, as well as the Windows Registry.

For anyone who has been doing forensics for any period of time, you will be familiar with the location of USB device artifacts in the registry. Unfortunately, this evidence often can only withstand scrutiny in the absence of the USB devices being reported. The notion that we can determine what USB devices have ever been attached to a system, even though the devices are no longer present, is astonishing to the uninitiated. Remember that usually, USB investigation is happening in the complete absence of any of the USB devices being investigated. When the many, disparate breadcrumbs of usage are pulled together in a coherent assemblage of user activity, the results can be shocking in their clarity. The difficulty comes in attempting to make sense of all this data. Thank you to Daniel Dickerman and Chad Tilbury for initially sending me down this rabbit hole!

We have often started in the USBSTOR key, and then drilled down to identify the USB device. The issue has to do with incorrect, inconsistent, and poorly documented nomenclature
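As an added example (not code from the original post), the following Python parses USBSTOR subkey names of the form `Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>\<instance id>` into their fields, working from a constructed list of key paths as they would be exported from a SYSTEM hive; the test on the second character of the instance ID is the standard check for an ID that Windows generated because the device reported no unique serial.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: subkey paths as they would appear under
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR in an exported SYSTEM hive.
SAMPLE_USBSTOR_KEYS = [
    r"Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0",
    r"Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\6&2a1b3c4d&0&_&0",
    r"CdRom&Ven_Generic&Prod_Virtual_CD&Rev_1.0\0123456789ABCDEF&1",
]

# Device class ID: <type>&Ven_<vendor>&Prod_<product>&Rev_<revision>
CLASS_RE = re.compile(
    r"^(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^\\]*)$"
)

@dataclass
class UsbStorDevice:
    device_type: str
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: Optional[str]      # None when Windows generated the instance ID
    windows_generated: bool

def parse_usbstor_key(path: str) -> UsbStorDevice:
    class_id, _, instance_id = path.partition("\\")
    m = CLASS_RE.match(class_id)
    if not m:
        raise ValueError(f"unrecognised USBSTOR class id: {class_id!r}")
    # If the second character of the instance ID is '&', the device reported no
    # unique serial number and Windows synthesised the ID. Such an ID is tied to
    # this host and port, so it cannot be used to match the device across systems.
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    # Windows appends an "&<n>" suffix to a real serial; strip it to get the serial.
    serial = None if generated else instance_id.rsplit("&", 1)[0]
    return UsbStorDevice(m["type"], m["vendor"], m["product"], m["rev"],
                         instance_id, serial, generated)

def parse_usbstor(paths: List[str]) -> List[UsbStorDevice]:
    return [parse_usbstor_key(p) for p in paths]

if __name__ == "__main__":
    for dev in parse_usbstor(SAMPLE_USBSTOR_KEYS):
        tag = "host-generated id" if dev.windows_generated else f"serial {dev.serial}"
        print(f"{dev.device_type:<6} {dev.vendor} {dev.product} rev {dev.revision}: {tag}")
```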