Abstract
A USB mass storage device leaves many artifacts when it is connected to a system. These artifacts are persistent: they are retained even after the system has been shut down, and the information they contain may assist forensic analysis of a suspect system. In this paper, we demonstrate how Windows Event Viewer can be used to find forensic artifacts on a suspect system for investigative purposes. We also discuss the potential of the Windows registry to identify information about USB devices that have been connected to the system, to corroborate our findings from Windows Event Viewer. Finally, we use the Windows 10 file system to extract log details containing the setup information recorded when a USB device was connected to the system for the very first time, and obtain the necessary identifiers and timestamp details.
Subject
Electrical and Electronic Engineering,Computer Networks and Communications,Hardware and Architecture,Signal Processing,Control and Systems Engineering
Cited by
2 articles.
1. Safeguarding Log Data Integrity: Employing DES Encryption Against Manipulation Attempts;2023 4th International Conference on Intelligent Technologies (CONIT);2024-06-21
2. Automatic Forensic Imaging of a Virtual USB Device with Emulated User Interaction;2022 10th International Symposium on Digital Forensics and Security (ISDFS);2022-06-06