
USB Forensics

Universal Serial Bus flash drives, commonly known as USB flash drives, are the most common storage devices found as evidence in digital forensics investigations. A digital forensic investigation follows a defined procedure and must be performed in such a manner that the evidence isn’t destroyed.


The use of USB drives in the workplace may let malicious employees remove sensitive or confidential information from a system without authorization. This is where forensic examination of systems comes into the picture.


Using Registry Editor


This is a manual method for listing information about the last plugged-in USB storage devices. Press ‘Windows+R’ and type Registry Editor. The information can be found in the Windows registry at:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Details such as the last plugged-in USB devices, the vendor of the USB device, the product name, the serial number, and the version can be seen there.


 

Using PowerShell


This is also a manual method for finding artifacts. The same registry path can be used in PowerShell to get information on the last plugged-in USB devices, with the following command:

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*' | Select-Object FriendlyName
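
The command above returns only FriendlyName, while the vendor, product, version and serial number mentioned earlier are encoded in the USBSTOR subkey names themselves. The following is an added example, not part of the original post, that parses those names into separate fields; the function name ConvertFrom-UsbStorKey and the sample key names are constructed for illustration.

```powershell
# Added example: split USBSTOR key names into the fields an examiner reports.
function ConvertFrom-UsbStorKey {
    param(
        [Parameter(Mandatory)][string]$DeviceKey,    # <Type>&Ven_<vendor>&Prod_<product>&Rev_<rev>
        [Parameter(Mandatory)][string]$InstanceKey,  # serial number plus "&<n>" suffix
        [string]$FriendlyName
    )
    $parts  = $DeviceKey -split '&'
    $fields = @{ Ven = $null; Prod = $null; Rev = $null }
    foreach ($p in ($parts | Select-Object -Skip 1)) {
        if ($p -match '^(Ven|Prod|Rev)_(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    # '&' as the second character means the device reported no serial number and
    # Windows generated the ID, so it does not identify one physical drive.
    $generated = $InstanceKey.Length -gt 1 -and $InstanceKey[1] -eq '&'
    [pscustomobject]@{
        DeviceType      = $parts[0]
        Vendor          = $fields.Ven
        Product         = $fields.Prod
        Revision        = $fields.Rev
        Serial          = if ($generated) { $null } else { $InstanceKey -replace '&\d+$', '' }
        SerialGenerated = $generated
        FriendlyName    = $FriendlyName
    }
}

# Constructed sample key names (not taken from a real system).
$samples = @(
    @{ DeviceKey = 'Disk&Ven_ExampleCo&Prod_Flash_Drive&Rev_1.00'; InstanceKey = '0123456789ABCDEF&0' }
    @{ DeviceKey = 'Disk&Ven_Generic&Prod_Mass_Storage&Rev_2.10';  InstanceKey = '7&1a2b3c4d&0' }
)
foreach ($s in $samples) { ConvertFrom-UsbStorKey @s }

# On a live Windows host, parse the real entries under the key named above.
$root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
if (Test-Path $root) {
    foreach ($dev in Get-ChildItem $root) {
        foreach ($inst in Get-ChildItem $dev.PSPath) {
            ConvertFrom-UsbStorKey -DeviceKey $dev.PSChildName -InstanceKey $inst.PSChildName `
                -FriendlyName $inst.GetValue('FriendlyName')
        }
    }
}
```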

 

Using USBDeview


For an automated way to find artifacts, you can download USBDeview. This tool gives you a graphical view of which USB devices were connected to the system.



