
USB Forensics

Universal Serial Bus flash drives, commonly known as USB flash drives, are the most common storage devices found as evidence in digital forensics investigations. A digital forensic investigation follows a defined procedure, which must be performed in such a manner that the evidence isn’t destroyed.

The use of USB drives in the workplace may let malicious employees remove sensitive or confidential information from a system without authorization. This is where forensic examination of systems comes into the picture.

Using Registry Editor

This is a manual method to easily list information about the last plugged-in USB storage devices. Press ‘Windows+R’ and type Registry Editor. This information can be found in the Windows registry at:

HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

Details such as the last plugged-in USB devices, the vendor of the USB device, the product name, the serial number, and the version can be seen here.


Using PowerShell

This is also a manual method to find artifacts. The same path can be used in PowerShell to get information on the last plugged-in USB devices, with the following command:

Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | Select FriendlyName
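
The following PowerShell is an added example, not part of the original post: it reads the same USBSTOR path and splits each key name into the vendor, product, version and serial number mentioned above. The function names ConvertFrom-UsbStorKey and Get-UsbStorHistory and the sample key names are constructed for illustration; the code assumes the usual USBSTOR layout, where the device key is named Disk&Ven_...&Prod_...&Rev_... and each subkey under it is named after the device's serial number.

```powershell
# Added example: function names and sample values are constructed for illustration.
function ConvertFrom-UsbStorKey {
    param(
        [Parameter(Mandatory)][string]$DeviceKey,    # e.g. Disk&Ven_X&Prod_Y&Rev_Z
        [Parameter(Mandatory)][string]$InstanceKey,  # serial number, usually with an &N suffix
        [string]$FriendlyName
    )
    # Pull the Ven_/Prod_/Rev_ fields out of the device key name.
    $fields = @{}
    foreach ($part in ($DeviceKey -split '&')) {
        if ($part -match '^(Ven|Prod|Rev)_(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        Vendor       = $fields['Ven']
        Product      = $fields['Prod']
        Version      = $fields['Rev']
        Serial       = $InstanceKey -replace '&\d+$', ''
        # '&' as the second character means the device reported no serial number
        # and Windows generated the instance ID itself.
        UniqueSerial = $InstanceKey -notmatch '^.&'
        FriendlyName = $FriendlyName
    }
}

function Get-UsbStorHistory {
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR')
    if (-not (Test-Path $Root)) { return }   # no USB storage recorded, or not Windows
    foreach ($device in Get-ChildItem -Path $Root) {
        foreach ($instance in Get-ChildItem -Path $device.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
            ConvertFrom-UsbStorKey -DeviceKey $device.PSChildName `
                -InstanceKey $instance.PSChildName -FriendlyName $props.FriendlyName
        }
    }
}

# Constructed sample key names, so the parser can be checked without a live registry.
ConvertFrom-UsbStorKey -DeviceKey 'Disk&Ven_ExampleCo&Prod_Flash_Drive&Rev_1.00' `
    -InstanceKey '0123456789ABCDEF&0' -FriendlyName 'ExampleCo Flash Drive USB Device'

# Live system: one object per USB storage device recorded under USBSTOR.
Get-UsbStorHistory
```

A row with UniqueSerial set to False cannot be tied to one physical device by its serial alone, so it should be correlated with other artifacts before being cited as evidence.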


Using USBDeview

To use an automatic method to find artifacts, you can download USBDeview. This tool gives you an automated, graphical view of which USB devices were connected to the system.
