Windows USB Forensics

October 19, 2016 | Views: 6988


Today, I’m going to tell you about Windows USB and removable media forensics. Whenever we connect an external removable media device to a laptop or PC, Windows generates registry entries which contain a lot of information, such as the device name, device type and manufacturer name, as well as information about the last device connected to the PC. This type of information is very useful when doing computer forensics and building a chain of events to solve a cyber crime or any prohibited activity on that particular PC. We can collect information about all the devices that have ever been connected to the PC.
The registry entries for USB are stored at the following locations in the registry. One can open the registry by pressing Ctrl+R, typing “regedit” in the Run box and then pressing “Enter”.

HKLM\System\CurrentControlSet\Enum\USBSTOR

And

HKLM\System\CurrentControlSet\Enum\USB

One can go to these locations to examine the registry entries manually, but tools make this task much easier. One can use tools like USBDeview and USBHistorian to analyze these entries. Below is a picture of USBDeview.

[Image: USBDeview screenshot]

As you can see, this tool presents all the information in an easy-to-read format. Another thing I like about this tool is that you can filter the results by going into “Options” and selecting the desired option. It is also worth mentioning that the tool can generate HTML reports. It is freely available on the internet: one can visit www.nirsoft.net and download it.
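For examining the USBSTOR entries without a GUI tool, the following added example (not part of the original article or of USBDeview) parses the text printed by `reg query "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR" /s` into device type, vendor, product, revision, serial and FriendlyName. The sample input is constructed, the function name `parse_usbstor` is hypothetical, and the "`&` as second character" check is the commonly documented sign that Windows generated the instance ID because the device had no unique serial.

```python
import re

# Constructed sample, in the layout printed by:
#   reg query "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR" /s
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567891234&0
    FriendlyName    REG_SZ    SanDisk Cruzer Blade USB Device
    Service    REG_SZ    disk

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0
    FriendlyName    REG_SZ    Generic Flash Disk USB Device
"""

# ...\USBSTOR\<Type>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
KEY_RE = re.compile(
    r"\\Enum\\USBSTOR\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)&Rev_(?P<revision>[^\\]*)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)

def parse_usbstor(text):
    """Return one dict per device instance key found in `reg query /s` output."""
    devices, current = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            match = KEY_RE.search(line.rstrip())
            current = None  # deeper subkeys and class-level keys are skipped
            if match:
                current = match.groupdict()
                instance = current["instance"]
                # Drop the trailing "&<n>" suffix to get the serial portion.
                current["serial"] = instance.rsplit("&", 1)[0]
                # "&" as second character: Windows generated the ID because
                # the device reported no unique serial number.
                current["unique_serial"] = instance[1:2] != "&"
                current["values"] = {}
                devices.append(current)
        elif current is not None and line.startswith("    "):
            parts = line.strip().split("    ", 2)  # name, type, data
            if len(parts) == 3:
                current["values"][parts[0]] = parts[2]
    return devices

if __name__ == "__main__":
    for dev in parse_usbstor(SAMPLE):
        print(dev["vendor"], dev["product"], dev["serial"],
              dev["unique_serial"], dev["values"].get("FriendlyName"))
```

A serial flagged as not unique identifies the device only on that machine, so it should not be used to correlate the same drive across several computers.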

24 Comments
  1. I did not understand. Can you make a video application, my stadium. Thank you.

  2. Doesn’t really cover forensics.

    All you have shown is the first step of seeing what devices have been connected to the computer in the registry. You haven’t covered the text ini files you need to check to establish when the USB device was first and last connected to the computer (essential for building a timeline) or where you need to look in the registry to ascertain which user plugged the USB device in.

    Poor job! More an advert for a particular tool than a tutorial

  3. Simple and straightforward. Good one.

  4. Good to know, thank you.
