Today, I’m going to tell you about Windows USB and removable media forensics. Whenever we connect an external removable media device to a laptop or PC, Windows generates registry entries that contain a lot of information, such as the device name, device type and manufacturer name, as well as information about the last device connected to the PC. This type of information is very useful when doing computer forensics and building a chain of events to solve a cyber crime or investigate any prohibited activity on that particular PC. We can collect information about all the devices that have ever been connected to the PC.
The registry entries for USB are stored at the following locations in the registry. One can open the registry by pressing Ctrl+R, typing “regedit” in the Run box and then pressing “Enter”.
One can go to these locations to examine the registry entries manually, but tools make this task much easier. Tools such as USBDeview and USBHistorian can be used to analyze these entries. Below is a picture of USBDeview.
As you can see, this tool presents all the information in an easy-to-read format. Another thing I like about this tool is that you can filter the results by going into “options” and selecting the desired option. It is also worth mentioning that the tool can generate HTML reports. It is freely available on the internet; one can visit www.nirsoft.net to download it.