13.1 USBSTOR

00:00

hello and welcome back to the course In the previous model, we analyzed some of the we lost artifacts or key location in the system for the restructure where investigator can find potential evidence. We talk about how information sent to use the devices can be very important in this mortal.

00:18

We're going to dig into these by analyzing the history of USB devices. The have been plugged into the system.

00:26

USB device History can be a great source off evidence with an examiner needs to the term e If on why an external device was connected to a system,

00:38

it can also help investigators understand how USB devices have been used on a given system. On possibly explain how a suspect may have used a USB device in the Commission off a crime or easy It

00:55

U S V device analysis come very depending on the version off the radio system on the type of USB device connected, it can be used. The master's device. Remove the storage or MTP device.

01:10

The type of device will dictate which drivers have been installed on the system on how well those handless the device

01:19

youthfully examiners will find variable evidence in USB mass Torres devices, but should still be familiar with other device types on how they're 100.

01:30

Typically for us, be Masters devices. Examiners need to collect details from multiple locations in orderto underlies USB activity on a Windows Machine

01:44

registry Keys Track East Mountain volume on a sign drive later used by the NT F S. Five system. Information concerning any external devices. Socially useful devices, CD DVD rooms, external memory cars, digital cameras, among others

02:02

that had previously been attached. The system

02:07

will be recorded in certain trees. Three keys

02:09

on a life system, regulate or for Easter. Commander, come be room for a USB device to access these keys.

02:19

Please note that inserting this USB device will also make changes to the registry. The keys can be exported directly from life system on saved US readable text fights.

02:31

The suit keys are the serial numbers off devices that have been attached to the system.

02:38

Issue off the suit keys. We record the most recent time I use Villa Vice was attached on will also provide the date on time that the device was originally attached to the system.

02:53

Whenever any device is connected to a USB port, drivers are queried on a suit key, which includes the device. Name is created under these key.

03:04

Another suit key consistent off the serial number off the device is also created.

03:09

The first and last times that each device was attached are also recorded it. Sookie.

03:19

Yes, The store contains details on the vendor on brand off the USB device connected along with the serial number off the device whose can be used to mash the mounted rife letter. You, sir, on the first and last connected times off the device.

03:37

The amount of devices key allows investigators to mash the device serial number to the Given Dr Player or volume that WAAS mounted when the U. S V device was inserted.

03:50

If several U. S V devices have been added, examiners may not be able to identify the drive letter. Since the March, Dr Letter will only display the serial number for the most recently mounted device.

04:05

The mountain boys, too

04:08

we reveal with user waas look in on active. When the U. S V device was connected,

04:15

Mount points to lead off the device I d. S there are particular use are connected, so you may need to search through is anti user, though that high on the system tau identify with user connected a particular device.

04:31

The USB key from the system's haIf provide examiners with Bender on Brooke I. The information for a given device on also identifies the last time the USB device was connected to the system.

04:46

You think the last right time on the key off the device serial number examiners can identify the last time it was connected.

04:57

The file used be stored that sees is located in the folder see Windows System 32 drivers.

05:05

We can use special tools to analyze the content off it.

05:12

Okay, here is the most nights I smell question for you.

05:15

Whiskey allows investigators to mash the device serial number to the Given Dr letter or volume that was mounted when the U. S V device was inserted. Is it a mounted devices or be mounted rise? Or maybe sea mounts? Points toe? Or maybe the mount discs, too.

05:34

If you said a you're correct, B is not a real softie, explains say musty. The answer, see refers to the information about the user that wasthe lot in on active. When the USB device was collected.

05:49

Reese turkeys are an important source of information and compound. So significant evidence in a forensic examination. Now we we strife. We're connected in a crime. Good, soft, many mysteries

06:03

because most of the time the information in the drive is not available in the local machine.