Surviving Digital Forensics: Resolving Attached USBs

A forensic guide for linking USB activity to Windows computer systems
4.4 (24 ratings)
232 students enrolled
Last updated 4/2015
  • 1 hour on-demand video
  • 5 Articles

All SDF courses may now be found at SUMURI.COM. This course will remain live in UDEMY for existing students.

Have you ever been asked to find out what the "F" drive is? Have you ever needed to prove a USB drive was attached to a target system? Collecting and presenting this information is a core skill all computer forensic analysts need to know. If you have ever struggled with this, then this class is for you. This course breaks down the process of collecting and interpreting the data necessary to make the connection between USB devices and Windows systems.

Using all freely available tools, this course walks you through the process of identifying USB devices that have been attached to a system and shows you how to determine the times they were attached, what the volume names are, what the assigned drive letters were and which user mounted the USB volumes - all of this in about an hour.

Who is the target audience?
  • Computer forensic analysts
  • IT Professionals
  • Students
What Will I Learn?
Learn to find information about attached USB devices on Windows 7 & Windows 8 systems
Learn how to tie a specific User account to USB activity
Learn to identify when USB devices were first and last attached to the system
Learn how to discover the volume name and assigned drive letter of attached USB devices
Learn how to extract data that will identify the make and model of attached USB devices
Learn to do all of this using freely available computer forensic tools
  • Windows 7+ computer system
  • Basic computer forensic fundamentals
  • Basic Windows forensics fundamentals
Curriculum For This Course
35 Lectures 01:01:11
3 Lectures 11:47

A little bit about this course and what we will be doing.

Preview 03:34

Some tips to maximize your training.

Preview 03:08
Overview of the Analysis Process
11 Lectures 17:26

Our goal is to answer certain questions about the attached USB devices on our target system. In addition, I list the tools we are going to use.

Task at-Hand & Tools

You will be provided with test files for the class. In this section I will walk you through how I set up the test files to put some context behind the data we will extract from the artifacts.

Experiment Setup - Optional

This is a brief overview of the Windows artifacts we will be analyzing.

Forensic Artifacts

Overview of the artifacts that store details about the serial numbers of attached USB devices and the time those devices were first attached to the Windows system.

USB Serial Numbers & First Time Attached to System

This section provides a brief overview of what VIDs and PIDs are and how to resolve them.


Brief overview of how to identify the volume drive letters of attached USB devices.

Volume Drive Letters

Brief overview of how to identify USB GUIDs.

GUID Identification

A brief overview of how to identify the name of an attached USB volume.

Volume Name Identification

A brief overview of how to tie in user activity to an attached USB.

Tying in User Activity

An overview of the artifact that tells us the last time a USB device was attached since last boot.

Identifying the Last time USB was Attached

Conclusion of the data we have harvested using this method.

Harvested Data
3 Lectures 00:13


Practical Files
Practical Exercises
15 Lectures 27:30

Forensic tools and Windows artifacts I will be using for the exercises.

Forensic Tools & Artifacts

Do not forget to turn on the ability to view hidden files and folders on your test system.

View Hidden Files

About the USB worksheet I will be using.

USB Worksheet

In this section I navigate to the location of the evidence files we need to resolve USB evidence. This is something that you will do in practice so I thought I would include it so you can see exactly where to go and what to extract.

Evidence Artifact Locations

USBView is a freely available tool that can be used to gather details about attached USB devices on a live Windows system. You may also use it for validation purposes.


This section shows the step-by-step process of identifying attached USB serial numbers and the times these USB devices were first attached to a Windows system.

USB Serial Numbers & First Attached Times

It is important to be able to identify the correct CurrentControlSet in the System hive and in this section I show you the steps to do it.

Identifying the Correct CurrentControlSet

The first time a USB device was attached to a Windows system is also recorded in the file. In this next section we take a closer look.

First Attach Time Recorded in Log File

In this section we look at the artifact that identifies the Vendor identification number (VID) and Product identification number (PID) as well as how to find out more information about the USB device based on this information.

VID & PID Resolution

This section covers how to identify the volume drive letter of the attached USB device.

USB Volume Drive Letter

Next up is obtaining the GUIDs for our attached USB devices. This will help us associate the USB activity we have identified thus far with a specific user account.


In this section we are going to look at the artifact that records the name of the USB volume.

USB Volume Name

This section covers the artifact we examine in order to determine which user account is responsible for certain USB activity.

Tying in a User Account

This section examines the artifact that indicates the time the device was last attached after the most recent start-up process.

Last Attached Time Since Boot

Let's review the information we harvested from each of the Windows artifacts.

USB Worksheet Review

Comprehension Quiz
7 questions
Student Practical Skills Assessment Test
2 Lectures 00:49
Student Practical Assessment

Practical Assessment Quiz
4 questions

Here is a worksheet with the answers to the practical assessment.

1 Lecture 03:14

Thanks for taking this class, I hope you enjoyed it.

Check out the SDF Blog at

Follow me on Twitter:

Thank you and final thoughts
About the Instructor
3.9 Average rating
288 Reviews
2,245 Students
15 Courses
Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.
