Surviving Digital Forensics: Resolving Attached USBs

A forensic guide for linking USB activity to Windows computer systems
4.4 (24 ratings)
Instead of using a simple lifetime average, Udemy calculates a
course's star rating by considering a number of different factors
such as the number of ratings, the age of ratings, and the
likelihood of fraudulent ratings.
232 students enrolled
Take This Course
  • Lectures 35
  • Length 1 hour
  • Skill Level All Levels
  • Languages English
  • Includes Lifetime access
    30 day money back guarantee!
    Available on iOS and Android
    Certificate of Completion
Wishlisted Wishlist

How taking a course works


Find online courses made by experts from around the world.


Take your courses with you and learn anywhere, anytime.


Learn and practice real-world skills and achieve your goals.

About This Course

Published 4/2015 English

Course Description

All SDF courses may now be found at SUMURI.COM. This course will remain live in UDEMY for existing students.

Have you ever been asked to find out what the "F" drive is? Have you ever needed to prove a USB drive was attached to a target system? Collecting and presenting this information is a core skill all computer forensic analysts need know. If you have ever struggled with this then this class is for you. This course breaks down the process of collecting and interpreting the data necessary to make the connection between USB device and Windows systems.

Using all freely available tools, this course walks you through the process of identifying USB devices that have been attached to a system and shows you how to determine the times they were attached, what the volume names are, what the assigned drive letters were and which user mounted the USB volumes - all of this in about an hour.

What are the requirements?

  • Windows 7+ computer system
  • Basic computer forensic fundamentals
  • Basic Windows forensics fundamentals

What am I going to get from this course?

  • Learn to find information about attached USB devices on Windows 7 & Windows 8 systems
  • Learn how to tie a specific User account to USB activity
  • Learn to identify when USB devices were first and last attached to the system
  • Learn how to discover the volume name and assigned drive letter of attached USB devices
  • Learn how to extract data that will identify the make and model of attached USB devices
  • Learn to do all of this using freely available computer forensic tools

Who is the target audience?

  • Computer forensic analysts
  • IT Professionals
  • Students

What you get with this course?

Not for you? No problem.
30 day money back guarantee.

Forever yours.
Lifetime access.

Learn on the go.
Desktop, iOS and Android.

Get rewarded.
Certificate of completion.


Section 1: Introduction
Welcome to the SDF Series!

A little bit about this course and what we will be doing.


Some tips to maximize your training.

Section 2: Overview of the Analysis Process

Our goal is to answer certain questions about the attached USB devices on our target system. In addition, I list the tools we are going to use.


You will be provided with test files for the class. In this section I will walk you through how I set up the test files to put some context behind the data we will extract from the artifacts.


This is a brief overview of the Windows artifacts we will be analyzing.


Overview of the artifacts that store details about the serial numbers of attached USB devices and the time those devices were first attached to the Windows system.


This section provides a brief overview of what VIDS and PIDS are and how to resolve them.


Brief overview of how to identify the volume drive letters of attached USB devices.


Brief overview of how to identify USB GUIDs.


A brief overview of how to identify the name of an attached USB volume.


A brief overview of how to tie in user activity to an attached USB.


An overview of the artifact that tells us the last time a USB device was attached since last boot.


Conclusion of the data we have harvested using this method.

Section 3: Downloads
Practical Files
Section 4: Practical Exercises

Forensic tools and Windows artifacts I will be using for the exercises.


Do not forget to turn on the ability to view hidden files and folders on your test system.


About the USB worksheet I will be using.


In this section I navigate to the location of the evidence files we need to resolve USB evidence. This is something that you will do in practice so I thought I would include it so you can see exactly where to go and what to extract.


USBView is a freely available tool that can be used to gather details about attached USB devices on a live Windows system. You may also use it for validation purposes.


This section shows the step-by-step process of identifying attached USB serial numbers and the times these USB devices were first attached to a Windows system.


It is important to be able to identify the correct CurrentControlSet in the System hive and in this section I show you the steps to do it.


The first time a USB device was attached to a Windows system is also recorded in the file. In this next section we take a closer look.


In this section we look at the artifact that identifies the Vendor identification number (VID) and Product identification number (PID) as well as how to find out more information about the USB device based on this information.


This section covers how to identify the volume drive letter of the attached USB device.


Next up is obtaining the GUIDs for our attached USB devices. This will help us associate the USB activity we have identified thus far with a specific user account.


In this section we are going to look at the artifact that records the name of the USB volume.


This section covers the artifact we examine in order to determine which user account is responsible for certain USB activity.


This section examines the artifact that indicates the time the device was last attached after the most recent start-up process.


Let's review the information we harvested from each of the Windows artifacts.

Comprehension Quiz
7 questions
Section 5: Student Practical Skills Assessment Test
Student Practical Assessment
Practical Assessment Quiz
4 questions

Here is a worksheet with the answers to the practical assessment.

Section 6: Conclusion

Thanks for taking this class, I hope you enjoyed it.

Check out the SDF Blog at

Follow me on Twitter:

Students Who Viewed This Course Also Viewed

  • Loading
  • Loading
  • Loading

Instructor Biography

Michael Leclair, Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.

Ready to start learning?
Take This Course