All SDF courses may now be found at SUMURI.COM. This course will remain live in UDEMY for existing students.
Have you ever been asked to find out what the "F" drive is? Have you ever needed to prove a USB drive was attached to a target system? Collecting and presenting this information is a core skill all computer forensic analysts need to know. If you have ever struggled with this, then this class is for you. This course breaks down the process of collecting and interpreting the data necessary to make the connection between a USB device and a Windows system.
Using only freely available tools, this course walks you through the process of identifying USB devices that have been attached to a system and shows you how to determine the times they were attached, what the volume names are, what the assigned drive letters were and which user mounted the USB volumes - all of this in about an hour.
Our goal is to answer certain questions about the attached USB devices on our target system. In addition, I list the tools we are going to use.
You will be provided with test files for the class. In this section I will walk you through how I set up the test files to put some context behind the data we will extract from the artifacts.
This is a brief overview of the Windows artifacts we will be analyzing.
Overview of the artifacts that store details about the serial numbers of attached USB devices and the time those devices were first attached to the Windows system.
This section provides a brief overview of what VIDs and PIDs are and how to resolve them.
Brief overview of how to identify the volume drive letters of attached USB devices.
Brief overview of how to identify USB GUIDs.
A brief overview of how to identify the name of an attached USB volume.
A brief overview of how to tie in user activity to an attached USB.
An overview of the artifact that tells us the last time a USB device was attached since last boot.
Conclusion of the data we have harvested using this method.
Forensic tools and Windows artifacts I will be using for the exercises.
Do not forget to turn on the ability to view hidden files and folders on your test system.
About the USB worksheet I will be using.
In this section I navigate to the location of the evidence files we need to resolve USB evidence. This is something that you will do in practice so I thought I would include it so you can see exactly where to go and what to extract.
USBView is a freely available tool that can be used to gather details about attached USB devices on a live Windows system. You may also use it for validation purposes.
This section shows the step-by-step process of identifying attached USB serial numbers and the times these USB devices were first attached to a Windows system.
It is important to be able to identify the correct CurrentControlSet in the System hive, and in this section I show you the steps to do it.
The first time a USB device was attached to a Windows system is also recorded in the Setupapi.dev.log file. In this next section we take a closer look.
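As an added example (not part of the course materials), the following Python parses constructed setupapi.dev.log entries and recovers the first "Device Install (Hardware initiated)" timestamp per USBSTOR device; the device names, serials and timestamps are made-up sample values.

```python
import re
from datetime import datetime

# Constructed sample of setupapi.dev.log entries (not real evidence).
# The log normally lives at C:\Windows\inf\setupapi.dev.log. Each install
# opens with a "Device Install (Hardware initiated)" header that names the
# device instance path, followed by a "Section start" line with the local time.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001234567890123]
>>>  Section start 2015/03/11 10:22:14.001
<<<  Section end 2015/03/11 10:22:15.100
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2015/03/11 10:22:15.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2015/03/11 10:22:18.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\001CC0EC34D3BB31F0000010&0]
>>>  Section start 2015/03/12 08:05:42.789
<<<  Section end 2015/03/12 08:05:45.000
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2015/03/20 17:40:02.500
<<<  Section end 2015/03/20 17:40:03.900
<<<  [Exit status: SUCCESS]
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def first_install_times(log_text):
    """Return {device_instance_path: datetime} for USBSTOR installs.

    The log is append-only and a device can be reinstalled later (driver
    update, different port), so only the earliest timestamp per device is kept:
    that is the first-attach time this artifact can support."""
    results = {}
    pending = None  # instance path from the most recent header line
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            pending = header.group(1)
            continue
        start = START_RE.match(line)
        if start and pending is not None:
            ts = datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S.%f")
            if pending.upper().startswith("USBSTOR\\"):
                if pending not in results or ts < results[pending]:
                    results[pending] = ts
            pending = None
    return results


def serial_from_instance_path(path):
    """Extract the serial number segment of a USBSTOR instance path,
    dropping the '&0' instance suffix Windows appends to it."""
    last = path.split("\\")[-1]
    return last.rsplit("&", 1)[0] if "&" in last else last
```

Cross-check these timestamps against the USBSTOR keys in the System hive; agreement between the two artifacts is what makes the first-attach time defensible.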
In this section we look at the artifact that identifies the Vendor identification number (VID) and Product identification number (PID) as well as how to find out more information about the USB device based on this information.
This section covers how to identify the volume drive letter of the attached USB device.
Next up is obtaining the GUIDs for our attached USB devices. This will help us associate the USB activity we have identified thus far with a specific user account.
In this section we are going to look at the artifact that records the name of the USB volume.
This section covers the artifact we examine in order to determine which user account is responsible for certain USB activity.
This section examines the artifact that indicates the time the device was last attached after the most recent start-up process.
Let's review the information we harvested from each of the Windows artifacts.
Here is a worksheet with the answers to the practical assessment.
Thanks for taking this class, I hope you enjoyed it.
Check out the SDF Blog at http://sumuri.com/category/surviving-digital-forensics/
Follow me on Twitter: https://twitter.com/LeclairDF
Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.
Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+
Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.