Surviving Digital Forensics: Resolving Attached USBs
A forensic guide for linking USB activity to Windows computer systems
4.3 (28 ratings)
232 students enrolled
Created by Michael Leclair
Last updated 5/2015
English
Price: $150
30-Day Money-Back Guarantee
Includes:
  • 1 hour on-demand video
  • 5 Articles
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
What Will I Learn?
  • Learn to find information about attached USB devices on Windows 7 & Windows 8 systems
  • Learn how to tie a specific User account to USB activity
  • Learn to identify when USB devices were first and last attached to the system
  • Learn how to discover the volume name and assigned drive letter of attached USB devices
  • Learn how to extract data that will identify the make and model of attached USB devices
  • Learn to do all of this using freely available computer forensic tools
Requirements
  • Windows 7+ computer system
  • Basic computer forensic fundamentals
  • Basic Windows forensics fundamentals
Description

All SDF courses may now be found at SUMURI.COM. This course will remain live in UDEMY for existing students.

Have you ever been asked to find out what the "F" drive is? Have you ever needed to prove a USB drive was attached to a target system? Collecting and presenting this information is a core skill all computer forensic analysts need to know. If you have ever struggled with this, then this class is for you. This course breaks down the process of collecting and interpreting the data necessary to make the connection between a USB device and a Windows system.

Using all freely available tools, this course walks you through the process of identifying USB devices that have been attached to a system and shows you how to determine the times they were attached, what the volume names are, what the assigned drive letters were and which user mounted the USB volumes - all of this in about an hour.

Who is the target audience?
  • Computer forensic analysts
  • IT Professionals
  • Students
Curriculum For This Course
35 Lectures
01:01:11
Introduction
3 Lectures 11:47

A little bit about this course and what we will be doing.

Preview 03:34

Some tips to maximize your training.

Preview 03:08
Overview of the Analysis Process
11 Lectures 17:26

Our goal is to answer certain questions about the attached USB devices on our target system. In addition, I list the tools we are going to use.

Task at-Hand & Tools
01:50

You will be provided with test files for the class. In this section I will walk you through how I set up the test files to put some context behind the data we will extract from the artifacts.

Experiment Setup - Optional
02:55

This is a brief overview of the Windows artifacts we will be analyzing.

Forensic Artifacts
01:28

Overview of the artifacts that store details about the serial numbers of attached USB devices and the time those devices were first attached to the Windows system.

USB Serial Numbers & First Time Attached to System
03:41

This section provides a brief overview of what VIDs and PIDs are and how to resolve them.

VIDs & PIDs
01:46

Brief overview of how to identify the volume drive letters of attached USB devices.

Volume Drive Letters
01:13

Brief overview of how to identify USB GUIDs.

GUID Identification
00:42

A brief overview of how to identify the name of an attached USB volume.

Volume Name Identification
00:51

A brief overview of how to tie in user activity to an attached USB.

Tying in User Activity
01:28

An overview of the artifact that tells us the last time a USB device was attached since last boot.

Identifying the Last Time a USB Was Attached
00:36

Conclusion of the data we have harvested using this method.

Harvested Data
00:56
Downloads
3 Lectures 00:13
Tools
00:02

Worksheet
00:08

Practical Files
00:02
Practical Exercises
15 Lectures 27:30

Forensic tools and Windows artifacts I will be using for the exercises.

Forensic Tools & Artifacts
01:28

Do not forget to turn on the ability to view hidden files and folders on your test system.

View Hidden Files
01:02

About the USB worksheet I will be using.

USB Worksheet
00:41

In this section I navigate to the location of the evidence files we need to resolve USB evidence. This is something that you will do in practice so I thought I would include it so you can see exactly where to go and what to extract.

Evidence Artifact Locations
02:52

USBView is a freely available tool that can be used to gather details about attached USB devices on a live Windows system. You may also use it for validation purposes.

USBView
02:55

This section shows the step-by-step process of identifying attached USB serial numbers and the times these USB devices were first attached to a Windows system.

USB Serial Numbers & First Attached Times
03:28

It is important to be able to identify the correct CurrentControlSet in the System hive, and in this section I show you the steps to do it.

Identifying the Correct CurrentControlSet
01:02

The first time a USB device was attached to a Windows system is also recorded in the Setupapi.dev.log file. In this next section we take a closer look.

First Attach Time Recorded in Log File
01:17

In this section we look at the artifact that identifies the vendor identification number (VID) and product identification number (PID), as well as how to find out more information about the USB device based on these values.

VID & PID Resolution
03:34

This section covers how to identify the volume drive letter of the attached USB device.

USB Volume Drive Letter
01:50

Next up is obtaining the GUIDs for our attached USB devices. This will help us associate the USB activity we have identified thus far with a specific user account.

USB GUIDs
01:27

In this section we are going to look at the artifact that records the name of the USB volume.

USB Volume Name
01:20

This section covers the artifact we examine in order to determine which user account is responsible for certain USB activity.

Tying in a User Account
02:28

This section examines the artifact that indicates the time the device was last attached after the most recent start-up process.

Last Attached Time Since Boot
01:14

Let's review the information we harvested from each of the Windows artifacts.

USB Worksheet Review
00:52

Comprehension Quiz
7 questions
Student Practical Skills Assessment Test
2 Lectures 00:49
Student Practical Assessment
00:47

Practical Assessment Quiz
4 questions

Here is a worksheet with the answers to the practical assessment.

Answers
00:02
Conclusion
1 Lecture 03:14

Thanks for taking this class; I hope you enjoyed it.

Check out the SDF Blog at http://sumuri.com/category/surviving-digital-forensics/

Follow me on Twitter: https://twitter.com/LeclairDF

Thank you and final thoughts
03:14
About the Instructor
Michael Leclair
4.5 Average rating
318 Reviews
2,252 Students
15 Courses
Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.