- Contact Us
The questions almost every digital forensic analyst is asked usually begin with, “Can you find __________?”. And the answer is almost always maybe, or, it depends.
I am also often asked, “Can you find out if documents or data were transferred from a computer to a USB, or external storage device?” Without examining the actual USB device, again, the answer is maybe. When you save and store documents / data on your computer, you leave artifacts on a certain time and day. This gets recorded in the registry. In addition, when you plug in a USB or other storage device, you create new artifacts within the registry. When a user installs a USB device, the operating system looks for the Vendor ID and Product ID in the file usbstor.inf and loads the driver, creating artifacts.
USB device analysis varies depending on type of device and the operating system it is interacting with. Examiners collect USB information from various locations in order to analyze USB activity on a computer, and ultimately tying use of a device to a specific user account. The locations are as follows:
Match the ContainerID for any volume to a MountPoint stored in the NTUSER.DAT file for a specific user account to tie a device to a user. The analysis of data stored in these locations, as well as other Windows Artifacts (e.g. Windows Shortcuts, ThumbCache, and many others) will help an investigator create a timeline of events that could possibly point to if / when a document could have been transferred to the USB. If data was created, downloaded, or saved and then deleted on the same day / time a USB was connected and disconnected, one could propose the data is on that USB.
The Compass IT Compliance Digital Forensics Team assists organizations by:
Compass has a team of dedicated forensic analysts that are experienced in the collection, preservation, and analysis of digital evidence related to security incidents. This process requires a unique set of skills that not only helps you understand all aspects of the incident but that also follows law enforcement guidelines around proper evidence handling and chain of custody protocols. To discuss your specific digital forensics situation and needs in greater detail, please contact us!