Windows 8 Forensics: USB Activity

Monday, December 03, 2012

Dan Dieterle


Article by Ethan Fleisher

When I started working on Windows 8 USB drive forensics, I assumed it would be pretty similar to Windows 7. I created a fresh Windows 8 VM and plugged a thumb drive into my local system; as normal, the VM recognized the device as it should.

I then shut the VM down and opened its disk in EnCase to examine what had been recorded. All of the findings were similar to Windows 7 USB forensics and, much like the Recycle Bin, proved nothing exciting.

Here are the results. (The original post, including the screenshots of each artifact, can be found on the Patrick Leahy Center for Digital Investigation blog.)

MountedDevices key (SYSTEM\MountedDevices): volume GUIDs and drive letters mapped back to the USB device's instance ID.

SYSTEM\CurrentControlSet\Enum\USBSTOR: one subkey per vendor/product/revision, with the device serial number (or a Windows-generated ID when the device reports none) as the instance subkey.

Setupapi.dev.log (Windows\inf\setupapi.dev.log): the device install record, including the first-install timestamp.

SOFTWARE\Microsoft\Windows Portable Devices\Devices: friendly name linked to the device serial number.

These keys are all the same as in Windows 7, so it should be smooth sailing to continue producing USB activity results using the Windows 7 methodology.
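As an added example that is not part of the original post, here is a small Python parser for the setupapi.dev.log artifact listed above, run over a constructed log excerpt (sample data, not the author's image). It extracts each USBSTOR device-install section with its first-install timestamp and exit status, and splits the device instance path into vendor, product, revision and serial. It also flags instance IDs that Windows generated because the device reported no serial number (those have "&" as their second character), which is the usual caveat when trying to tie a USBSTOR entry to a specific physical drive.

```python
import re
from datetime import datetime

# Constructed excerpt in the setupapi.dev.log layout (sample data, not taken
# from the original post). Three sections: the parent USB entry, a disk with
# a real serial number, and a disk that reported no serial number.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_0781&PID_5567\\4C530001234567890123]
>>>  Section start 2012/11/20 14:32:04.901
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2012/11/20 14:32:05.110
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\\4C530001234567890123&0]
>>>  Section start 2012/11/20 14:32:05.123
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
     dvi:                  {Build Driver List} 14:32:05.140
     dvi:                  {Build Driver List - exit(0x00000000)} 14:32:05.301
<<<  Section end 2012/11/20 14:32:07.456
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&2a1b3c4d&0&_&0]
>>>  Section start 2012/11/21 09:15:30.000
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2012/11/21 09:15:31.222
<<<  [Exit status: FAILURE(0xe0000203)]
"""

# Section header of a USBSTOR device install. Group 1 is the trigger text,
# group 2 the device instance path as it also appears under
# SYSTEM\CurrentControlSet\Enum\USBSTOR.
HEADER_RE = re.compile(r"^>>>\s+\[Device Install \(([^)]*)\) - (USBSTOR\\[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
STATUS_RE = re.compile(r"^<<<\s+\[Exit status: ([^\]]+)\]")
INSTANCE_RE = re.compile(
    r"^USBSTOR\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>.+)$"
)


def parse_usbstor_installs(log_text):
    """Return one record per USBSTOR device-install section in the log.

    Timestamps in setupapi.dev.log are the system's local time, and a device
    normally gets an install section only the first time it is plugged in.
    """
    records = []
    current = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"trigger": m.group(1), "device_path": m.group(2),
                       "first_install": None, "status": None}
            records.append(current)
            continue
        if current is None:
            continue  # inside a section for some other device class
        m = START_RE.match(line)
        if m and current["first_install"] is None:
            current["first_install"] = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"] = m.group(1)
            current = None  # section closed
    return records


def describe_device(device_path):
    """Split a USBSTOR instance path into its identifying fields."""
    m = INSTANCE_RE.match(device_path)
    if not m:
        raise ValueError("not a USBSTOR device path: " + device_path)
    instance = m.group("instance")
    # If the second character of the instance ID is "&", the device reported
    # no serial number and Windows generated the ID; it is then specific to
    # this machine and port, not to the physical drive.
    generated = len(instance) > 1 and instance[1] == "&"
    # Real serials carry a trailing "&<interface>" that is not part of the serial.
    serial = None if generated else instance.rsplit("&", 1)[0]
    return {"type": m.group("type"), "vendor": m.group("vendor"),
            "product": m.group("product"), "revision": m.group("rev"),
            "instance_id": instance, "serial": serial,
            "windows_generated_id": generated}


if __name__ == "__main__":
    for rec in parse_usbstor_installs(SAMPLE_LOG):
        info = describe_device(rec["device_path"])
        print(rec["first_install"], rec["status"], info["vendor"], info["product"],
              "serial=%s" % info["serial"], "generated=%s" % info["windows_generated_id"])
```

The serial (or generated instance ID) returned here is the same string that names the instance subkey under SYSTEM\CurrentControlSet\Enum\USBSTOR and that the Windows Portable Devices\Devices key embeds in its friendly-name entry, so the output can be matched directly against those keys.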

About the Author:

Ethan Fleisher is a Senior majoring in Computer and Digital Forensics at Champlain College. Originally from Carlisle, Pennsylvania, Ethan currently works as a Forensic Intern and System Administrator at the Senator Patrick Leahy Center for Digital Investigation, where he is involved in real-life investigative forensic analysis, network and system administration, and forensic research. Ethan has spent close to a year researching the Microsoft Windows 8 OS, with a focus on revealing new artifacts and attempting to confirm previous methodologies.

Cross-posted from Cyber Arms
