Daily Blog #537: Forensic Lunch Test Kitchen 11/14/18 - USB Artifacts

USB Artifacts by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,

          The test kitchen has returned! Tonight we looked at the new USB artifacts described in yesterdays post https://www.hecfblog.com/2018/11/daily-blog-536-usb-30-external-storage.html and look to see how USB Detective handles the new driver.

Here is what we learned:
  • The DeviceContainers key is the place that glues together the disparate keys you need for a storage device to figure out its properties
  • The USB enum key has the same 83da property GUID for driver installs that provides the install, last insert and last removal dates that USBStor did. 
  • USB Detective properly detected the drives, found the serial numbers, dates of install and even the volume serial number with the assistance of the event logs!

Jason Hale is now going to update USB Detective to get the rest of the data and I'd be happy to provide the same test data to any other developer out there who would also like to update their tools.

You can watch the video here:

Post a Comment