Sunday, September 17, 2017

Digital Forensics: USB Forensics Part II


USB Detective


Description
USB Detective is an application for identifying, investigating, and reporting on USB storage devices that have been connected to a Windows system.  Using its consistency level color-coding, USB Detective gives you the ability to quickly distinguish attributes with corroborating data sources from those with potentially misleading or inaccurate timestamps.  USB Detective’s findings are organized to allow for a high-level view of USB device activity using the results grid as well as a more in-depth examination using the verbose view.

 Website: https://usbdetective.com/
..............................................................................

USBDeview


Description
USBDeview is a small utility that lists all USB devices that are currently connected to your computer, as well as all USB devices that you previously used.
For each USB device, extended information is displayed: device name/description, device type, serial number (for mass storage devices), the date/time that the device was added, VendorID, ProductID, and more.
USBDeview also allows you to uninstall USB devices that you previously used, disconnect USB devices that are currently connected to your computer, and disable or enable USB devices.
You can also use USBDeview on a remote computer, as long as you log in to that computer as an admin user.

 Website: https://www.nirsoft.net/utils/usb_devices_view.html
..............................................................................


Windows USB Storage Parser (usp)





Introduction
usp is a command-line tool that can be scripted to work with other tools. It automates various manual techniques for extracting and analyzing different registry entries and Windows log files, pulling them together into a report that documents the USB activity on a Windows computer. The report displays a summary of each USB device, timestamps for when the device was initially plugged in and when it was last plugged in, and various other metadata.

There are 5 use-cases that the Windows version of usp handles. It can process USB artifacts from: (a) a live Windows system, ranging from Windows XP up to Windows 2008, (b) an image of a Windows hard drive, (c) extracted registry hives and setupapi logs, (d) an external drive that was mounted and (e) a monolithic VMware virtual disk file.


Website: https://tzworks.net/prototype_page.php?proto_id=13
..............................................................................

USB Forensic Tracker (USBFT)


Introduction
USB Forensic Tracker (USBFT) is a comprehensive forensic tool that extracts USB device connection artefacts from a range of locations within the live system, from mounted forensic images, from volume shadow copies, from extracted Windows system files and from both extracted Mac OSX and Linux system files. The extracted information from each location is displayed within its own table view. The information can be exported to an Excel file.


website : www.orionforensics.com
..............................................................................


USB Historian



Parse USB Connection History
Microsoft Windows operating systems record artifacts when USB removable storage devices (thumb drives, iPods, digital cameras, external HDDs, etc.) are connected. These artifacts can be found in Plug and Play (PnP) log files as well as the Windows Registry.
For a forensic investigator dealing with the theft or movement of data, or access to it, these artifacts can play a critical role in an investigation.

website : www.4discovery.com/our-tools

 ..............................................................................

USBDeviceForensics

Info
usbdeviceforensics is a Python script that extracts numerous bits of information regarding USB devices. It initially used the information from a SANS blog post (Rob Lee) to retrieve operating-system-specific information. It now has the ability to process multiple NTUSER.dat registry hives in one go.

website : http://www.woanware.co.uk/forensics/usbdeviceforensics.html

 ..............................................................................

sysinsider usbtracker


USBTracker is a quick & dirty incident response and forensics Python script to dump USB-related information and artifacts from a Windows OS (Vista and later).

website : https://github.com/sysinsider/usbtracker

 ..............................................................................


USBDeviceHistory 1.0.1
This module scrapes a series of registry keys for information about USB devices that have been inserted into the computer. In addition, the System EventLog is queried for EventIDs 20003 and 20001.


Website : https://www.powershellgallery.com/packages/USBDeviceHistory/1.0.1

Digital Forensics: USB Forensics Part I

Note: The content on this website is provided for informational and educational purposes only.

* If any of the information is incorrect, I apologize. Please notify the Admin so that it can be corrected.
Thank you.
