
USB Forensic Analysis

Post Posted: Wed Mar 08, 2017 6:23 am

Hi All

I have a USB (Transcend 64GB) and I would like to know which devices/computers this USB has been connected to.

Any help will be highly appreciated.  

Senior Member

Re: USB Forensic Analysis

Post Posted: Wed Mar 08, 2017 7:43 am

Hi harshbehl,

Which filesystem is it formatted with? If it's FAT32 I'm not sure if you'll have much luck. If it's NTFS you might be able to find unique SIDs in the Recycle Bin, or in the owner attribute of the files present.  

Senior Member

Re: USB Forensic Analysis

Post Posted: Wed Mar 08, 2017 9:30 am

1. If the file system is FAT you can check the VBR (first sector) to see if it refers to NTLDR (Windows XP and before), BOOTMGR (Windows Vista and later) or IO.SYS (Windows 9x and DOS). This may help identify which OS formatted the file system.

2. If FAT, the volume serial number may give you an idea when the volume was formatted. Craig Wilson has written a paper on this here: www.digital-detective....umbers.pdf

3. If the file system is NTFS you can perform the above check but also check the $Volume file for the $VOLUME_INFORMATION attribute. This will reflect the most recent (NT based) OS to mount the file system. Typically this will be v3.1 for Windows XP and later.

4. If the file system is NTFS you can also check the SIDs associated with files. This may provide a conclusive link back to a specific system (if you have one in mind).

5. Similarly, if the volume contains Windows shortcut files these may contain artefacts linking back to the original system (by name) and ObjectID attributes linking back to the volume the files were "born" on.

Harry Parsonage has written about this here: computerforensics.pars...oflife.pdf

Paul Sanderson has written about this here:

Please remember it is also possible the device was formatted by the manufacturer. This may skew the results above.

Hope this helps.
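
The FAT checks in points 1 and 2 of the post above, as an added example that is not part of the original post: it reads the first sector of a FAT volume, reports the OEM ID, volume serial number and label, and flags which loader name appears in the boot code. The function names and the sample sector are constructed for illustration, and the input is assumed to be a FAT (not NTFS) boot sector.

```python
import struct

# Loader names the post lists, as stored in boot code, and the OS each implies.
# Assumption: IO.SYS appears in padded 8.3 directory-entry form ("IO      SYS").
LOADERS = {
    b"NTLDR": "Windows XP and before",
    b"BOOTMGR": "Windows Vista and later",
    b"IO      SYS": "Windows 9x and DOS",
}

def parse_fat_vbr(sector: bytes) -> dict:
    """Pull formatting clues out of the first sector (VBR) of a FAT volume."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not a VBR")
    # A zero 16-bit sectors-per-FAT field (offset 0x16) means FAT32, whose
    # extended boot record starts at 0x40 rather than 0x24 (FAT12/16).
    fat32 = struct.unpack_from("<H", sector, 0x16)[0] == 0
    ebr = 0x40 if fat32 else 0x24
    sig = sector[ebr + 2]  # 0x28/0x29 => serial present; 0x29 => label too
    serial = label = None
    if sig in (0x28, 0x29):
        raw = struct.unpack_from("<I", sector, ebr + 3)[0]
        serial = f"{raw >> 16:04X}-{raw & 0xFFFF:04X}"  # XXXX-XXXX display form
    if sig == 0x29:
        label = sector[ebr + 7:ebr + 18].decode("ascii", "replace").rstrip()
    return {
        "fs": "FAT32" if fat32 else "FAT12/16",
        "oem": sector[3:11].decode("ascii", "replace").rstrip(),
        "serial": serial,
        "label": label,
        "loader_hints": [hint for name, hint in LOADERS.items() if name in sector],
    }

def constructed_sample() -> bytes:
    """Constructed FAT32 VBR for demonstration; not taken from a real device."""
    s = bytearray(512)
    s[0:3], s[3:11] = b"\xeb\x58\x90", b"MSDOS5.0"
    s[0x42] = 0x29                               # extended boot signature
    struct.pack_into("<I", s, 0x43, 0x1A2B3C4D)  # volume serial number
    s[0x47:0x52] = b"EVIDENCE   "                # 11-byte volume label
    s[0x170:0x17B] = b"BOOTMGR    "              # loader name in boot code
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    print(parse_fat_vbr(constructed_sample()))
```

On a forensic image, pass the first 512 bytes of the volume (not of the whole disk, which holds the partition table) read from a write-blocked copy.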



Re: USB Forensic Analysis

Post Posted: Thu Mar 09, 2017 1:43 pm

Do you have any suspected machines?

You can search for SIDs, geo metadata, images, Office documents, and files with credential metadata.

Senior Member

Re: USB Forensic Analysis

Post Posted: Thu Mar 09, 2017 8:15 pm

Windows writes the instance ID of used USB sticks to the registry.
To find the serial number of your own stick you can use USBDeview: www.nirsoft.net/utils/...view.html. Copy the "Instance ID" from your stick. (example: USB\VID_0951&PID_16A3\1C6F654CED39BE91A95F0123)

USBDeview is portable and also shows the complete history of used USB devices, so you can take it to other PCs to check if your stick is used there.

If the stick is lost or stolen in a large corporation, and you want to know if somebody has used it, you can do a network scan with Softperfect Networkscanner: www.softperfect.com/pr...rkscanner/
This scanner is shareware, but note that this scanner was free until version 6.2.1, so if you can get this version you should be fine.
In Options --> Remote registry you can put the instance ID and scan the whole network (you need admin rights to do this).


Remember that registry keys can be deleted, but that is exceptional...
I have had success with this method! Good luck!
ICT Security Manager, CHFI, CEH, ECSA, Netherlands 

