USB Forensics – Reconstruction of Digital Evidence from USB Drive

Digital Forensics analysis of USB forensics includes preservation, collection, Validation, Identification, Analysis, Interpretation, Documentation, and Presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal.

Disk Imaging – USB Forensics:-

• A Disk Image is defined as a computer file that contains the contents and structure of a data storage device such as a hard drive, CD drive, phone, tablet, RAM, or USB.
• The disk image consists of the actual contents of the data storage device, as well as the information necessary to replicate the structure and content layout of the device.
• However Wide range of well-known tools is used according to the court of law to perform the analysis.
• Standard tools are solely authorized as per law, Forensics examiners are disallowed to perform Imaging with Unknown Tools, New Tools.
• Standard Tools: Encase Forensic Imager and its extension (Imagename.E01)
  Forensic Toolkit Imaging & Analysis:
• Since Encase forensic software costs around $2,995.00 – $3,594.00, So In this Imaging and analysis will be performed with FTK Forensic software made by AccessData.
• FTK Includes a standalone disk imager is a simple but concise Tool.

Also Read   Pdgmail Forensic Tool to Analysis Process Memory Dump

FTK Imager:-

• The above-shown figure is the panel of Access data FTK Imager.

Evidence Tree

• Click the Top-Left green color button for adding evidence to the panel and select the source evidence type.
• Selected source evidence is a logical Drive(USB).

Also Read   Live Forensics Analysis with Computer Volatile Memory

Logical Drive

• Check the drop-down menu, up to here selected HP USB for Analysis.

Evidence Tree data

• Expanding the evidence tree of the USB Devices will represent the overall view of data deleted in the past.
• Drill down further to check and investigate the type of evidence deleted.

Warning: It’s recommended not to work with original evidence at the investigation because accidentally copying new data to USB will overwrite the past deleted files in USB. The integrity of evidence will fail so always work with forensic Image copy.

Creating USB Image:-

• Select & Create a Disk image from File Menu.

Disk Image Format

• Click the add button and select the appropriate type of image format E01.

• The above figure illustrates Selected Image Type is E01.

Evidence Information

• It’s mandatory to add more information about USB type, Size, color & more Identity of evidence.

Image destination

• Select the Destination path of the USB file name C:\Users\Balaganesh\Desktop\New folder and the Image file name is HP Thumb Drive.

Image Creation – USB Forensics

• The above figure shows that the Image of the USB format of .E01 is in progress.
• It will take several minutes to hours to create the image file.

Forensic Image:-

• Unplug the USB evidence and keep the original evidence safe and work with the forensic image always.

• The above figure shows that a forensic copy or image is to be selected. Here Forensic image is HP.E01

Digital Evidence Analysis:-

• The above Figure illustrates some suspicious activities on USB drives likely to be found.
  Antivirus, illegal stuff, and more folders are deleted.

Deleted Files & Folders Recovery:-

Here we have found out, USB contains some suspecting names of files in pdf format.

Extract the Evidence:

• Finally, we have recovered malicious Tor links in .onion in pdf format as evidence. Happy Investigating !!

Note: In some cases, the extracted file may be empty, It shows that new files have been overwritten. In this scenario, file attributes will be evidence.

You can follow us on Linkedin, Twitter, and Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep yourself self-updated.

Also Read Tracking Photo’s Geo-location with GPS EXIF DATA – Forensic Analysis