Tuesday, April 29, 2025

USB Forensics – Reconstruction of Digital Evidence from USB Drive


Digital forensic analysis of USB drives includes the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal.

Disk Imaging – USB Forensics:-

  • A Disk Image is defined as a computer file that contains the contents and structure of a data storage device such as a hard drive, CD drive, phone, tablet, RAM, or USB.
  • The disk image consists of the actual contents of the data storage device, as well as the information necessary to replicate the structure and content layout of the device.
  • A wide range of well-known tools, accepted by courts of law, is used to perform the analysis.
  • Only standard tools are authorized by law; forensic examiners are not allowed to perform imaging with unknown or new tools.
  • Standard tools: EnCase Forensic Imager, with its image extension (Imagename.E01).

Forensic Toolkit Imaging & Analysis:

  • Since EnCase forensic software costs around $2,995.00 – $3,594.00, the imaging and analysis here will be performed with FTK forensic software made by AccessData.
  • FTK includes a standalone disk imager, a simple but concise tool.


FTK Imager:-

  • The figure above shows the AccessData FTK Imager panel.

Evidence Tree

  • Click the green button at the top left to add evidence to the panel, and select the source evidence type.
  • The selected source evidence type is a logical drive (USB).


Logical Drive

  • In the drop-down menu, choose the drive; here, the HP USB is selected for analysis.

Evidence Tree data

  • Expanding the evidence tree of the USB device gives an overall view of the data deleted in the past.
  • Drill down further to check and investigate the type of evidence deleted.

Warning: It is recommended not to work with the original evidence during the investigation, because accidentally copying new data to the USB will overwrite previously deleted files on it. The integrity of the evidence will then fail, so always work with a forensic image copy.

Creating USB Image:-

  • Select Create Disk Image from the File menu.

Disk Image Format

  • Click the Add button and select the appropriate image format, E01.
  • The figure above shows that the selected image type is E01.

Evidence Information

  • It is mandatory to add more information about the evidence: USB type, size, color, and other identifying details.

Image destination

  • Select the destination path for the image, here C:\Users\Balaganesh\Desktop\New folder; the image file name is HP Thumb Drive.

Image Creation – USB Forensics

  • The figure above shows the creation of the USB image in .E01 format in progress.
  • It will take from several minutes to hours to create the image file.

Forensic Image:-

  • Unplug the USB evidence, keep the original evidence safe, and always work with the forensic image.
  • The figure above shows that a forensic copy or image is to be selected. Here the forensic image is HP.E01.
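One way to check that the working copy is still intact before each analysis session, as an added example that is not part of the original article or of FTK Imager. It hashes the image file itself as stored on disk; the choice of SHA-256, the function names and the practice of noting the hash right after imaging are assumptions, and the sample file is constructed.

```python
import hashlib
import os
import tempfile

# EWF/E01 segment files start with this 8-byte signature, followed by a
# 0x01 marker, a 2-byte little-endian segment number and two zero bytes.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte images do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def ewf_segment_number(path):
    """Return the segment number if the file has an EWF header, else None."""
    with open(path, "rb") as fh:
        header = fh.read(13)
    if len(header) < 13 or header[:8] != EWF_SIGNATURE or header[8] != 0x01:
        return None
    return int.from_bytes(header[9:11], "little")

def verify_working_copy(path, recorded_sha256):
    """Check the copy before analysis; return (ok, reason)."""
    if ewf_segment_number(path) is None:
        return False, "not an EWF (E01) segment file"
    actual = sha256_file(path)
    if actual != recorded_sha256.lower():
        return False, "hash mismatch: " + actual
    return True, "matches recorded hash"

def demo():
    # Constructed sample: a fake 'HP.E01' with a valid header and filler data.
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "HP.E01")
    with open(image, "wb") as fh:
        fh.write(EWF_SIGNATURE + b"\x01\x01\x00\x00\x00" + b"\x00" * 4096)
    recorded = sha256_file(image)          # value noted right after imaging
    before = verify_working_copy(image, recorded)
    with open(image, "r+b") as fh:         # simulate an accidental write
        fh.seek(2048)
        fh.write(b"X")
    after = verify_working_copy(image, recorded)
    return before, after

if __name__ == "__main__":
    print(demo())
```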

Digital Evidence Analysis:-

  • The figure above illustrates some suspicious activity likely to be found on USB drives: Antivirus, illegal stuff, and more folders have been deleted.

Deleted Files & Folders Recovery:-

Here we have found that the USB contains some files in PDF format with suspicious names.


Extract the Evidence:

  • Finally, we have recovered malicious Tor (.onion) links in PDF format as evidence. Happy investigating!

Note: In some cases, the extracted file may be empty. This shows that its data has been overwritten by new files. In this scenario, the file attributes will serve as evidence.
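Why attributes can outlive content, shown as an added example that is not from the original article: it assumes the drive is FAT32-formatted (the article does not state the file system), where deleting a file marks its 32-byte directory entry with 0xE5 while the name, attribute byte, timestamps and size typically remain until the slot is reused. The directory bytes below are constructed, not taken from the HP.E01 image.

```python
import struct
from datetime import datetime

def fat_datetime(date, time):
    """Decode FAT 16-bit date and time fields; None if they are invalid."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def parse_dir_entries(raw):
    """Return the short-name entries found in a raw FAT directory region."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        first, attr = entry[0], entry[11]
        if first == 0x00:            # end-of-directory marker
            break
        if attr & 0x0F == 0x0F:      # long-file-name entry, skipped here
            continue
        deleted = first == 0xE5      # deletion sets this byte to 0xE5
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        if deleted:
            name = "?" + name[1:]    # first character is lost on deletion
        hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHI", entry, 20)
        entries.append({
            "name": name + ("." + ext if ext else ""),
            "deleted": deleted,
            "directory": bool(attr & 0x10),
            "modified": fat_datetime(wdate, wtime),
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return entries

def sample_directory():
    """Constructed 64-byte directory: one deleted PDF, one live text file."""
    def entry(name83, size, cluster):
        # attr 0x20 = archive; written 2025-04-29 10:30:00 (constructed)
        return struct.pack("<11sB8xHHHHI", name83, 0x20, 0, 21440, 23197,
                           cluster, size)
    return entry(b"\xe5INKS   PDF", 48213, 5) + entry(b"README  TXT", 120, 9)

if __name__ == "__main__":
    for item in parse_dir_entries(sample_directory()):
        print(item)
```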
