Saturday, December 2, 2023

USB Forensics – Reconstruction of Digital Evidence from USB Drive

Digital Forensics analysis of USB forensics includes preservation, collection, Validation, Identification, Analysis, Interpretation, Documentation, and Presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal.

Disk Imaging – USB Forensics:-

  • A Disk Image is defined as a computer file that contains the contents and structure of a data storage device such as a hard drive, CD drive, phone, tablet, RAM, or USB.
  • The disk image consists of the actual contents of the data storage device, as well as the information necessary to replicate the structure and content layout of the device.
  • However Wide range of well-known tools is used according to the court of law to perform the analysis.
  • Standard tools are solely authorized as per law, Forensics examiners are disallowed to perform Imaging with Unknown Tools, New Tools.
  • Standard Tools: Encase Forensic Imager and its extension (Imagename.E01)
    Forensic Toolkit Imaging & Analysis:
  • Since Encase forensic software costs around $2,995.00 – $3,594.00, So In this Imaging and analysis will be performed with FTK Forensic software made by AccessData.
  • FTK Includes a standalone disk imager is a simple but concise Tool.

Also Read   Pdgmail Forensic Tool to Analysis Process Memory Dump

FTK Imager:-

Click to view for clear image
  • The above-shown figure is the panel of Access data FTK Imager.

Evidence Tree

  • Click the Top-Left green color button for adding evidence to the panel and select the source evidence type.
  • Selected source evidence is a logical Drive(USB).

Also Read   Live Forensics Analysis with Computer Volatile Memory

Logical Drive

  • Check the drop-down menu, up to here selected HP USB for Analysis.

Evidence Tree data

USB Forensics
  • Expanding the evidence tree of the USB Devices will represent the overall view of data deleted in the past.
  • Drill down further to check and investigate the type of evidence deleted.

Warning: It’s recommended not to work with original evidence at the investigation because accidentally copying new data to USB will overwrite the past deleted files in USB. The integrity of evidence will fail so always work with forensic Image copy.

Creating USB Image:-

  • Select & Create a Disk image from File Menu.
USB Forensics

Disk Image Format

  • Click the add button and select the appropriate type of image format E01.
USB Forensics
  • The above figure illustrates Selected Image Type is E01.

Evidence Information

  • It’s mandatory to add more information about USB type, Size, color & more Identity of evidence.
USB Forensics

Image destination

  • Select the Destination path of the USB file name C:\Users\Balaganesh\Desktop\New folder and the Image file name is HP Thumb Drive.
USB Forensics
USB Forensics

Image Creation – USB Forensics

USB Forensics
  • The above figure shows that the Image of the USB format of .E01 is in progress.
  • It will take several minutes to hours to create the image file.

Forensic Image:-

  • Unplug the USB evidence and keep the original evidence safe and work with the forensic image always.
USB Forensics
  • The above figure shows that a forensic copy or image is to be selected. Here Forensic image is HP.E01

Digital Evidence Analysis:-

USB Forensics
  • The above Figure illustrates some suspicious activities on USB drives likely to be found.
    Antivirus, illegal stuff, and more folders are deleted.

Deleted Files & Folders Recovery:-

Here we have found out, USB contains some suspecting names of files in pdf format.

USB Forensics

Extract the Evidence:

USB Forensics
  • Finally, we have recovered malicious Tor links in .onion in pdf format as evidence. Happy Investigating !!

Note: In some cases, the extracted file may be empty, It shows that new files have been overwritten. In this scenario, file attributes will be evidence.

You can follow us on LinkedinTwitter, and Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep yourself self-updated.

Also Read Tracking Photo’s Geo-location with GPS EXIF DATA – Forensic Analysis


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles