USB Forensics – Reconstruction of Digital Evidence from USB Drive ~ Linchakin

Digitial Forensics analysis of USB forensics include preservation, collection, Validation, Identification, Analysis, Interpretation, Documentation, and Presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal.

Disk Imaging – USB Forensics:-

A Disk Image is defined as a computer file that contains the contents and structure of a data storage device such as a hard drive, CD drive, phone, tablet, RAM, or USB.
The disk image consists of the actual contents of the data storage device, as well as the information necessary to replicate the structure and content layout of the device.
However Wide ranging of well-known tools is used according to the court of law to perform the analysis.
Standard tools are solely authorized as per law, Forensics examiners are disallowed to perform Imaging with Unknown Tools, New Tools.
Standard Tools: Encase Forensic Imager and its extension (Imagename.E01)
Forensic Toolkit Imaging & Analysis:
Since Encase forensic software cost around $2,995.00 – $3,594.00, So In this Imaging and analysis will be performed with FTK Forensic software made by AccessData.
FTK Includes standalone disk imager is simple but concise Tool.

Also Read : Pdgmail Forensic Tool to Analysis Process Memory Dump

FTK Imager:-

Above shown figure is the panel of Access data FTK Imager.

Evidence Tree

Click Top-Left green color button for adding evidence to the panel and select source evidence type.
Selected source evidence is logical Drive(USB).

Also Read Live Forensics Analysis with Computer Volatile Memory

Logical Drive

Check drop-down menu, up to here selected HP USB for Analysis.

Evidence Tree data

Expanding the evidence tree of USB Device will represent the overall view of data deleted in past.
Drill down further to check and investigate the type of evidence deleted.

Warning: Its recommended not to work with original evidence at the investigation, because accidentally copying new data to USB will overwrite the past deleted files in USB.The integrity of evidence will fail so always work with forensic Image copy.

Creating USB Image:-

Select & Create Disk image from File Menu.

Disk Image Format

Click the add button and select the appropriate type of image format E01.

Above figure illustrate Selected Image Type is E01.

Evidence Information

Its mandatory to add more information about USB type, Size, color & more Identity of evidence.

Image destination

Select the Destination path of USB file name C:\Users\Balaganesh\Desktop\New folder and Image file name is HP Thumb Drive.

Image Creation – USB Forensics

Above figure shows that Image of USB format of .E01 is in progress.
It will Take several minutes to hours to create the image file.

Forensic Image:-

Unplug the USB evidence and keep the original evidence safe and work with forensic image always.

Above figure shows that forensic copy or image to be selected.Here Forensic image is HP.E01

Digitial Evidence Analysis:-

Above Figure illustrate some suspicious activities on USB drive likely to be found.
Antivirus,ilegal stuffs and more folders are deleted.

Deleted Files & Folders Recovery:-

Here we have found out, USB contains some suspecting names of files in pdf format.

Extract the Evidence:

Finally, we have recovered malicious Tor links in .onion in pdf format as evidence. Happy Investigating !!

Note: In some cases, the extracted file may be empty, It shows that new files have overwritten. In this scenario, file attributes will be evidence.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read Tracking Photo’s Geo-location with GPS EXIF DATA – Forensic Analysis

Adblock test (Why?)