USB Forensics – Reconstruction of Digital Evidence from USB Drive

      No comments   

USB Forensics – Reconstruction of Digital Evidence from USB Drive

Digitial Forensics analysis of USB forensics include preservation, collection, Validation, Identification, Analysis, Interpretation, Documentation, and Presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal.

Disk Imaging – USB Forensics:-

  • A Disk Image is defined as a computer file that contains the contents and structure of a data storage device such as a hard drive, CD drive, phone, tablet, RAM, or USB.
  • The disk image consists of the actual contents of the data storage device, as well as the information necessary to replicate the structure and content layout of the device.
  • However Wide ranging of well-known tools is used according to the court of law to perform the analysis.
  • Standard tools are solely authorized as per law, Forensics examiners are disallowed to perform Imaging with Unknown Tools, New Tools.
  • Standard Tools: Encase Forensic Imager and its extension (Imagename.E01)
    Forensic Toolkit Imaging & Analysis:
  • Since Encase forensic software cost around $2,995.00 – $3,594.00, So In this Imaging and analysis will be performed with FTK Forensic software made by AccessData.
  • FTK Includes standalone disk imager is simple but concise Tool.

Also Read :   Pdgmail Forensic Tool to Analysis Process Memory Dump

FTK Imager:-

Click to view for clear image
  • Above shown figure is the panel of Access data FTK Imager.

Evidence Tree

  • Click Top-Left green color button for adding evidence to the panel and select source evidence type.
  • Selected source evidence is logical Drive(USB).

Also Read   Live Forensics Analysis with Computer Volatile Memory

Logical Drive

  • Check drop-down menu, up to here selected HP USB for Analysis.

Evidence Tree data

USB Forensics
  • Expanding the evidence tree of USB Device will represent the overall view of data deleted in past.
  • Drill down further to check and investigate the type of evidence deleted.

Warning: Its recommended not to work with original evidence at the investigation, because accidentally copying new data to USB will overwrite the past deleted files in USB.The integrity of evidence will fail so always work with forensic Image copy.

Creating USB Image:-

  • Select & Create Disk image from File Menu.
USB Forensics

Disk Image Format

  • Click the add button and select the appropriate type of image format E01.
USB Forensics
  • Above figure illustrate Selected Image Type is E01.

Evidence Information

  • Its mandatory to add more information about USB type, Size, color & more Identity of evidence.
USB Forensics

Image destination

  • Select the Destination path of USB file name C:\Users\Balaganesh\Desktop\New folder and Image file name is HP Thumb Drive.
USB Forensics
USB Forensics

Image Creation – USB Forensics

USB Forensics
  • Above figure shows that Image of USB format of .E01 is in progress.
  • It will Take several minutes to hours to create the image file.

Forensic Image:-

  • Unplug the USB evidence and keep the original evidence safe and work with forensic image always.
USB Forensics
  • Above figure shows that forensic copy or image to be selected.Here Forensic image is HP.E01

Digitial Evidence Analysis:-

USB Forensics
  • Above Figure illustrate some suspicious activities on USB drive likely to be found.
    Antivirus,ilegal stuffs and more folders are deleted.

Deleted Files & Folders Recovery:-

Here we have found out, USB contains some suspecting names of files in pdf format.

USB Forensics

Extract the Evidence:
USB Forensics
  • Finally, we have recovered malicious Tor links in .onion in pdf format as evidence. Happy Investigating !!
EHA

Note: In some cases, the extracted file may be empty, It shows that new files have overwritten. In this scenario, file attributes will be evidence.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read Tracking Photo’s Geo-location with GPS EXIF DATA – Forensic Analysis

Adblock test (Why?)


You may be interested in:
>> Is a Chromebook worth replacing a Windows laptop?
>> Find out in detail the outstanding features of Google Pixel 4a
>> Top 7 best earbuds you should not miss

Related Posts:
>> Recognizing 12 Basic Body Shapes To Choose Better Clothes
>>Ranking the 10 most used smart technology devices
>> Top 5+ Best E-readers: Compact & Convenient Pen

0 Comments:

Post a Comment