The notion that we can determine what USB devices have ever been attached to a system, even though the devices are no longer present, is astonishing to the uninitiated. Remember that a USB investigation usually happens in the complete absence of any of the USB devices being investigated. When the many disparate breadcrumbs of usage are pulled together into a coherent assemblage of user activity, the results can be shocking in their clarity. The difficulty comes in attempting to make sense of all this data. Thank you to Daniel Dickerman and Chad Tilbury for initially sending me down this rabbit hole!

Evidence surrounding the use of USB devices is an often sought-after forensic treasure trove, due to its verbosity in the operating system, as well as the Windows Registry.