ArtiFast Forensics Investigation - USB Forensics

One of the critical pieces of forensic evidence to investigate in insider-threat or insider-breach cases comes from USB forensics. It lets us determine which USB device, along with its vendor ID and product ID, was used to exfiltrate data from the organization's network.

There are several ways to conduct USB forensic analysis and identify hardware devices connected to a specific computer. In this discussion, we’ll focus on two methods.

The first method involves analyzing the Windows Registry, which does not require any additional tools. The second method uses the ArtiFast Lite version, or optionally the full ArtiFast Suite, which offers premium features for a more comprehensive analysis.


Traditional Method - Registry:


  • Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
  • Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
  • Registry Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices


As shown in the screenshot, the Registry only displays keys named with specific VID and PID values. The VID is the Vendor ID and the PID is the Product ID. Together these identifiers let us determine which USB device was connected to the target computer.

To look up the USB vendor based on the VID and PID, you can use the website: https://the-sz.com/products/usbid/



Example of a USB VID and PID: VID_0781&PID_5567

To use this platform, paste or type the VID_[ID] into the Vendor ID field and the PID_[ID] into the Product ID field. Then, click "Search" and leave the Name field empty.



The result is:



As you can see, the USB device connected to the computer is a SanDisk.
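As an added example (not code from the original post or from ArtiFast), the following Python snippet shows how an analyst can parse the key names from Enum\USB and Enum\USBSTOR and the decoded MountedDevices values listed above into one record per device: VID/PID, vendor, product, serial and the drive letter the stick was mounted as. The key names, serial numbers and drive letter are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample key names and MountedDevices values (not from a real case).
# MountedDevices data is REG_BINARY holding a UTF-16LE string; shown here already decoded.
USB_ENUM_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_0781&PID_5567\4C530001234567890123",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_046D&PID_C52B\5&1a2b3c4d&0&2",
]
USBSTOR_KEYS = [
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567890123&0",
]
MOUNTED_DEVICES = {
    "\\DosDevices\\E:": r"\??\USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00#4C530001234567890123&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
}
DOSDEV_PREFIX = "\\DosDevices\\"
VID_PID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")
USBSTOR_RE = re.compile(r"Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^\\#]*)[\\#](?P<inst>[^\\#]+)")

def parse_vid_pid(key: str) -> Optional[Tuple[str, str]]:
    """Extract (VID, PID) from an Enum\\USB key name; None if the key carries no VID/PID."""
    m = VID_PID_RE.search(key)
    return (m.group(1).upper(), m.group(2).upper()) if m else None

def instance_serial(instance_id: str) -> Tuple[str, bool]:
    """Strip the '&0' suffix Windows appends to a device serial. If the second character of the
    instance ID is '&', Windows generated the ID because the device reported no serial."""
    serial = instance_id[:-2] if instance_id.endswith("&0") else instance_id
    return serial, len(instance_id) > 1 and instance_id[1] == "&"

def parse_usbstor(key: str) -> Optional[Dict[str, object]]:
    """Split a USBSTOR device key into vendor, product, firmware revision and serial."""
    m = USBSTOR_RE.search(key)
    if not m:
        return None
    serial, generated = instance_serial(m.group("inst"))
    return {"vendor": m.group("ven"), "product": m.group("prod").replace("_", " "),
            "revision": m.group("rev"), "serial": serial, "windows_generated_id": generated}

def drive_letters(serial: str, mounted: Dict[str, str]) -> List[str]:
    """Return the drive letters MountedDevices assigned to a USBSTOR device with this serial."""
    return sorted(name[len(DOSDEV_PREFIX):] for name, data in mounted.items()
                  if name.startswith(DOSDEV_PREFIX) and data.startswith(r"\??\USBSTOR#")
                  and f"#{serial}" in data)

def build_report(usb_keys: List[str], usbstor_keys: List[str], mounted: Dict[str, str]) -> List[Dict[str, object]]:
    """Join Enum\\USB (VID/PID), USBSTOR (vendor/product/serial) and MountedDevices on the serial."""
    vid_pid_by_serial = {}
    for key in usb_keys:
        ids = parse_vid_pid(key)
        if ids:
            vid_pid_by_serial[instance_serial(key.rsplit("\\", 1)[-1])[0]] = ids
    report = []
    for key in usbstor_keys:
        dev = parse_usbstor(key)
        if dev:
            dev["vid_pid"] = vid_pid_by_serial.get(dev["serial"])  # None if no Enum\USB match
            dev["drive_letters"] = drive_letters(dev["serial"], mounted)
            report.append(dev)
    return report
```

The report's VID/PID pair is what you paste into the the-sz.com lookup form above; a `windows_generated_id` of True warns you that the "serial" cannot be used to tie the device to another machine.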

Professional Method - USB Forensics:

In our last blog post, we discussed how to set up and conduct an investigation using the ArtiFast software. If your dumped memory image is ready, simply click the arrow in the OS Options sidebar on the left, then select "USB Forensics". You will then see the screen shown below:
