Arshad Ayesha, Iqbal Waseem, Abbas Haider
National University of Sciences and Technology (NUST), Islamabad, 44000, Pakistan.
Florida Institute of Technology (FIT), Melbourne, FL, 32901, USA.
J Forensic Sci. 2018 May;63(3):856-867. doi: 10.1111/1556-4029.13596. Epub 2017 Jul 18.
Significantly increased use of USB devices, due to their user-friendliness and large storage capacities, poses various threats to users and companies in terms of data theft, which their portability makes easier. Investigating such data theft requires gathering critical digital information capable of recovering digital forensic artifacts such as date, time, and device information. This research gathers three sets of registry and log data: the first before insertion, the second during insertion, and the third after removal of a USB device. These sets are analyzed to gather evidentiary information from the Registry and the Windows Event Log that helps in tracking a USB device. This research extends prior work on earlier versions of Microsoft Windows and compares it with the latest Windows 10 system. A comparison of Windows 8 and Windows 10 shows little difference except for a new subkey under the USB key in the registry. However, a comparison of Windows 7 with the latest version indicates significant variances.
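The three-snapshot method the abstract describes (registry and log state captured before insertion, during insertion, and after removal, then diffed for USB-related artifacts) is illustrated below with an added Python example. This is not code from the paper or its authors; the snapshots, timestamps, vendor/product/serial strings and event log lines are constructed for the example, and the registry paths used as filters (USBSTOR, USB and MountedDevices under HKLM\SYSTEM) are assumed to be the locations of interest, as are the event provider name and event IDs in the sample log.

```python
"""Added example: three-snapshot differential analysis of USB artifacts.

All snapshot data, timestamps and event records are constructed for
illustration.  Registry paths are the commonly examined USB locations
(an assumption, not the paper's list); device identifiers are placeholders.
"""
from datetime import datetime, timedelta

# Registry locations treated as USB-related (assumed filter set).
USB_KEY_PREFIXES = (
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR",
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USB",
    r"HKLM\SYSTEM\MountedDevices",
)


def ts(text):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamps."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


USBSTOR = r"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR"
DEV = USBSTOR + r"\Disk&Ven_EXAMPLE&Prod_FLASH&Rev_1.00"  # placeholder device
SERIAL = DEV + r"\SERIAL0001&0"                              # placeholder instance
VID_KEY = r"HKLM\SYSTEM\CurrentControlSet\Enum\USB\VID_0000&PID_0000"
UNRELATED = r"HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"

# Snapshot 1 (constructed): key path -> LastWrite time before insertion.
BEFORE = {
    USBSTOR: ts("2017-01-09 08:00:00"),
    r"HKLM\SYSTEM\CurrentControlSet\Enum\USB": ts("2017-01-09 08:00:00"),
    r"HKLM\SYSTEM\MountedDevices": ts("2017-01-09 08:00:00"),
    UNRELATED: ts("2017-01-09 08:00:00"),
}
# Snapshot 2 (constructed): new device keys appear, MountedDevices is rewritten.
DURING = dict(BEFORE)
DURING.update({
    DEV: ts("2017-01-09 10:15:02"),
    SERIAL: ts("2017-01-09 10:15:02"),
    VID_KEY: ts("2017-01-09 10:15:01"),
    r"HKLM\SYSTEM\MountedDevices": ts("2017-01-09 10:15:03"),
})
# Snapshot 3 (constructed): nothing is deleted on removal, so the device
# keys remain as evidence after the drive is gone.
AFTER = dict(DURING)

# Constructed event records: time|provider|event id|message.
EVENT_LOG = """\
2017-01-09 09:55:10|Microsoft-Windows-Kernel-General|1|System time changed (unrelated)
2017-01-09 10:15:01|Microsoft-Windows-DriverFrameworks-UserMode|2003|UMDF host loaded for device (assumed id)
2017-01-09 10:38:44|Microsoft-Windows-DriverFrameworks-UserMode|2102|UMDF device removal (assumed id)
"""


def diff_snapshots(old, new):
    """Return (added keys, keys whose LastWrite changed) between two snapshots."""
    added = {k: t for k, t in new.items() if k not in old}
    modified = {k: t for k, t in new.items() if k in old and old[k] != t}
    return added, modified


def usb_related(keys):
    """Keep only keys under the USB-related prefixes."""
    return {k: t for k, t in keys.items() if k.startswith(USB_KEY_PREFIXES)}


def parse_events(text):
    """Parse the constructed pipe-separated event lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        when, provider, event_id, message = line.split("|", 3)
        events.append({"time": ts(when), "provider": provider,
                       "id": int(event_id), "message": message})
    return events


def correlate(artifacts, events, window=timedelta(seconds=60)):
    """Pair each registry artifact with events written within +/- window."""
    return [(key, ev["id"]) for key, when in artifacts.items()
            for ev in events if abs(ev["time"] - when) <= window]


def analyze(before, during, after, log_text):
    """Run the before/during/after comparison and correlate with the log."""
    added, modified = diff_snapshots(before, during)
    insertion = usb_related({**added, **modified})
    persisted = usb_related(diff_snapshots(before, after)[0])
    return {
        "insertion_artifacts": insertion,
        "persisted_after_removal": persisted,
        "correlated": correlate(insertion, parse_events(log_text)),
    }


if __name__ == "__main__":
    result = analyze(BEFORE, DURING, AFTER, EVENT_LOG)
    for section, value in result.items():
        print(section)
        for item in value:
            print("   ", item)
```

The diff isolates what insertion changed (new device and instance keys plus the rewritten MountedDevices key) while ignoring unrelated registry activity, and the third snapshot shows which of those artifacts survive removal; matching key LastWrite times against event log timestamps within a small window ties the registry change to the logged device arrival.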