USB Forensics

I recently came across two very good articles about USB forensics.

The Hitchhiker’s Guide to USB Forensics was published at the Cyberforensicator site by Oleg Skulkin and Igor Mikhaylov.  It is a very well thought out an written description of how to find out by operating system analysis what files have been copied to a USB device.  They used a Windows 10 virtual machine and the Oxygen Forensics AXIOM tool to conduct a basic analysis.  They are locating evidence about what files have been copied or moved.

I was looking for references to how to investigate just the USB drive itself.  I found the SANS Computer Forensic Guide to profiling USB Thumbdrives on Win7, Vista, and XP. This is a blog post by Rob Lee dated September of 2009.  This was more in line with what I was looking for given I that one found the USB device and wanted to start treating it as evidence. Rob had written about the differences between analyzing USB thumb drives and drive enclosures.  There was much good info in both posts.