Exposing Vital Forensic Artifacts of USB Devices in the Windows 10 Registry

Abstract

Digital media devices are regularly seized pursuant to criminal investigations, and Microsoft Windows is the most commonly encountered platform on seized computers. Microsoft recently released a technical preview build of their Windows 10 operating system, which can run on computers, smart phones, tablets, and embedded devices. This work investigated the forensically valuable areas of the Windows 10 registry. The focus was on the Windows Registry hives affected when USB storage devices are connected to a laptop configured with Windows 10. Paths were identified that indicate the date/time of last insertion and removal of a thumb drive. Live monitoring and post-mortem forensic methodologies were used to map Registry paths containing USB identifiers such as make/model information, serial numbers, and GUIDs. These identifiers were located in multiple paths in the allocated and unallocated space of the Registries analyzed.

Document Details

Document Type
Technical Report
Publication Date
Jun 01, 2015
Accession Number
ADA632484

Entities

People

  • Jason S. Shaver

Organizations

  • Naval Postgraduate School

Tags

Communities of Interest

  • Cyber
  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Artifacts
  • Computer Crime
  • Computer Programs
  • Computers
  • Computing Devices
  • Crime
  • Digital Media
  • Forensic Analysis
  • Graphical User Interface
  • Internet
  • Mobile Phones
  • Monitoring
  • Operating Systems
  • Security
  • Spreadsheet Software
  • Standards
  • Web Browsers

Readers

  • Agent-Based Social Robotics and Mobile-Assisted Learning in Virtual Environments.
  • Database Systems and Applications
  • Solar Photovoltaics and Thermoelectric Devices.

Technology Areas

  • Space