If you are a digital forensic examiner, you must know, that clients very often ask to find out, which sensitive files were copied to USB thumb drives by disgruntled employees before they left the company. There are a lot of articles and guides on USB forensics on the Web, but most of them dealing with the flash drives and not the computer used by the employee. It seems quite strange to us as usually you have the computer’s drive or an image if the computer’s drive. So we have decided to write a USB forensics guide, which shows what to do if you have only computer’s image, and not the image of the USB thumb drive used for copying sensitive data.
First, we created a Windows 10 virtual machine using Oracle Virtual Box. After we created three files with Windows Wordpad on the Desktop: Secrets.rtf, Confidential.rtf and Clients.rtf. We connected a USB thumb drive to our virtual machine, copied these files, and checked if they were copied correctly by opening them. Finally, we performed a normal shut down operation.
We used VDI file and Magnet AXIOM for its forensic examination. Thankfully, AXIOM supports these virtual machine files. For example, FTK Imager doesn’t display VDI contents correctly.
For testing purposes, we processed our VDI file with default settings. We are interested in operating system artifacts, so let’s go straight to corresponding category.
Figure 1. Operating system artifacts extracted by Magnet AXIOM
Let’s start from identifying connected USB thumb drives. As you can see on figure 1, AXIOM already extracted this information from Windows registry for us.
Figure 2. USB devices list extracted by Magnet AXIOM
We have only one interesting device (highlighted), let’s check artifact details – look at figure 3.
Figure 3. Interesting USB device details
So, suspicious device was last connected on 9/8/2017 at 8:52:57 AM (UTC), was assigned “E” drive letter and had 58E3D488 as volume serial number. Let’s go further and identify the files copied to this flash drive.
Let’s start from the Jump Lists. According to Magnet Artifacts Reference Guide, Jump lists are “quick lists of recent applications or files that a user launched”. We have filtered Linked Path column with “E:” keyword and got six artifacts, you can see them on figure 4.
Figure 4. Relevant Jump Lists artifacts
As you can see, now we have the evidence, that our sensitive files were transferred to an external drive with “E” letter assigned. But is it really that USB thumb drive? Yes! Look at the volume serial number, it matches the one extracted from USB devices artifacts!
But that’s not all! There are more artifacts! Now look at LNK files, we also filtered Linked Path column with “E:” keyword. Now we have 14 artifacts, let’s look at the details of one of them.
Figure 5. Information extracted from Secrets.lnk by Magnet AXIOM
Again, we see, that Secrets.rtf was copied to a flash drive with “E” drive letter and 58E3D488 volume serial number. Also, we see the date and time it was copied – 9/8/2017 8:53:24 AM (UTC).
As you can see, we can find digital evidence of sensitive data being copied to a USB thumb drive even without examination of this drive. Of course, it’s not always possible and depends on employee’s habits, but nevertheless, you should always try.