
Portable Storage Forensics: enhancing the value of USB device analysis and reporting


Abstract

USB based memory storage devices are an easy means of collecting and storing both legitimate and unlawful data. Due to their storage capacity and popularity of use, USB storage devices provide an important source of evidence to both law enforcement and corporate investigations. Digital forensic practitioners are frequently called upon to preserve, analyse, and report USB devices’ past connectivity history on Windows® based computer systems. Existing research and forensic analysis techniques have largely focused on USB artifacts related to the Windows® XP operating system. The release of the Windows® 7 operating system has created new avenues of USB artifact discovery for the digital forensics practitioner. Existing USB and related forensic software tools are plentiful; however, their source code and validation methods are rarely released for public or legal scrutiny. Likewise, there have been no published systematic toolset evaluations of the capabilities and functionality of existing toolsets related to USB device forensics. Consequently practitioners are limited in making the best toolset choices for their analysis needs. The problem area is USB memory storage device forensics. The purpose of this research was to provide a formal toolset evaluation of existing USB device analysis tools, and to develop a working prototype tool for use in future digital forensic examinations. A set of evaluation criteria was developed in order to identify gaps in existing tools’ functionality and reporting standards. The toolset evaluations found each of the tool samples had limitations in forensic functionality or reporting of USB storage devices. A Gap analysis identified three potential areas of improvement in analysis and reporting performance within the sample toolset. These gaps provided sufficient scope for the development of a new software reporting tool in order to add value to and enhance modern USB based forensic recovery techniques. 
A working prototype tool named USBForensicReporter© was specifically created as part of the research to support Windows® 7-based USB forensic examinations. The USBForensicReporter© tool provides both accurate and in-depth reporting of USB artifacts. The tool's design has a unique comparative analysis method, physical USB device to evidence set, for associating USB storage devices with collected Windows® operating system and registry artifacts. None of the evaluated sample tools had this level of comparative analysis whilst employing a single tool interface. In summary, the software development process was found to add examination value to the discipline of USB based memory device forensics. The developed prototype tool enhanced existing tool functions and provided new comparison analysis and reporting methods for digital forensic practitioners to utilise in the field. Recommendations for future research include releasing a final production version of the prototype software, and developing additional tool support for older Windows® operating systems such as Windows® XP and for the anticipated release of the next version, Windows® 8. The toolset benchmarking process also has the potential to be expanded to include a greater range of USB forensic tools for digital forensic practitioners to evaluate.

Bibliographic record

  • Author: Simms Mark
  • Year: 2012
  • Original format: PDF
  • Language of text: en
