Exposing vital forensic artifacts of USB devices in the Windows 10 registry
Shaver, Jason S.
MetadataShow full item record
Digital media devices are regularly seized pursuant to criminal investigations and Microsoft Windows is the most commonly encountered platform on seized computers. Microsoft recently released a technical preview build of their Windows 10 operating system which can run on computers, smart phones, tablets, and embedded devices. This work investigated the forensically valuable areas of the Windows 10 registry. The focus was on the Windows Registry hives affected when USB storage devices are connected to a laptop configured with Windows 10. Paths were identified that indicate the date/time of last insertion and removal of a thumb drive. Live monitoring and post-mortem forensic methodologies were used to map Registry paths containing USB identifiers such as make/model information, serial numbers and GUIDs. These identifiers were located in multiple paths in the allocated and unallocated space of the Registries analyzed.
Approved for public release; distribution is unlimited
Showing items related by title, author, creator and subject.
Pereira, Barbara A. (2001-06);In the past few years, mobile handheld devices have emerged as an exciting new tool for accomplishing everyday tasks. Devices with the Windows CE operating system provide flexibility for the designer in the form of ...
Kerdsri, Jiradett (Monterey, California. Naval Postgraduate School, 2003-03);Simple Network Management Protocol (SNMP) allows users of network equipment (i.e. Network Administrators) to remotely query the state of any device being tested for system load, utilization and configuration. Windows NT, ...
Burns, Titus R. (Monterey, California. Naval Postgraduate School, 2001-09);Windows CE 3.0, also known as Pocket PC for palm-sized devices, is becoming increasingly popular among professionals and corporate enterprises. It is estimated that by 2004 Windows CE will have a share of 40% of the ...