ccsi 330 week 5 lab

WEEK 5: LAB OVERVIEW

Viewing USB History in Windows

Objective

Whether an examiner is working an intellectual property theft case or a law enforcement investigator is searching for illicit images, most forensic examiners will investigate the USB device history of a computer.

Steps

1. Launch a Command Prompt as administrator.

2. Use the following command to save the information the registry holds about every USB storage device plugged into the computer to a file named "usb.txt".

reg query hklm\system\currentcontrolset\enum\usbstor /s > usb.txt

3. Use Notepad to open the "usb.txt" file.

4. Open a PowerShell window and use the following statement to see which kinds of USB devices have been connected to the computer.

Get-ChildItem HKLM:\SYSTEM\ControlSet001\Enum\USBSTOR | Select-Object PSChildname

5. In the PowerShell window, use the following statement to obtain a more readable version of the above output.

Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*' | Select FriendlyName
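
The statements above return raw key names. The following PowerShell script, added here as an example and not part of the original lab, splits each USBSTOR key name into device type, vendor, product, revision and serial number, one row per device instance. The function name ConvertFrom-UsbStorKey and the fallback sample device are constructed for illustration.

```powershell
# Added example (not from the lab handout): one row per USB storage device instance.
function ConvertFrom-UsbStorKey {
    param(
        [Parameter(Mandatory)] [string] $DeviceKey,   # e.g. Disk&Ven_X&Prod_Y&Rev_Z
        [Parameter(Mandatory)] [string] $InstanceId,  # subkey name under the device key
        [string] $FriendlyName
    )
    # The device key is '&'-separated: device type, then Ven_, Prod_ and Rev_ fields.
    $fields = @{}
    foreach ($part in ($DeviceKey -split '&')) {
        if ($part -match '^(Ven|Prod|Rev)_(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    # If the second character of the instance ID is '&', Windows generated the ID
    # because the device did not report a unique serial number.
    $generated = $InstanceId -match '^.&'
    [pscustomobject]@{
        Type           = ($DeviceKey -split '&')[0]
        Vendor         = $fields['Ven']
        Product        = $fields['Prod']
        Revision       = $fields['Rev']
        Serial         = $InstanceId -replace '&\d+$', ''   # drop the trailing &0 suffix
        SerialIsUnique = -not $generated
        FriendlyName   = $FriendlyName
    }
}

$root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
$rows = if (Test-Path $root) {
    foreach ($device in Get-ChildItem -Path $root) {
        foreach ($instance in Get-ChildItem -Path $device.PSPath) {
            $props = Get-ItemProperty -Path $instance.PSPath
            ConvertFrom-UsbStorKey -DeviceKey $device.PSChildName `
                -InstanceId $instance.PSChildName -FriendlyName $props.FriendlyName
        }
    }
} else {
    # No USBSTOR key on this machine: show the parsing on a constructed sample instead.
    Write-Warning 'USBSTOR key not found; showing a constructed sample row.'
    ConvertFrom-UsbStorKey -DeviceKey 'Disk&Ven_ExampleCo&Prod_Flash_Drive&Rev_1.00' `
        -InstanceId 'CONSTRUCTED0123456789&0' -FriendlyName 'ExampleCo Flash Drive USB Device'
}
$rows | Sort-Object Vendor, Product | Format-Table -AutoSize
```

A row with SerialIsUnique set to False cannot be tied to one physical device by serial number alone, which matters when matching a seized drive to this history.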

Deliverable

In a paper, describe the results from the steps above. Describe how you might collect possible digital evidence from USB history during an investigation.

Please remember to submit your paper.