Tracing Forensic Artefacts from USB-Bound Computing Environments on Windows Hosts

  • Jan Collie

    Student thesis: Doctoral Thesis


    This thesis proposes that it is possible to extract and analyse artefacts of potential evidential interest from host systems on which miniature computing environments have been run from USB-connectable devices. The research focuses on Windows systems and includes a comparison of the results obtained from traditional 'static' forensic data collection after a range of user-initiated activities had been conducted. Four software products were evaluated during this research cycle, all of which could be used as anti-forensic tools: the associated advertising claims that use of the software will leave either 'no trace' of user activity or no 'personal data' on the host system. It is shown that the USB-bound environments reviewed create numerous artefacts in both live and unallocated space on Windows hosts, and that these remain available to the digital forensic examiner after system halt. They include multiple references to the identified software and its related processes, as well as to user activity, in Registry keys and elsewhere. Artefacts relating to program use and data movement are also retained in live memory (RAM), and it is recommended that RAM is captured and analysed. Where this is not possible, relevant information originally held in RAM may be written to disk on system shutdown and hibernation, opening further opportunities to the analyst. This study builds on existing knowledge within digital forensic science and expands it in three ways. Firstly, it presents and explains a previously overlooked artefact which aids investigations involving the unauthorised use of both connected and connectable devices on Windows hosts. Secondly, it explores how portable virtualisation software interacts with host systems, a relatively uncharted field of enquiry. Finally, it informs research into anti-forensics by showing that, despite its ability to cover and wipe its tracks, portable virtualisation software does leave traces of user-related activity on host systems which can greatly assist a digital forensic enquiry. By means of the methodology set out in this thesis, these traces can be uncovered in RAM dumps and by targeted analysis of static hard drives.
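    As an added worked example (not part of the thesis or its tooling), the following Python script shows the kind of targeted scan the abstract describes: it searches a raw image, whether a RAM dump, carved unallocated space or a hibernation/page file that has already been decompressed, for indicator strings in both ASCII and UTF-16LE. UTF-16LE matters because Windows stores Registry data and most in-memory strings in that encoding, so a plain ASCII strings pass misses exactly the Registry and process artefacts the abstract refers to. The Registry path fragments are real Windows locations; the product name `PortableVM`, the scratch path `\Volatile\Temp\pvm_` and the sample image are constructed placeholders, since the page does not name the four products evaluated.

```python
"""Targeted indicator scan over a raw forensic image.

Added example for illustration; it is not the thesis's own tooling.
The Registry path fragments are real Windows locations, while the
product name "PortableVM", the scratch path and the sample image are
constructed placeholders (the page does not name the evaluated products).
"""
import re
from dataclasses import dataclass
from typing import List

# Indicator strings expected in unallocated space, RAM dumps or hive fragments.
INDICATORS = [
    r"USBSTOR\Disk&Ven_",         # SYSTEM\...\Enum\USBSTOR device keys (real)
    r"\MountedDevices",           # SYSTEM hive volume-to-device mappings (real)
    r"PortableVM\vmplayer.exe",   # hypothetical portable hypervisor binary
    r"\Volatile\Temp\pvm_",       # hypothetical scratch path written on the host
]

PRINTABLE = frozenset(range(0x20, 0x7F))


@dataclass
class Hit:
    offset: int      # byte offset of the indicator in the scanned buffer
    encoding: str    # "ascii" or "utf-16le"
    indicator: str
    context: str     # printable run starting at the hit, in the hit's encoding


def _patterns():
    """Compile each indicator twice: as ASCII and as UTF-16LE (the encoding
    Windows uses for Registry data and most in-memory strings)."""
    pats = []
    for ind in INDICATORS:
        for enc in ("ascii", "utf-16le"):
            pats.append((ind, enc, re.compile(re.escape(ind.encode(enc)), re.IGNORECASE)))
    return pats


def _printable_run(buf: bytes, start: int, encoding: str, limit: int = 64) -> str:
    """Read the printable string beginning at `start`, stopping at the first
    byte that is not printable (or, for UTF-16LE, not followed by a NUL)."""
    out, i, step = [], start, 1 if encoding == "ascii" else 2
    while i + step <= len(buf) and len(out) < limit and buf[i] in PRINTABLE:
        if step == 2 and buf[i + 1] != 0:
            break
        out.append(chr(buf[i]))
        i += step
    return "".join(out)


def scan(buf: bytes) -> List[Hit]:
    """Return every indicator occurrence in `buf`, sorted by offset."""
    hits = []
    for ind, enc, pat in _patterns():
        for m in pat.finditer(buf):
            hits.append(Hit(m.start(), enc, ind, _printable_run(buf, m.start(), enc)))
    hits.sort(key=lambda h: h.offset)
    return hits


def scan_file(path: str, chunk: int = 4 * 1024 * 1024, overlap: int = 512) -> List[Hit]:
    """Scan a large image in chunks, carrying `overlap` bytes across chunk
    boundaries so that indicators straddling a boundary are still found."""
    hits, seen, base, prev = [], set(), 0, b""
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            buf = prev + data
            for h in scan(buf):
                abs_off = base - len(prev) + h.offset
                if abs_off not in seen:          # de-duplicate hits seen in the overlap
                    seen.add(abs_off)
                    hits.append(Hit(abs_off, h.encoding, h.indicator, h.context))
            prev = buf[-overlap:]
            base += len(data)
    return hits


def sample_image() -> bytes:
    """Constructed buffer imitating unallocated space: filler, an ASCII log
    fragment, and a UTF-16LE Registry value as stored in the SYSTEM hive."""
    filler = bytes(range(256)) * 4
    log_line = (b"[14:02:11] launched C:\\Users\\user\\AppData\\Local\\Temp"
                b"\\PortableVM\\vmplayer.exe --portable\r\n")
    reg_value = ("SYSTEM\\ControlSet001\\Enum\\USBSTOR\\Disk&Ven_Kingston"
                 "&Prod_DataTraveler&Rev_1.00").encode("utf-16le")
    return filler + log_line + filler + reg_value + b"\x00\x00" + filler


if __name__ == "__main__":
    for h in scan(sample_image()):
        print(f"0x{h.offset:08x} {h.encoding:8} {h.indicator:28} {h.context}")
```

    Run `scan_file()` against a RAM dump or an image of unallocated space; the chunked reader keeps memory use flat on multi-gigabyte inputs. Two caveats for the shutdown and hibernation case the abstract mentions: hiberfil.sys stores memory pages in compressed form, so it must first be decompressed with a memory-forensics tool that understands the format before a string scan will find anything in it, and any hit in a paged or hibernated file should be corroborated against the Registry hives themselves rather than treated as proof of execution on its own.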
    Date of Award: Nov 2015
    Original language: English
