Exposing vital forensic artifacts of USB devices in the Windows 10 registry
Approved for public release; distribution is unlimited === Digital media devices are regularly seized pursuant to criminal investigations and Microsoft Windows is the most commonly encountered platform on seized computers. Microsoft recently released a technical preview build of their Windows 10 ope...
| Main Author: | |
|---|---|
| Other Authors: | |
| Published: |
Monterey, California: Naval Postgraduate School
2015
|
| Online Access: | http://hdl.handle.net/10945/45940 |
| id |
ndltd-nps.edu-oai-calhoun.nps.edu-10945-45940 |
|---|---|
| record_format |
oai_dc |
| spelling |
ndltd-nps.edu-oai-calhoun.nps.edu-10945-459402015-08-07T04:15:11Z Exposing vital forensic artifacts of USB devices in the Windows 10 registry Shaver, Jason S. Rowe, Neil McCarrin, Michael Cyber Academic Group Approved for public release; distribution is unlimited Digital media devices are regularly seized pursuant to criminal investigations and Microsoft Windows is the most commonly encountered platform on seized computers. Microsoft recently released a technical preview build of their Windows 10 operating system which can run on computers, smart phones, tablets, and embedded devices. This work investigated the forensically valuable areas of the Windows 10 registry. The focus was on the Windows Registry hives affected when USB storage devices are connected to a laptop configured with Windows 10. Paths were identified that indicate the date/time of last insertion and removal of a thumb drive. Live monitoring and post-mortem forensic methodologies were used to map Registry paths containing USB identifiers such as make/model information, serial numbers and GUIDs. These identifiers were located in multiple paths in the allocated and unallocated space of the Registries analyzed. 2015-08-05T23:06:04Z 2015-08-05T23:06:04Z 2015-06 Thesis http://hdl.handle.net/10945/45940 This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States. Monterey, California: Naval Postgraduate School |
| collection |
NDLTD |
| sources |
NDLTD |
| description |
Approved for public release; distribution is unlimited === Digital media devices are regularly seized pursuant to criminal investigations and Microsoft Windows is the most commonly encountered platform on seized computers. Microsoft recently released a technical preview build of their Windows 10 operating system which can run on computers, smart phones, tablets, and embedded devices. This work investigated the forensically valuable areas of the Windows 10 registry. The focus was on the Windows Registry hives affected when USB storage devices are connected to a laptop configured with Windows 10. Paths were identified that indicate the date/time of last insertion and removal of a thumb drive. Live monitoring and post-mortem forensic methodologies were used to map Registry paths containing USB identifiers such as make/model information, serial numbers and GUIDs. These identifiers were located in multiple paths in the allocated and unallocated space of the Registries analyzed. |
| author2 |
Rowe, Neil |
| author_facet |
Rowe, Neil Shaver, Jason S. |
| author |
Shaver, Jason S. |
| spellingShingle |
Shaver, Jason S. Exposing vital forensic artifacts of USB devices in the Windows 10 registry |
| author_sort |
Shaver, Jason S. |
| title |
Exposing vital forensic artifacts of USB devices in the Windows 10 registry |
| title_short |
Exposing vital forensic artifacts of USB devices in the Windows 10 registry |
| title_full |
Exposing vital forensic artifacts of USB devices in the Windows 10 registry |
| title_fullStr |
Exposing vital forensic artifacts of USB devices in the Windows 10 registry |
| title_full_unstemmed |
Exposing vital forensic artifacts of USB devices in the Windows 10 registry |
| title_sort |
exposing vital forensic artifacts of usb devices in the windows 10 registry |
| publisher |
Monterey, California: Naval Postgraduate School |
| publishDate |
2015 |
| url |
http://hdl.handle.net/10945/45940 |
| work_keys_str_mv |
AT shaverjasons exposingvitalforensicartifactsofusbdevicesinthewindows10registry |
| _version_ |
1716816438382034944 |