When I started working on Windows 8 USB drive forensics, I assumed it would be pretty similar to Windows 7. I created a fresh Windows 8 VM and plugged a thumb drive into my local system. As usual, the VM recognized it as it should. At this point I shut the VM down and opened it in EnCase to examine what happened. All of the findings were similar to Windows 7 USB forensics and, much like the recycle bin, proved to be nothing exciting. Here are the results:
Mounted devices tab:
SYSTEM\CurrentControlSet\Enum\USBSTOR:
Setupapi.dev.log:
SOFTWARE\Microsoft\Windows Portable Devices\Devices – friendly name link:
These keys are all the same as in Windows 7; therefore, it should be smooth sailing to continue producing USB activity results.
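To tie two of the artifacts above together, the following added example (not code from the original post) pulls each USBSTOR device instance ID and its earliest install time out of setupapi.dev.log text. The function name `usbstor_first_installs` and all sample log values are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in setupapi.dev.log section layout (not data from the post).
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0000\0123456789ABCDEF]
>>>  Section start 2012/11/02 09:15:40.100
<<<  Section end 2012/11/02 09:15:41.000
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_FlashDrive&Rev_1.00\0123456789ABCDEF&0]
>>>  Section start 2012/11/02 09:15:42.318
     dvi: Install Device: Configuring device.
<<<  Section end 2012/11/02 09:15:44.901
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Reader&Rev_0.01\7&1a2b3c4d&0]
>>>  Section start 2012/11/03 18:02:07.004
<<<  Section end 2012/11/03 18:02:08.250
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \(Hardware initiated\) - (USBSTOR\\[^\]]+)\]", re.I)
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})")
INSTANCE = re.compile(
    r"USBSTOR\\[^&\\]+&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>.+)$", re.I)

def usbstor_first_installs(log_text):
    """Map each USBSTOR device instance ID to its earliest install section."""
    found, pending = {}, None
    for line in log_text.splitlines():
        if line.startswith(">>>") and "[" in line:
            m = HEADER.match(line)            # any other section header resets state
            pending = m.group(1) if m else None
            continue
        m = START.match(line)
        dev = INSTANCE.match(pending) if (m and pending) else None
        if dev:
            rec = dev.groupdict()
            inst = rec["instance"]
            # '&' as 2nd character: Windows generated the ID, device has no unique serial
            rec["unique_serial"] = len(inst) < 2 or inst[1] != "&"
            rec["serial"] = inst.rsplit("&", 1)[0] if rec["unique_serial"] else None
            # Log timestamps are local system time; convert using the image's time zone.
            rec["first_install_local"] = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            old = found.get(pending)
            if old is None or rec["first_install_local"] < old["first_install_local"]:
                found[pending] = rec
            pending = None
    return found

if __name__ == "__main__":
    for dev_id, rec in usbstor_first_installs(SAMPLE_LOG).items():
        print(rec["first_install_local"], rec["vendor"], rec["product"], rec["serial"], dev_id)
```

The returned instance IDs can be matched against the subkey names under the USBSTOR key, and the serial against the MountedDevices and Windows Portable Devices entries.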
I am very happy to read your post and I would like to take more important information like this Windows 8 News, Apps, Tips, etc. Windows 8 Post. To know more please click below link.