USB Forensics – Reconstruction of Digital Evidence from USB Drive


FTK Imager:-

Click the Add button and select the appropriate image format, E01.
The figure above shows that the selected image type is E01.
Evidence Information.

Forensic Image:-

The chosen source evidence is Logical Drive (USB).

Producing USB Image:-

Digital forensic analysis of USB devices includes the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal.

The figure above shows that creation of the USB image in .E01 format is in progress.
It will take several minutes to hours to produce the image file.


Click the green button at the top left to add evidence to the panel, and choose the source evidence type.

Extract the Evidence:


Select & Create Disk Image from the File menu.
Disk Image Format.

Expanding the evidence tree of the USB device shows an overall view of the data deleted in the past.
Drill down further to check and investigate the type of evidence deleted.

Disk Imaging – USB Forensics:-

Digital Evidence Analysis:-

Check the drop-down menu; here the HP USB is selected for analysis.
Evidence Tree data.

The figure above shows some suspicious activity likely to be found on the USB drive. Antivirus, illegal things and other folders have been deleted.
Deleted Files & Folders Recovery:-

Select the destination path for the USB image, C:\Users\Balaganesh\Desktop\New folder; the image file name is HP Thumb Drive.
Image Creation – USB Forensics.

A disk image is defined as a computer file that contains the contents and structure of a data storage device such as a hard drive, CD drive, phone, tablet, RAM, or USB.
The disk image consists of the actual contents of the data storage device, as well as the information necessary to replicate the structure and content layout of the device.
However, a wide range of well-known tools is used, as accepted by the court of law, to perform the analysis.
Standard tools are the only ones authorized under law; forensic examiners are not allowed to perform imaging with unknown or new tools.

Finally, we have recovered malicious Tor .onion links in PDF format as evidence. Happy investigating!!
Note: In some cases the extracted file may be empty, which shows that new files have overwritten it. In that situation, the file attributes will serve as evidence.

Standard Tools: EnCase Forensic Imager and its extension (Imagename.E01)
Forensic Toolkit Imaging & Analysis:
Since EnCase forensic software costs around $2,995.00–$3,594.00, the imaging and analysis here will be performed with the FTK forensic software made by AccessData.
FTK includes a standalone disk imager, which is a simple but concise tool.

It is mandatory to add more information about the USB type, size, color and other identifying details of the evidence.
Image location.

The figure shown above is the panel of AccessData FTK Imager.
Evidence Tree.

Warning: It is recommended not to work with the original evidence during the investigation, because accidentally copying new data to the USB will overwrite the previously deleted files on it. The integrity of the evidence will then fail, so always work with a forensic image copy.

Logical Drive.

Unplug the USB evidence, keep the original evidence safe, and always work with the forensic image.
The figure above shows the forensic copy or image to be selected. Here the forensic image is HP.E01.
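
A structural check that can be run on the working copy of an image such as HP.E01 before it is loaded for analysis, as an added example (not part of the original article or of FTK Imager): it confirms the EWF signature, reads the segment number and verifies the Adler-32 checksum of each section descriptor. The field layout is an assumption taken from public EWF-E01 format documentation, and the sample segment is constructed and simplified.

```python
import struct
import zlib

# Layout below is an assumption from public EWF-E01 documentation, not from this page.
EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"  # magic at the start of every segment file
FILE_HEADER = struct.Struct("<8sBHH")        # signature, 0x01, segment number, 0x0000
SECTION = struct.Struct("<16sQQ40xI")        # type, next offset, size, padding, Adler-32

def parse_segment(data):
    """Return (segment_number, [(section_type, offset, checksum_ok), ...])."""
    if len(data) < FILE_HEADER.size:
        raise ValueError("too short for an EWF file header")
    sig, start, segment, end = FILE_HEADER.unpack_from(data, 0)
    if sig != EWF_SIGNATURE or start != 1 or end != 0:
        raise ValueError("not an EWF-E01 segment file")
    sections, offset = [], FILE_HEADER.size
    while offset + SECTION.size <= len(data):
        raw_type, next_off, _size, stored = SECTION.unpack_from(data, offset)
        name = raw_type.rstrip(b"\x00").decode("ascii", "replace")
        # The checksum covers the 72 descriptor bytes that precede it.
        ok = zlib.adler32(data[offset:offset + 72]) == stored
        sections.append((name, offset, ok))
        if name in ("done", "next") or next_off <= offset:
            break  # last section of this segment, or a pointer that cannot be followed
        offset = next_off
    return segment, sections

def _section(name, offset, body=b"", last=False):
    """Build one constructed section (descriptor plus body) for the sample."""
    size = SECTION.size + len(body)
    head = struct.pack("<16sQQ40x", name, offset if last else offset + size, size)
    return head + struct.pack("<I", zlib.adler32(head)) + body

def build_sample():
    """Constructed, simplified segment: file header, then header/volume/done sections."""
    data = FILE_HEADER.pack(EWF_SIGNATURE, 1, 1, 0)
    for name, body in ((b"header", b"\x00" * 20), (b"volume", b"\x00" * 8), (b"done", b"")):
        data += _section(name, len(data), body, last=(name == b"done"))
    return data

if __name__ == "__main__":
    segment, sections = parse_segment(build_sample())
    print("segment", segment)
    for name, offset, ok in sections:
        print(f"{offset:6d}  {name:<8}  checksum {'ok' if ok else 'BAD'}")
```

On a real image, pass the bytes of the working copy rather than reading from the original device; a failed checksum or a section chain that never reaches `done` or `next` points to a truncated or altered copy.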

Here we have learnt that the USB contains files with suspicious names in PDF format.