USB Forensic Tracker

USB Forensic Tracker

USB Forensic Tracker v1.1.3

USB Forensics – USB Forensic Tracker (USBFT) is a comprehensive forensic tool that extracts USB device connection artefacts from a range of locations within the live system, from mounted forensic images, from volume shadow copies, from extracted Windows system files and from both extracted Mac OSX and Linux system files. The extracted information from each location is displayed within its own table view. The information can be exported to an Excel file.

USBFT now has the ability to do the following:

• Mount forensic images and volume shadow copies.
• Display information about previously mounted TrueCrypt and VeraCrypt volumes.
• Display information about files accessed from USB devices and link the files to specific USB devices.

USBFT extracts information from the following locations:

• Windows
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
  • HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SWD\WPDBUSENUM
  • HKEY_USERS\SID\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows NT\CurrentVersion\EMDMgmt
  • C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx (Windows 7)
  • C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-ClassPnP/Operational.evtx 
  • C:\Windows\System32\winevt\Logs\Microsoft-Windows-WPD-MTPClassDriver/Operational.evtx
  • C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx
  • C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx
  • C:\Windows\INF\setupapi.dev.log
  • C:\Windows\INF\ setupapi.dev.yyyymmdd_hhmmss.log
  • C:\Windows\setupapi.log
  • “Windows.old” folder
  • Volume Shadow Copies
  • C:\Users\<user account>\AppData\Roaming\Microsoft\ Windows\ Recent\ <Lnk files>
• Mac OSX (tested on OSX 10.6.8 and 10.10.3)
  • /private/var/log/kernel.log
  • /private/var/log/kernel.log.incrementalnumber.bz2
  • /private/var/log/system.log
  • /private/var/log/system.log.incrementalnumber.gz
• Linux (tested on Ubuntu 17.04)
  • /var/log/syslog

Requirements

USBFT requires Net Framework 4.5 to be installed on the system.

A 32bit and 64 bit version of USB Forensic Tracker is included in the download. If you run the 32 bit version on a 64 bit machine, USBFT will not display the results for the Event Log artefacts or for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices.

From the “Help” menu the user can check for updates.

License

This utility is released as freeware. You are allowed to freely distribute this program via any method, as long as you don’t charge anything for this. If you distribute this utility, you must include all files in the distribution package, without any modification!

Icons by Everaldo Coelho from the Crystal project are used; these are released under the LGPL license.

Imager Mounter – a special thanks to Mark Spencer president of Arsenal Recon who has very kindly granted me permission to incorporate Arsenal Image Mounter (AIM) within USBFT.
https://arsenalrecon.com/weapons/image-mounter/

Disclaimer

The software is provided “AS IS” without any warranty, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason.