{"id":256,"date":"2023-03-23T10:08:01","date_gmt":"2023-03-23T10:08:01","guid":{"rendered":"https:\/\/e5hforensics.com\/?page_id=256"},"modified":"2023-11-19T18:21:50","modified_gmt":"2023-11-19T18:21:50","slug":"usb-forensic-tracker","status":"publish","type":"page","link":"https:\/\/e5hforensics.com\/index.php\/downloads\/software\/usb-forensic-tracker\/","title":{"rendered":"USB Forensic Tracker"},"content":{"rendered":"\n<h2 class=\"wp-block-heading has-zeever-secondary-color has-text-color\">USB Forensic Tracker<\/h2>\n\n\n\n\n\n\n\n<p><strong>USB Forensic Tracker v1.1.3<\/strong><\/p>\n\n\n\n<p>USB Forensics &#8211; USB Forensic Tracker (USBFT) is a comprehensive forensic tool that extracts USB device connection artefacts from a range of locations within the live system, from mounted forensic images, from volume shadow copies, from extracted Windows system files and from both extracted Mac OSX and Linux system files. The extracted information from each location is displayed within its own table view. The information can be exported to an Excel file.<\/p>\n\n\n\n<p>USBFT now has the ability to do the following: <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Mount forensic images and volume shadow copies.<\/li>\n\n\n\n<li>Display information about previously mounted TrueCrypt and VeraCrypt volumes.<\/li>\n\n\n\n<li>Display information about files accessed from USB devices and link the files to specific USB devices.<\/li>\n<\/ul>\n\n\n\n<p>USBFT extracts information from the following locations:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Windows<\/strong>\n<ul class=\"wp-block-list\">\n<li>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR<\/li>\n\n\n\n<li>HKEY_LOCAL_MACHINE\\SYSTEM\\MountedDevices<\/li>\n\n\n\n<li>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses<\/li>\n\n\n\n<li>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM<\/li>\n\n\n\n<li>HKEY_USERS\\SID\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2<\/li>\n\n\n\n<li>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList<\/li>\n\n\n\n<li>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Portable Devices<\/li>\n\n\n\n<li>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Search\\VolumeInfoCache<\/li>\n\n\n\n<li>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\ Windows NT\\CurrentVersion\\EMDMgmt<\/li>\n\n\n\n<li>C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx (Windows 7)<\/li>\n\n\n\n<li>C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-Storage-ClassPnP\/Operational.evtx&nbsp;<\/li>\n\n\n\n<li>C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-WPD-MTPClassDriver\/Operational.evtx<\/li>\n\n\n\n<li>C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-Partition%4Diagnostic.evtx<\/li>\n\n\n\n<li>C:\\Windows\\System32\\winevt\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx<\/li>\n\n\n\n<li>C:\\Windows\\INF\\setupapi.dev.log<\/li>\n\n\n\n<li>C:\\Windows\\INF\\ setupapi.dev.yyyymmdd_hhmmss.log<\/li>\n\n\n\n<li>C:\\Windows\\setupapi.log<\/li>\n\n\n\n<li>\u201cWindows.old\u201d folder<\/li>\n\n\n\n<li>Volume Shadow Copies<\/li>\n\n\n\n<li>C:\\Users\\&lt;user account&gt;\\AppData\\Roaming\\Microsoft\\ Windows\\ Recent\\ &lt;Lnk files&gt;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Mac OSX (tested on OSX 10.6.8 and 10.10.3)<\/strong>\n<ul class=\"wp-block-list\">\n<li>\/private\/var\/log\/kernel.log<\/li>\n\n\n\n<li>\/private\/var\/log\/kernel.log.incrementalnumber.bz2<\/li>\n\n\n\n<li>\/private\/var\/log\/system.log<\/li>\n\n\n\n<li>\/private\/var\/log\/system.log.incrementalnumber.gz<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Linux (tested on Ubuntu 17.04)<\/strong>\n<ul class=\"wp-block-list\">\n<li>\/var\/log\/syslog<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p><strong>Requirements<\/strong><\/p>\n\n\n\n<p>USBFT requires Net Framework 4.5 to be installed on the system.<\/p>\n\n\n\n<p>A 32bit and 64 bit version of USB Forensic Tracker is included in the download. If you run the 32 bit version on a 64 bit machine, USBFT will not display the results for the Event Log artefacts or for HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Portable Devices.<\/p>\n\n\n\n<p>From the \u201cHelp\u201d menu the user can check for updates.<\/p>\n\n\n\n<p><strong>License<\/strong><\/p>\n\n\n\n<p>This utility is released as freeware. You are allowed to freely distribute this program via any method, as long as you don\u2019t charge anything for this. If you distribute this utility, you must include all files in the distribution package, without any modification!<\/p>\n\n\n\n<p>Icons by&nbsp;<a href=\"http:\/\/www.everaldo.com\/\">Everaldo Coelho<\/a>&nbsp;from the Crystal project are used; these are released under the&nbsp;<a href=\"http:\/\/www.gnu.org\/licenses\/lgpl.html\">LGPL license<\/a>.<\/p>\n\n\n\n<p>Imager Mounter \u2013 a special thanks to Mark Spencer president of Arsenal Recon who has very kindly granted me permission to incorporate Arsenal Image Mounter (AIM) within USBFT.<br><a href=\"https:\/\/arsenalrecon.com\/weapons\/image-mounter\/\">https:\/\/arsenalrecon.com\/weapons\/image-mounter\/<\/a><\/p>\n\n\n\n<p><strong>Disclaimer<\/strong><\/p>\n\n\n\n<p>The software is provided \u201cAS IS\u201d without any warranty, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason.<\/p>\n\n\n\n\n","protected":false},"excerpt":{"rendered":"<p>USB Forensic Tracker USB Forensic Tracker v1.1.3 USB Forensics &#8211; USB Forensic Tracker (USBFT) is a comprehensive forensic tool that extracts USB device connection artefacts from a range of locations within the live system, from mounted forensic images, from volume shadow copies, from extracted Windows system files and from both extracted Mac OSX and Linux system files. The extracted information from each location is displayed within its own table view. The information can be exported to an Excel file. USBFT now has the ability to do the following: USBFT extracts information from the following locations: Requirements USBFT requires Net Framework<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":208,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"class_list":["post-256","page","type-page","status-publish","hentry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/pages\/256","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/comments?post=256"}],"version-history":[{"count":15,"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/pages\/256\/revisions"}],"predecessor-version":[{"id":830,"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/pages\/256\/revisions\/830"}],"up":[{"embeddable":true,"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/pages\/208"}],"wp:attachment":[{"href":"https:\/\/e5hforensics.com\/index.php\/wp-json\/wp\/v2\/media?parent=256"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}