
Tracing Forensic Artifacts from USB-Bound Computing Environments on Windows Hosts

Journal: Athens Journal of Sciences (Vol.3, No. 1)

Publication Date:

Authors : ;

Page : 17-30

Keywords : Anti-forensics; IconCache.db; Portable Applications; USB forensics;


Abstract

This paper proposes that it is possible to extract and analyse artifacts of potential evidential interest from host systems where miniature computing environments are run from USB-connectable devices. The research focuses on Windows systems and includes a comparison of the results obtained following a traditional ‘static’ forensic data collection after conducting a range of user-initiated activities. Four software products were evaluated during this research cycle, all of which could be used as anti-forensic tools. It is shown that the environments reviewed create numerous artifacts in both live and unallocated space on Windows hosts that are retained after a system halt. These include multiple references to identified software and related processes, as well as named user activity, in Registry keys, in IconCache.db and elsewhere. Artifacts related to program use and data movements are also retained in live memory (RAM), and it is recommended that this is captured and analysed.

Last modified: 2016-03-01 16:54:39