USB Detective 1.6.3 Academic | Enterprise | Portable

USB
17 September 2023, 09:44

Download Now

USB Detective incorporates dozens of data points to identify and correlate USB device artifacts. USB Detective organizes its findings to allow you to quickly identify misleading timestamps and streamline the investigation process. Multiple reporting mechanisms allow for easily-digested Excel reports or verbose reports for deeper analysis and research.

Features

Processes USB device artifacts from Windows XP through Windows 11
Support for live system, individual files/folders, and logical drive processing
Processes multiple versions of all accepted artifacts
Source of every identified value preserved for later reporting and documentation
Leverage the latest changes in Windows to obtain even more device information
Visually represented timestamp consistency levels
Dozens of sources queried for USB device information
Automatically correlates LNK file and jump list records to show opened/accessed files on USB devices
Processes shellbags to reveal directory interactions and creations on removable media

Key Features

Create Excel spreadsheets for high-level USB device history reports
Create verbose reports for deeper analysis and research
Create timelines including all unique connection/disconnection and deletion timestamps for each device
Create individual device timelines for all unique connection/disconnection timestamps for a single device
Add LNK file and jump list activity to reports to provide deeper insight into user activity
Identify device removal time(s) from device cleanup in Windows 10
Identify encryption type for encrypted devices
Identify multiple connection and disconnection times for each device
Leverage Windows event logs for improved correlation and device history
Replay registry transaction logs to identify device data not yet written to the primary hive
Automatically process and aggregate data from volume shadow copies
Identify devices even after they’re removed via Windows 10 device cleanup or feature update
Queried data points adjusted based on automatic OS version detection
Automatic checking and exclusion of unreliable timestamps
Search mounted forensic image instead of individual files/folders
Automatic detection of system timezone
Normalize local and UTC timestamps using system timezone
Alerts for suspicious timestamps
Correlation using multiple data points (device serial, disk ID, etc.)
Advanced correlation of external hard drives
Advanced correlation for Apple devices
Identify prior volume names and serial numbers for formatted devices
Settings from prior session automatically reloaded
Search all control sets of all provided SYSTEM hives
Adjust consistency level threshold
And much more…