Attached Devices

Another key piece of evidence that may be useful to an analyst is data about when specific devices were attached to the system. In the scenario of a malicious insider attempting to steal confidential documents, knowing whether they utilized a USB device would be helpful. Autopsy utilizes the Registry settings located on the system to identify the types of devices attached and the last time that they were used. In this case, the output of clicking Devices Attached in the left pane produces the following results:

Drilling down into the Results tab, the analyst would be able to identify the type of device, and the date and time ...

Get Digital Forensics and Incident Response now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.