Forensics Linux Forensics Ebook

USB Forensics

The use of USB devices to store personal data and information is increasing day by day due to the portability and the plug-and-play nature of these devices. A USB (Universal Serial Bus) device provides storage capacity ranging from 2 GB to 128 GB or more. Due to the stealthy nature of these devices, USB drives can be used to store malicious and dangerous programs and files, such as packet sniffers, keyloggers, malicious files, etc. to carry out malicious tasks by hackers and script kiddies. When incriminating information such as blackmailing is deleted from a USB device, then USB forensics will come into play to retrieve the deleted information. The retrieval or recovery of deleted data from USB drives is what we call USB forensics. This article will take a look at the professional procedure for performing forensics analysis on a USB device.

Create Copy Image of USB Drive

The first thing we will do is make a copy of the USB drive. In this case, regular backups will not work. This is a very crucial step, and if it is done wrong, all the work will go to waste. Use the following command to list all the drives attached to the system:

ubuntu@ubuntu:~$ sudo fdisk -l

In Linux, the drive names are different from Windows. In a Linux system, hda and hdb are used (sda, sdb, sdc, etc.) for SCSI, unlike in Windows OS.

Now that we have the drive name, we can create its .dd image bit-by-bit with the dd utility by entering the following command:

ubuntu@ubuntu:~$ sudo  dd if=/dev/sdc1 of=usb.dd bs=512 count=1

if=the location of the USB drive
of=the destination where the copied image will be stored (can be a local path on your system, e.g. /home/user/usb.dd)
bs=the number of bytes that will be copied at a time

To secure proof that we have the original image copy of the drive, we will use hashing to maintain the image’s integrity. Hashing will provide a hash for the USB drive. If a single bit of data is changed, the hash will be changed completely, and one will know if the copy is fake or original. We will generate an md5 hash of the drive so that, when compared with the drive’s original hash, no one can question the integrity of the copy.

ubuntu@ubuntu:~$ md5sum usb.dd

This will provide an md5 hash of the image. Now, we can start our forensics analysis on this newly created image of the USB drive, along with the hash.

Boot Sector Layout

Running the file command will give back the file system, as well as the drive’s geometry:

ubuntu@ubuntu:~$ file usb.dd

ok.dd: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "MSDOS5.0",
sectors/cluster 8, reserved sectors 4392, Media descriptor 0xf8,
sectors/track 63, heads 255, hidden sectors 32, sectors 1953760 (volumes > 32 MB),
FAT (32 bit), sectors/FAT 1900, reserved 0x1, serial number 0x6efa4158, unlabeled

Now, we can use the minfo tool to get the NTFS boot sector layout and the boot sector information via the following command:

ubuntu@ubuntu:~$ minfo -i  usb.dd

device information:
===================
filename="ok.dd"
sectors per track: 63
heads: 255
cylinders: 122

mformat command line: mformat -T 1953760 -i ok.dd  -h 255 -s 63 -H 32 ::

boot sector information
======================
banner:"MSDOS5.0"
sector size: 512 bytes
cluster size: 8 sectors
reserved (boot) sectors: 4392
fats: 2
max available root directory slots: 0
small size: 0 sectors
media descriptor byte: 0xf8
sectors per fat: 0
sectors per track: 63
heads: 255
hidden sectors: 32
big size: 1953760 sectors
physical drive id: 0x80
reserved=0x1
dos4=0x29
serial number: 6EFA4158
disk label="NO NAME    "
disk type="FAT32   "
Big fatlen=1900
Extended flags=0x0000
FS version=0x0000
rootCluster=2
infoSector location=1
backup boot sector=6

Infosector:
signature=0x41615252
free clusters=243159
last allocated cluster=15

Another command, the fstat command, can be used to obtain general known info, such as allocation structures, layout, and boot blocks, about the device image. We will use the following command to do so:

ubuntu@ubuntu:~$ fstat usb.dd


--------------------------------------------
File System Type: FAT32

OEM Name: MSDOS5.0
Volume ID: 0x6efa4158
Volume Label (Boot Sector): NO NAME    
Volume Label (Root Directory): KINGSTON  
File System Type Label: FAT32  
Next Free Sector (FS Info): 8296
Free Sector Count (FS Info): 1945272

Sectors before file system: 32

File System Layout (in sectors)
Total Range: 0 - 1953759
* Reserved: 0 - 4391
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 6
* FAT 0: 4392 - 6291
* FAT 1: 6292 - 8191
* Data Area: 8192 - 1953759
** Cluster Area: 8192 - 1953759
*** Root Directory: 8192 - 8199

METADATA INFORMATION
--------------------------------------------
Range: 2 - 31129094
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 2 - 243197

FAT CONTENTS (in sectors)
--------------------------------------------
8192-8199 (8) -> EOF
8200-8207 (8) -> EOF
8208-8215 (8) -> EOF
8216-8223 (8) -> EOF
8224-8295 (72) -> EOF
8392-8471 (80) -> EOF
8584-8695 (112) -> EOF

Deleted Files

The Sleuth Kit provides the fls tool, which provides all the files (especially recently deleted files) in each path, or in the image file specified. Any information about deleted files can be found using the fls utility. Enter the following command to use the fls tool:

ubuntu@ubuntu:~$ fls -rp -f fat32 usb.dd

r/r 3:  KINGSTON    (Volume Label Entry)
d/d 6:  System Volume Information
r/r 135:    System Volume Information/WPSettings.dat
r/r 138:    System Volume Information/IndexerVolumeGuid
r/r * 14:   Game of Thrones 1 720p x264 DDP 5.1 ESub - xRG.mkv
r/r * 22:   Game of Thrones 2 (Pretcakalp) 720 x264 DDP 5.1 ESub - xRG.mkv
r/r * 30:   Game of Thrones 3 720p x264 DDP 5.1 ESub - xRG.mkv
r/r * 38:   Game of Thrones 4 720p x264 DDP 5.1 ESub - xRG.mkv
d/d * 41:   Oceans Twelve (2004)
r/r 45: MINUTES OF PC-I HELD ON 23.01.2020.docx
r/r * 49:   MINUTES OF LEC HELD ON 10.02.2020.docx
r/r * 50:   windump.exe
r/r * 51:   _WRL0024.tmp
r/r 55: MINUTES OF LEC HELD ON 10.02.2020.docx
d/d * 57:   New folder
d/d * 63:   tender notice for network infrastructure equipment
r/r * 67:   TENDER NOTICE (Mega PC-I) Phase-II.docx
r/r * 68:   _WRD2343.tmp
r/r * 69:   _WRL2519.tmp
r/r 73: TENDER NOTICE (Mega PC-I) Phase-II.docx
v/v 31129091:   $MBR
v/v 31129092:   $FAT1
v/v 31129093:   $FAT2
d/d 31129094:   $OrphanFiles
-/r * 22930439: $bad_content1
-/r * 22930444: $bad_content2
-/r * 22930449: $bad_content3

Here, we have obtained all the relevant files. The following operators were used with the fls command :

-p =used to display the full path of every file recovered
-r =used to display the paths and folders recursively
-f =the type of file system used (FAT16, FAT32, etc.)

The above output shows that the USB drive contains many files. The deleted files recovered are notated with a “*” sign. You can see that something is not normal with the files named  $bad_content1, $bad_content2, $bad_content3, and  windump.exe. Windump is a network traffic capture tool.  Using the windump tool, one can capture data not meant for the same computer. The intent is shown in the fact that the software windump has the specific purpose to capture network traffic and was intentionally used to gain access to the personal communications of a legitimate user.

Timeline Analysis

Now that we have an image of the file system, we can perform MAC timeline analysis of the image to generate a timeline and to place the contents with the date and time in a systematic, readable format. Both the fls and ils commands can be used to build a timeline analysis of the file system. For the fls command, we need to specify that the output will be in MAC timeline output format. To do so, we will run the fls command with the -m flag and redirect the output to a file. We will also use the -m flag with the ils command.

ubuntu@ubuntu:~$ fls -m / -rp -f fat32 ok.dd > usb.fls
ubuntu@ubuntu:~$ cat usb.fls

0|/KINGSTON    (Volume Label Entry)|3|r/rrwxrwxrwx|0|0|0|0|1531155908|0|0
0|/System Volume Information|6|d/dr-xr-xr-x|0|0|4096|1531076400|1531155908|0|1531155906
0|/System Volume Information/WPSettings.dat|135|r/rrwxrwxrwx|0|0|12|1532631600|1531155908|0|1531155906
0|/System Volume Information/IndexerVolumeGuid|138|r/rrwxrwxrwx|0|0|76|1532631600|1531155912|0|1531155910
0|Game of Thrones 1 720p x264 DDP 5.1 ESub - xRG.mkv (deleted)|14|r/rrwxrwxrwx|0|0|535843834|1531076400|1531146786|0|1531155918
0|Game of Thrones 2 720p x264 DDP 5.1 ESub - xRG.mkv(deleted)|22|r/rrwxrwxrwx|0|0|567281299|1531162800|1531146748|0|1531121599
0|/Game of Thrones 3 720p x264 DDP 5.1 ESub - xRG.mkv(deleted)|30|r/rrwxrwxrwx|0|0|513428496|1531162800|1531146448|0|1531121607
0|/Game of Thrones 4 720p x264 DDP 5.1 ESub - xRG.mkv(deleted)|38|r/rrwxrwxrwx|0|0|567055193|1531162800|1531146792|0|1531121680
0|/Oceans Twelve (2004) (deleted)|41|d/drwxrwxrwx|0|0|0|1532545200|1532627822|0|1532626832
0|/MINUTES OF PC-I HELD ON 23.01.2020.docx|45|r/rrwxrwxrwx|0|0|33180|1580410800|1580455238|0|1580455263
0|/MINUTES OF LEC HELD ON 10.02.2020.docx (deleted)|49|r/rrwxrwxrwx|0|0|46659|1581966000|1581932204|0|1582004632
0|/_WRD3886.tmp (deleted)|50|r/rrwxrwxrwx|0|0|38208|1581966000|1582006396|0|1582004632
0|/_WRL0024.tmp (deleted)|51|r/rr-xr-xr-x|0|0|46659|1581966000|1581932204|0|1582004632
0|/MINUTES OF LEC HELD ON 10.02.2020.docx|55|r/rrwxrwxrwx|0|0|38208|1581966000|1582006396|0|1582004632
(deleted)|67|r/rrwxrwxrwx|0|0|56775|1589482800|1589528598|0|1589528701
0|/_WRD2343.tmp (deleted)|68|r/rrwxrwxrwx|0|0|56783|1589482800|1589528736|0|1589528701
0|/_WRL2519.tmp (deleted)|69|r/rr-xr-xr-x|0|0|56775|1589482800|1589528598|0|1589528701
0|/TENDER NOTICE (Mega PC-I) Phase-II.docx|73|r/rrwxrwxrwx|0|0|56783|1589482800|1589528736|0|1589528701
0|/$MBR|31129091|v/v---------|0|0|512|0|0|0|0
0|/$FAT1|31129092|v/v---------|0|0|972800|0|0|0|0
0|/$FAT2|31129093|v/v---------|0|0|972800|0|0|0|0
0|/New folder (deleted)|57|d/drwxrwxrwx|0|0|4096|1589482800|1589528384|0|1589528382
0|Windump.exe (deleted)|63|d/drwxrwxrwx|0|0|4096|1589482800|1589528384|0|1589528382
0|/TENDER NOTICE (Mega PC-I) Phase-II.docx (deleted)|67|r/rrwxrwxrwx|0|0|56775|1589482800|1589528598|0|1589528701
0|/_WRD2343.tmp (deleted)|68|r/rrwxrwxrwx|0|0|56783|1589482800|1589528736|0|1589528701
0|/_WRL2519.tmp (deleted)|69|r/rr-xr-xr-x|0|0|56775|1589482800|1589528598|0|1589528701
0|/TENDER NOTICE (Mega PC-I) Phase-II.docx|73|r/rrwxrwxrwx|0|0|56783|1589482800|1589528736|0|1589528701
0|/$MBR|31129091|v/v---------|0|0|512|0|0|0|0
0|/$FAT1|31129092|v/v---------|0|0|972800|0|0|0|0
0|/$FAT2|31129093|v/v---------|0|0|972800|0|0|0|0
0|/$OrphanFiles|31129094|d/d---------|0|0|0|0|0|0|0
0|/$$bad_content 1 (deleted)|22930439|-/rrwxrwxrwx|0|0|59|1532631600|1532627846|0|1532627821
0|/$$bad_content 2 (deleted)|22930444|-/rrwxrwxrwx|0|0|47|1532631600|1532627846|0|1532627821
0|/$$bad_content 3 (deleted)|22930449|-/rrwxrwxrwx|0|0|353|1532631600|1532627846|0|1532627821

Run the mactime tool to obtain timeline analysis with the following command:

ubuntu@ubuntu:~$ cat usb.fls > usb.mac

To convert this mactime output to human-readable form, enter the following command:

ubuntu@ubuntu:~$ mactime -b usb.mac > usb.mactime
ubuntu@ubuntu:~$ cat usb.mactime
Thu Jul 26 2018 22:57:02        0 m... d/drwxrwxrwx 0        0        41       /Oceans Twelve (2004) (deleted)
Thu Jul 26 2018 22:57:26       59 m... -/rrwxrwxrwx 0        0        22930439 /Game of Thrones 4 720p x264 DDP 5.1 ESub -(deleted)
                               47 m... -/rrwxrwxrwx 0        0        22930444 /Game of Thrones 4 720p x264 DDP 5.1 ESub - (deleted)
                              353 m... -/rrwxrwxrwx 0        0        22930449 //Game of Thrones 4 720p x264 DDP 5.1 ESub - (deleted)
Fri Jul 27 2018 00:00:00       12 .a.. r/rrwxrwxrwx 0        0        135      /System Volume Information/WPSettings.dat
                               76 .a.. r/rrwxrwxrwx 0        0        138      /System Volume Information/IndexerVolumeGuid
                               59 .a.. -/rrwxrwxrwx 0        0        22930439 /Game of Thrones 3 720p x264 DDP 5.1 ESub 3(deleted)
                               47 .a.. -/rrwxrwxrwx 0        0        22930444 $/Game of Thrones 3 720p x264 DDP 5.1 ESub 3 (deleted)
                              353 .a.. -/rrwxrwxrwx 0        0        22930449 /Game of Thrones 3 720p x264 DDP 5.1 ESub 3 (deleted)
Fri Jan 31 2020 00:00:00    33180 .a.. r/rrwxrwxrwx 0        0        45       /MINUTES OF PC-I HELD ON 23.01.2020.docx
Fri Jan 31 2020 12:20:38    33180 m... r/rrwxrwxrwx 0        0        45       /MINUTES OF PC-I HELD ON 23.01.2020.docx
Fri Jan 31 2020 12:21:03    33180 ...b r/rrwxrwxrwx 0        0        45       /MINUTES OF PC-I HELD ON 23.01.2020.docx
Mon Feb 17 2020 14:36:44    46659 m... r/rrwxrwxrwx 0        0        49       /MINUTES OF LEC HELD ON 10.02.2020.docx (deleted)
                            46659 m... r/rr-xr-xr-x 0        0        51       /_WRL0024.tmp (deleted)
Tue Feb 18 2020 00:00:00    46659 .a.. r/rrwxrwxrwx 0        0        49      /Game of Thrones 2 720p x264 DDP 5.1 ESub -(deleted)
                            38208 .a.. r/rrwxrwxrwx 0        0        50       /_WRD3886.tmp (deleted)
Tue Feb 18 2020 10:43:52    46659 ...b r/rrwxrwxrwx 0        0        49      /Game of Thrones 1 720p x264 DDP 5.1 ESub -
                            38208 ...b r/rrwxrwxrwx 0        0        50       /_WRD3886.tmp (deleted)
                            46659 ...b r/rr-xr-xr-x 0        0        51       /_WRL0024.tmp (deleted)
                            38208 ...b r/rrwxrwxrwx 0        0        55       /MINUTES OF LEC HELD ON 10.02.2020.docx
Tue Feb 18 2020 11:13:16    38208 m... r/rrwxrwxrwx 0        0        50       /_WRD3886.tmp (deleted)
                            46659 .a.. r/rr-xr-xr-x 0        0        51       /_WRL0024.tmp (deleted)
                            38208 .a.. r/rrwxrwxrwx 0        0        55       /MINUTES OF LEC HELD ON 10.02.2020.docx
Tue Feb 18 2020 10:43:52    46659 ...b r/rrwxrwxrwx 0        0        49      /Game of Thrones 1 720p x264 DDP 5.1 ESub -
                            38208 ...b r/rrwxrwxrwx 0        0        50       /_WRD3886.tmp (deleted)
                            46659 ...b r/rr-xr-xr-x 0        0        51       /_WRL0024.tmp (deleted)
                            38208 ...b r/rrwxrwxrwx 0        0        55       /MINUTES OF LEC HELD ON 10.02.2020.docx
Tue Feb 18 2020 11:13:16    38208 m... r/rrwxrwxrwx 0        0        50       /_WRD3886.tmp (deleted)
                            38208 m... r/rrwxrwxrwx 0        0        55     /Game of Thrones 3 720p x264 DDP 5.1 ESub -
Fri May 15 2020 00:00:00     4096 .a.. d/drwxrwxrwx 0        0        57       /New folder (deleted)
                             4096 .a.. d/drwxrwxrwx 0        0        63       /tender notice for network infrastructure equipment for IIUI (deleted)
                            56775 .a.. r/rrwxrwxrwx 0        0        67       /TENDER NOTICE (Mega PC-I) Phase-II.docx (deleted)
                            56783 .a.. r/rrwxrwxrwx 0        0        68       /_WRD2343.tmp (deleted)
                            56775 .a.. r/rr-xr-xr-x 0        0        69       /_WRL2519.tmp (deleted)
                            56783 .a.. r/rrwxrwxrwx 0        0        73       /TENDER NOTICE (Mega PC-I) Phase-II.docx
Fri May 15 2020 12:39:42     4096 ...b d/drwxrwxrwx 0        0        57       /New folder (deleted)
                             4096 ...b d/drwxrwxrwx 0        0        63       /tender notice for network infrastructure equipment for IIUI (deleted)
Fri May 15 2020 12:39:44     4096 m... d/drwxrwxrwx 0        0        57       $$bad_content 3(deleted)
                             4096 m... d/drwxrwxrwx 0        0        63       /tender notice for network infrastructure equipment for IIUI (deleted)
Fri May 15 2020 12:43:18    56775 m... r/rrwxrwxrwx 0        0        67$$bad_content 1 (deleted)
                            56775 m... r/rr-xr-xr-x 0        0        69       /_WRL2519.tmp (deleted)
Fri May 15 2020 12:45:01    56775 ...b r/rrwxrwxrwx 0        0        67      $$bad_content 2 (deleted)
                            56783 ...b r/rrwxrwxrwx 0        0        68       /_WRD2343.tmp (deleted)
                            56775 ...b r/rr-xr-xr-x 0        0        69       /_WRL2519.tmp (deleted)
                            56783 ...b r/rrwxrwxrwx 0        0        73       /TENDER NOTICE (Mega PC-I) Phase-II.docx
Fri May 15 2020 12:45:36    56783 m... r/rrwxrwxrwx 0        0        68      windump.exe (deleted)
                            56783 m... r/rrwxrwxrwx 0        0        73       /TENDER NOTICE (Mega PC-I) Phase-II.docx

All the files should be recovered with a timestamp on it in a human-readable format in the file “usb.mactime.”

Tools for USB Forensics Analysis

There are various tools that can be used to perform forensics analysis on a USB drive, such as Sleuth Kit Autopsy, FTK Imager, Foremost, etc. First, we will have a look at the Autopsy tool.

Autopsy

Autopsy is used to extract and analyze data from different types of images, such as AFF (Advance Forensic Format) images, .dd images, raw images, etc. This program is a powerful tool used by forensic investigators and different law enforcement agencies. Autopsy consists of many tools that can help investigators to get the job done efficiently and smoothly. The Autopsy tool is available for both Windows and UNIX platforms free of cost.

To analyze a USB image using Autopsy, you must first create a case, including writing the investigators’ names, recording the case name, and other informational tasks. The next step is to import the source image of the USB drive obtained at the start of the process using the dd utility. Then, we will let the Autopsy tool do what it does best.

The amount of information provided by Autopsy is enormous. Autopsy provides the original filenames and also allows you to examine the directories and paths with all the info about the relevant files, such as accessed, modified, changed, date, and time. The metadata info is also retrieved, and all the info is sorted in a professional way. To make the file search easier, Autopsy provides a Keyword Search option, which allows the user to quickly and efficiently search a string or number from among the retrieved contents.

In the left panel of the subcategory of File Types, you will see a category named “Deleted Files” containing the deleted files from the desired drive image with all the Metadata and Timeline Analysis information.

Autopsy is Graphic User Interface (GUI) for the command-line tool Sleuth Kit and is at the top level in the forensics world due to its integrity, versatility, easy-to-use nature,  and the ability to produce fast results. USB device forensics can be performed as easily on Autopsy as on any other paid tool.

FTK Imager

FTK Imager is another great tool used for the retrieval and acquisition of data from different types of images provided. FTK Imager also has the ability to make a bit-by-bit image copy, so that no other tool like dd or dcfldd is needed for this purpose. This copy of the drive includes all files and folders, the unallocated and free space, and the deleted files left in slack space or unallocated space. The basic goal here when performing forensic analysis on USB drives is to reconstruct or recreate the attack scenario.

We will now take a look at performing USB forensics analysis on a USB  image using the FTK Imager tool.

First, add the image file to FTK Imager by clicking File >> Add Evidence Item.

Now, select the type of file you want to import. In this case, it is an image file of a USB drive.

Now, enter the full location of the image file. Remember, you must provide a full path for this step. Click Finish to begin data acquisition, and let the FTK Imager do the job. After some time, the tool will provide the desired results.

Here, the first thing to do is to verify Image Integrity by right-clicking on the image name and selecting Verify Image. The tool will check for matching md5 or SHA1 hashes provided with the image information, and will also tell you whether the image has been tampered with before being imported into the FTK Imager tool.

Now, Export the given results to the path of your choice by right-clicking the image name and selecting the Export option to analyze it. The FTK Imager will create a full data log of the forensics process and will place these logs in the same folder as the image file.

Analysis

The recovered data can be in any format, such as tar, zip (for compressed files), png, jpeg, jpg (for image files), mp4, avi format (for video files), barcodes, pdfs, and other file formats. You should analyze the metadata of the given files and check for barcodes in the form of a QR Code. This can be in a png file and can be retrieved using the ZBAR tool. In most cases, docx and pdf files are used to hide statistical data, so they must be uncompressed. Kdbx files can be opened through Keepass; the password may have been stored in other recovered files, or we can perform bruteforce at any time.

Foremost

Foremost is a tool used to recover deleted files and folders from a drive image using headers and footers. We will take a look at Foremost’s man page to explore some powerful commands contained within this tool:

ubuntu@ubuntu:~$ man foremost

       -a     Enables write all headers, perform no error detection  in  terms
              of corrupted files.
       -b number
              Allows  you to specify the block size used in foremost.  This is
              relevant for file naming and quick  searches.   The  default  is
              512. ie.  foremost -b 1024 image.dd

      -q (quick mode) :
   Enables quick mode. In quick mode, only the start of each sector
              is searched  for  matching  headers.  That  is,  the  header  is
              searched  only  up to the length of the longest header. The rest
              of the sector, usually about 500 bytes, is  ignored.  This  mode
              makes  foremost run considerably faster, but it may cause you to
              miss files that are embedded in other files. For example,  using
              quick  mode you will not be able to find JPEG images embedded in
              Microsoft Word documents.

              Quick mode should not be used when examining NTFS file  systems.
              Because  NTFS  will store small files inside the Master File Ta‐
              ble, these files will be missed during quick mode.

       -a     Enables write all headers, perform no error detection  in  terms
              of corrupted files.
       -i (input) file :
              The  file  used with the i option is used as the input file.
    In the case that no input file is specified  stdin is used to c.

The  file  used with the i option is used as the input file.

In the case that no input file is specified  stdin is used to c.

To get the job done, we will use the following command :

ubuntu@ubuntu:~$ foremost usb.dd

After the process is complete, there will be a file in the /output folder named text containing the results.

Conclusion

USB drive forensics is a good skill to have to retrieve evidence and recover deleted files from a USB device, as well as to identify and examine what computer programs may have been used in the attack. Then, you may put together the steps the attacker may have taken to prove or disprove the claims made by the legitimate user or victim. To ensure that no one gets away with a cyber-crime involving USB data, USB forensics is an essential tool. USB devices contain key evidence in most forensics cases and sometimes, the forensics data obtained from a USB drive can help in recovering important and valuable personal data.

About the author

Usama Azad

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I’m born and raised in Wazirabad, Pakistan and currently doing Undergraduation from National University of Science and Technology (NUST). On Twitter i go by @UsamaAzad14