The use of USB devices to store personal data and information is increasing day by day due to the portability and plug-and-play nature of these devices. A USB (Universal Serial Bus) device provides storage capacity ranging from 2 GB to 128 GB or more. Due to the stealthy nature of these devices, USB drives can also be used by hackers and script kiddies to store malicious programs and files, such as packet sniffers and keyloggers, and to carry out malicious tasks. When incriminating information, such as blackmail material, is deleted from a USB device, USB forensics comes into play to retrieve the deleted information. The retrieval or recovery of deleted data from USB drives is what we call USB forensics. This article looks at the professional procedure for performing forensic analysis on a USB device.

Create Copy Image of USB Drive

The first thing we will do is make a copy of the USB drive. A regular file-level backup will not work here, because it does not capture deleted files or unallocated space. This is a very crucial step, and if it is done wrong, all the work will go to waste. Use the following command to list all the drives attached to the system:

ubuntu@ubuntu:~$ sudo fdisk -l

In Linux, drive names differ from those in Windows. Older IDE drives appear as hda, hdb, and so on, while SCSI, SATA, and USB drives appear as sda, sdb, sdc, etc., rather than under drive letters as in Windows OS.

Now that we have the drive name, we can create its .dd image bit-by-bit with the dd utility by entering the following command:

ubuntu@ubuntu:~$ sudo dd if=/dev/sdc1 of=usb.dd bs=512

if=the location of the USB drive

of=the destination where the copied image will be stored (can be a local path on your system, e.g. /home/user/usb.dd)

bs=the number of bytes that will be copied at a time

To prove that we have an exact copy of the original drive, we will use hashing to maintain the image’s integrity. Hashing produces a fixed-length digest of the data. If a single bit of data is changed, the hash changes completely, so one will know whether the copy is fake or original. We will generate an md5 hash of the image so that, when compared with the drive’s original hash, no one can question the integrity of the copy.

ubuntu@ubuntu:~$ md5sum usb.dd

This will provide an md5 hash of the image. Now, we can start our forensics analysis on this newly created image of the USB drive, along with the hash.
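The comparison between the drive and its image can be automated. The following is an added example, not part of the original article: it hashes source and image in one pass each (md5 as used above, plus SHA-256) and reports why a copy fails, including an image that was cut off after one sector. The function names and the constructed data standing in for /dev/sdc1 and usb.dd are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never sits in memory


def digests(path):
    """Return (size, md5_hex, sha256_hex) for a file or block device, read once."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha256.hexdigest()


def verify_image(source, image):
    """Compare an acquired image with its source; return (ok, reason)."""
    s_size, s_md5, s_sha = digests(source)
    i_size, i_md5, i_sha = digests(image)
    if s_size != i_size:
        return False, f"size mismatch: source {s_size} bytes, image {i_size} bytes"
    if (s_md5, s_sha) != (i_md5, i_sha):
        return False, "hash mismatch: image content differs from source"
    return True, f"match md5={i_md5} sha256={i_sha}"


def demo():
    """Run the check on constructed data standing in for /dev/sdc1 and usb.dd."""
    data = bytes(range(256)) * 16                  # 4096 bytes = 8 sectors of 512
    flipped = bytearray(data)
    flipped[1000] ^= 0x01                          # a single changed bit
    cases = {
        "complete": data,                          # full bit-by-bit copy
        "one_sector": data[:512],                  # copy cut off after one 512-byte block
        "bit_flipped": bytes(flipped),
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")
        with open(source, "wb") as fh:
            fh.write(data)
        for name, content in cases.items():
            image = os.path.join(tmp, name + ".dd")
            with open(image, "wb") as fh:
                fh.write(content)
            results[name] = verify_image(source, image)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:12} {'OK  ' if ok else 'FAIL'} {reason}")
```

On a real case, the source is read through a write blocker so that hashing the drive cannot alter it.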

Boot Sector Layout

Running the file command will give back the file system, as well as the drive’s geometry:

ubuntu@ubuntu:~$ file usb.dd

ok.dd: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "MSDOS5.0",
sectors/cluster 8, reserved sectors 4392, Media descriptor 0xf8,
sectors/track 63, heads 255, hidden sectors 32, sectors 1953760 (volumes > 32 MB),
FAT (32 bit), sectors/FAT 1900, reserved 0x1, serial number 0x6efa4158, unlabeled

Now, we can use the minfo tool to get the boot sector layout and the boot sector information of this FAT32 image via the following command:

ubuntu@ubuntu:~$ minfo -i  usb.dd

device information:
===================
filename="ok.dd"
sectors per track: 63
heads: 255
cylinders: 122

mformat command line: mformat -T 1953760 -i ok.dd -h 255 -s 63 -H 32 ::

boot sector information
======================
banner:"MSDOS5.0"
sector size: 512 bytes
cluster size: 8 sectors
reserved (boot) sectors: 4392
fats: 2
max available root directory slots: 0
small size: 0 sectors
media descriptor byte: 0xf8
sectors per fat: 0
sectors per track: 63
heads: 255
hidden sectors: 32
big size: 1953760 sectors
physical drive id: 0x80
reserved=0x1
dos4=0x29
serial number: 6EFA4158
disk label="NO NAME    "
disk type="FAT32   "
Big fatlen=1900
Extended flags=0x0000
FS version=0x0000
rootCluster=2
infoSector location=1
backup boot sector=6

Infosector:
signature=0x41615252
free clusters=243159
last allocated cluster=15

Another command, fsstat from The Sleuth Kit, can be used to obtain general information about the device image, such as allocation structures, layout, and boot blocks. We will use the following command to do so:

ubuntu@ubuntu:~$ fsstat usb.dd

--------------------------------------------
File System Type: FAT32

OEM Name: MSDOS5.0
Volume ID: 0x6efa4158
Volume Label (Boot Sector): NO NAME
Volume Label (Root Directory): KINGSTON
File System Type Label: FAT32
Next Free Sector (FS Info): 8296
Free Sector Count (FS Info): 1945272

Sectors before file system: 32

File System Layout (in sectors)
Total Range: 0 - 1953759
* Reserved: 0 - 4391
** Boot Sector: 0
** FS Info Sector: 1
** Backup Boot Sector: 6
* FAT 0: 4392 - 6291
* FAT 1: 6292 - 8191
* Data Area: 8192 - 1953759
** Cluster Area: 8192 - 1953759
*** Root Directory: 8192 - 8199

METADATA INFORMATION
--------------------------------------------
Range: 2 - 31129094
Root Directory: 2

CONTENT INFORMATION
--------------------------------------------
Sector Size: 512
Cluster Size: 4096
Total Cluster Range: 2 - 243197

FAT CONTENTS (in sectors)
--------------------------------------------
8192-8199 (8) -> EOF
8200-8207 (8) -> EOF
8208-8215 (8) -> EOF
8216-8223 (8) -> EOF
8224-8295 (72) -> EOF
8392-8471 (80) -> EOF
8584-8695 (112) -> EOF
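The sector ranges in this layout follow directly from a handful of boot sector fields, which is a useful cross-check when a tool's output looks wrong or the boot sector may have been altered. The following is an added example, not code from the original article or from The Sleuth Kit: it decodes the FAT32 BIOS Parameter Block and derives the layout. The function names are assumptions, and the sample sector is constructed from the values printed for ok.dd above.

```python
import struct


def parse_fat32_bpb(sector):
    """Decode the FAT32 BIOS Parameter Block from the first 512 bytes of an image."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not a boot sector")
    (bps, spc, reserved, nfats, root_entries, total16, media, fatsz16,
     _spt, _heads, hidden, total32) = struct.unpack_from("<HBHBHHBHHHII", sector, 0x0B)
    fatsz32, _flags, _version, root_cluster, fsinfo, backup = struct.unpack_from(
        "<IHHIHH", sector, 0x24)
    # FAT32 zeroes the 16-bit FAT size and root-slot fields (minfo shows both as 0).
    if fatsz16 != 0 or root_entries != 0 or fatsz32 == 0 or spc == 0:
        raise ValueError("BPB is not FAT32")
    return {
        "oem": sector[3:11].decode("ascii", "replace"),
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved": reserved, "fats": nfats, "media": media, "hidden": hidden,
        "total_sectors": total16 or total32, "sectors_per_fat": fatsz32,
        "root_cluster": root_cluster, "fsinfo": fsinfo, "backup_boot": backup,
        "volume_id": struct.unpack_from("<I", sector, 0x43)[0],
    }


def layout(bpb):
    """Derive inclusive sector ranges in the form fsstat reports them."""
    fat_len, spc = bpb["sectors_per_fat"], bpb["sectors_per_cluster"]
    fats = [(bpb["reserved"] + i * fat_len, bpb["reserved"] + (i + 1) * fat_len - 1)
            for i in range(bpb["fats"])]
    data_start = bpb["reserved"] + bpb["fats"] * fat_len
    clusters = (bpb["total_sectors"] - data_start) // spc
    root_start = data_start + (bpb["root_cluster"] - 2) * spc   # clusters count from 2
    return {
        "reserved": (0, bpb["reserved"] - 1),
        "fats": fats,
        "data_area": (data_start, data_start + clusters * spc - 1),
        "root_directory": (root_start, root_start + spc - 1),    # first cluster only
        "cluster_range": (2, clusters + 1),
    }


def sample_boot_sector():
    """Constructed 512-byte sector carrying the values printed for ok.dd above."""
    s = bytearray(512)
    s[3:11] = b"MSDOS5.0"
    struct.pack_into("<HBHBHHBHHHII", s, 0x0B,
                     512, 8, 4392, 2, 0, 0, 0xF8, 0, 63, 255, 32, 1953760)
    struct.pack_into("<IHHIHH", s, 0x24, 1900, 0, 0, 2, 1, 6)
    struct.pack_into("<I", s, 0x43, 0x6EFA4158)
    s[0x52:0x5A] = b"FAT32   "
    s[510:512] = b"\x55\xaa"
    return bytes(s)


if __name__ == "__main__":
    bpb = parse_fat32_bpb(sample_boot_sector())
    for name, value in layout(bpb).items():
        print(f"{name:15} {value}")
```

To run it against the real image, pass the first 512 bytes of usb.dd to parse_fat32_bpb instead of the constructed sector.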

Deleted Files

The Sleuth Kit provides the fls tool, which lists all the files (especially recently deleted files) in each path, or in the image file specified. Any information about deleted files can be found using the fls utility. Enter the following command to use the fls tool:

ubuntu@ubuntu:~$ fls -rp -f fat32 usb.dd

r/r 3:  KINGSTON    (Volume Label Entry)


d/d 6:  System Volume Information


r/r 135:    System Volume Information/WPSettings.dat


r/r 138:    System Volume Information/IndexerVolumeGuid


r/r * 14:   Game of Thrones 1 720p x264 DDP 5.1 ESub – xRG.mkv


r/r * 22:   Game of Thrones 2 (Pretcakalp) 720 x264 DDP 5.1 ESub – xRG.mkv


r/r * 30:   Game of Thrones 3 720p x264 DDP 5.1 ESub – xRG.mkv


r/r * 38:   Game of Thrones 4 720p x264 DDP 5.1 ESub – xRG.mkv


d/d * 41:   Oceans Twelve (2004)


r/r 45: MINUTES OF PC-I HELD ON 23.01.2020.docx


r/r * 49:   MINUTES OF LEC HELD ON 10.02.2020.docx


r/r * 50:   windump.exe


r/r * 51:   _WRL0024.tmp


r/r 55: MINUTES OF LEC HELD ON 10.02.2020.docx


d/d * 57:   New folder


d/d * 63:   tender notice for network infrastructure equipment


r/r * 67:   TENDER NOTICE (Mega PC-I) Phase-II.docx


r/r * 68:   _WRD2343.tmp


r/r * 69:   _WRL2519.tmp


r/r 73: TENDER NOTICE (Mega PC-I) Phase-II.docx


v/v 31129091:   $MBR


v/v 31129092:   $FAT1


v/v 31129093:   $FAT2


d/d 31129094:   $OrphanFiles


/r * 22930439: $bad_content1


/r * 22930444: $bad_content2


/r * 22930449: $bad_content3

Here, we have obtained all the relevant files. The following options were used with the fls command:

-p = used to display the full path of every file recovered

-r = used to display the paths and folders recursively

-f = the type of file system used (FAT16, FAT32, etc.)

The above output shows that the USB drive contains many files. The deleted files recovered are marked with a “*” sign. You can see that something is not normal with the files named $bad_content1, $bad_content2, $bad_content3, and windump.exe. Windump is a network traffic capture tool. Using the windump tool, one can capture data not meant for the same computer. The intent is shown by the fact that the windump software has the specific purpose of capturing network traffic and was intentionally used to gain access to the personal communications of a legitimate user.

Timeline Analysis

Now that we have an image of the file system, we can perform MAC timeline analysis of the image to generate a timeline and to place the contents with the date and time in a systematic, readable format. Both the fls and ils commands can be used to build a timeline analysis of the file system. For the fls command, we need to specify that the output will be in MAC timeline output format. To do so, we will run the fls command with the -m flag and redirect the output to a file. We will also use the -m flag with the ils command.

ubuntu@ubuntu:~$ fls -m / -rp -f fat32 usb.dd > usb.fls

ubuntu@ubuntu:~$ cat usb.fls

0|/KINGSTON    (Volume Label Entry)|3|r/rrwxrwxrwx|0|0|0|0|1531155908|0|0

0|/System Volume Information|6|d/dr-xr-xr-x|0|0|4096|1531076400|1531155908|0|1531155906

0|/System Volume Information/WPSettings.dat|135|r/rrwxrwxrwx|0|0|12|1532631600|1531155908|0|1531155906

0|/System Volume Information/IndexerVolumeGuid|138|r/rrwxrwxrwx|0|0|76|1532631600|1531155912|0|1531155910

0|Game of Thrones 1 720p x264 DDP 5.1 ESub – xRG.mkv (deleted)|14|r/rrwxrwxrwx|0|0|535843834|1531076400|1531146786|0|1531155918

0|Game of Thrones 2 720p x264 DDP 5.1 ESub – xRG.mkv(deleted)|22|r/rrwxrwxrwx|0|0|567281299|1531162800|1531146748|0|1531121599

0|/Game of Thrones 3 720p x264 DDP 5.1 ESub – xRG.mkv(deleted)|30|r/rrwxrwxrwx|0|0|513428496|1531162800|1531146448|0|1531121607

0|/Game of Thrones 4 720p x264 DDP 5.1 ESub – xRG.mkv(deleted)|38|r/rrwxrwxrwx|0|0|567055193|1531162800|1531146792|0|1531121680

0|/Oceans Twelve (2004) (deleted)|41|d/drwxrwxrwx|0|0|0|1532545200|1532627822|0|1532626832

0|/MINUTES OF PC-I HELD ON 23.01.2020.docx|45|r/rrwxrwxrwx|0|0|33180|1580410800|1580455238|0|1580455263

0|/MINUTES OF LEC HELD ON 10.02.2020.docx (deleted)|49|r/rrwxrwxrwx|0|0|46659|1581966000|1581932204|0|1582004632

0|/_WRD3886.tmp (deleted)|50|r/rrwxrwxrwx|0|0|38208|1581966000|1582006396|0|1582004632

0|/_WRL0024.tmp (deleted)|51|r/rr-xr-xr-x|0|0|46659|1581966000|1581932204|0|1582004632

0|/MINUTES OF LEC HELD ON 10.02.2020.docx|55|r/rrwxrwxrwx|0|0|38208|1581966000|1582006396|0|1582004632

0|/New folder (deleted)|57|d/drwxrwxrwx|0|0|4096|1589482800|1589528384|0|1589528382

0|Windump.exe (deleted)|63|d/drwxrwxrwx|0|0|4096|1589482800|1589528384|0|1589528382

0|/TENDER NOTICE (Mega PC-I) Phase-II.docx (deleted)|67|r/rrwxrwxrwx|0|0|56775|1589482800|1589528598|0|1589528701

0|/_WRD2343.tmp (deleted)|68|r/rrwxrwxrwx|0|0|56783|1589482800|1589528736|0|1589528701

0|/_WRL2519.tmp (deleted)|69|r/rr-xr-xr-x|0|0|56775|1589482800|1589528598|0|1589528701

0|/TENDER NOTICE (Mega PC-I) Phase-II.docx|73|r/rrwxrwxrwx|0|0|56783|1589482800|1589528736|0|1589528701

0|/$MBR|31129091|v/v---------|0|0|512|0|0|0|0

0|/$FAT1|31129092|v/v---------|0|0|972800|0|0|0|0

0|/$FAT2|31129093|v/v---------|0|0|972800|0|0|0|0

0|/$OrphanFiles|31129094|d/d---------|0|0|0|0|0|0|0

0|/$$bad_content 1 (deleted)|22930439|/rrwxrwxrwx|0|0|59|1532631600|1532627846|0|1532627821

0|/$$bad_content 2 (deleted)|22930444|/rrwxrwxrwx|0|0|47|1532631600|1532627846|0|1532627821

0|/$$bad_content 3 (deleted)|22930449|/rrwxrwxrwx|0|0|353|1532631600|1532627846|0|1532627821

Save the fls output as the body file that the mactime tool will read, using the following command:

ubuntu@ubuntu:~$ cat usb.fls > usb.mac

To convert this body file into a human-readable timeline with mactime, enter the following command:

ubuntu@ubuntu:~$ mactime -b usb.mac > usb.mactime

ubuntu@ubuntu:~$ cat usb.mactime

Thu Jul 26 2018 22:57:02        0 m... d/drwxrwxrwx 0        0        41       /Oceans Twelve (2004) (deleted)
Thu Jul 26 2018 22:57:26       59 m... -/rrwxrwxrwx 0        0        22930439 /Game of Thrones 4 720p x264 DDP 5.1 ESub -(deleted)
                               47 m... -/rrwxrwxrwx 0        0        22930444 /Game of Thrones 4 720p x264 DDP 5.1 ESub – (deleted)
                              353 m... -/rrwxrwxrwx 0        0        22930449 //Game of Thrones 4 720p x264 DDP 5.1 ESub – (deleted)
Fri Jul 27 2018 00:00:00       12 .a.. r/rrwxrwxrwx 0        0        135      /System Volume Information/WPSettings.dat
                               76 .a.. r/rrwxrwxrwx 0        0        138      /System Volume Information/IndexerVolumeGuid
                               59 .a.. -/rrwxrwxrwx 0        0        22930439 /Game of Thrones 3 720p x264 DDP 5.1 ESub 3(deleted)
                               47 .a.. -/rrwxrwxrwx 0        0        22930444 $/Game of Thrones 3 720p x264 DDP 5.1 ESub 3 (deleted)
                              353 .a.. -/rrwxrwxrwx 0        0        22930449 /Game of Thrones 3 720p x264 DDP 5.1 ESub 3 (deleted)
Fri Jan 31 2020 00:00:00    33180 .a.. r/rrwxrwxrwx 0        0        45       /MINUTES OF PC-I HELD ON 23.01.2020.docx
Fri Jan 31 2020 12:20:38    33180 m... r/rrwxrwxrwx 0        0        45       /MINUTES OF PC-I HELD ON 23.01.2020.docx
Fri Jan 31 2020 12:21:03    33180 ...b r/rrwxrwxrwx 0        0        45       /MINUTES OF PC-I HELD ON 23.01.2020.docx
Mon Feb 17 2020 14:36:44    46659 m... r/rrwxrwxrwx 0        0        49       /MINUTES OF LEC HELD ON 10.02.2020.docx (deleted)
                            46659 m... r/rr-xr-xr-x 0        0        51       /_WRL0024.tmp (deleted)
Tue Feb 18 2020 00:00:00    46659 .a.. r/rrwxrwxrwx 0        0        49       /Game of Thrones 2 720p x264 DDP 5.1 ESub -(deleted)
                            38208 .a.. r/rrwxrwxrwx 0        0        50       /_WRD3886.tmp (deleted)
Tue Feb 18 2020 10:43:52    46659 ...b r/rrwxrwxrwx 0        0        49       /Game of Thrones 1 720p x264 DDP 5.1 ESub –
                            38208 ...b r/rrwxrwxrwx 0        0        50       /_WRD3886.tmp (deleted)
                            46659 ...b r/rr-xr-xr-x 0        0        51       /_WRL0024.tmp (deleted)
                            38208 ...b r/rrwxrwxrwx 0        0        55       /MINUTES OF LEC HELD ON 10.02.2020.docx
Tue Feb 18 2020 11:13:16    38208 m... r/rrwxrwxrwx 0        0        50       /_WRD3886.tmp (deleted)
                            46659 .a.. r/rr-xr-xr-x 0        0        51       /_WRL0024.tmp (deleted)
                            38208 .a.. r/rrwxrwxrwx 0        0        55       /MINUTES OF LEC HELD ON 10.02.2020.docx
                            38208 m... r/rrwxrwxrwx 0        0        55       /Game of Thrones 3 720p x264 DDP 5.1 ESub –
Fri May 15 2020 00:00:00     4096 .a.. d/drwxrwxrwx 0        0        57       /New folder (deleted)
                             4096 .a.. d/drwxrwxrwx 0        0        63       /tender notice for network infrastructure equipment for IIUI (deleted)
                            56775 .a.. r/rrwxrwxrwx 0        0        67       /TENDER NOTICE (Mega PC-I) Phase-II.docx (deleted)
                            56783 .a.. r/rrwxrwxrwx 0        0        68       /_WRD2343.tmp (deleted)
                            56775 .a.. r/rr-xr-xr-x 0        0        69       /_WRL2519.tmp (deleted)
                            56783 .a.. r/rrwxrwxrwx 0        0        73       /TENDER NOTICE (Mega PC-I) Phase-II.docx
Fri May 15 2020 12:39:42     4096 ...b d/drwxrwxrwx 0        0        57       /New folder (deleted)
                             4096 ...b d/drwxrwxrwx 0        0        63       /tender notice for network infrastructure equipment for IIUI (deleted)
Fri May 15 2020 12:39:44     4096 m... d/drwxrwxrwx 0        0        57       $$bad_content 3(deleted)
                             4096 m... d/drwxrwxrwx 0        0        63       /tender notice for network infrastructure equipment for IIUI (deleted)
Fri May 15 2020 12:43:18    56775 m... r/rrwxrwxrwx 0        0        67       $$bad_content 1 (deleted)
                            56775 m... r/rr-xr-xr-x 0        0        69       /_WRL2519.tmp (deleted)
Fri May 15 2020 12:45:01    56775 ...b r/rrwxrwxrwx 0        0        67       $$bad_content 2 (deleted)
                            56783 ...b r/rrwxrwxrwx 0        0        68       /_WRD2343.tmp (deleted)
                            56775 ...b r/rr-xr-xr-x 0        0        69       /_WRL2519.tmp (deleted)
                            56783 ...b r/rrwxrwxrwx 0        0        73       /TENDER NOTICE (Mega PC-I) Phase-II.docx
Fri May 15 2020 12:45:36    56783 m... r/rrwxrwxrwx 0        0        68       windump.exe (deleted)
                            56783 m... r/rrwxrwxrwx 0        0        73       /TENDER NOTICE (Mega PC-I) Phase-II.docx

All the files should now be listed with their timestamps in a human-readable format in the file “usb.mactime.”
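The body file is plain pipe-delimited text, so it can also be processed directly when a timeline needs filtering that mactime does not offer. The following is an added example, not part of the original article or of The Sleuth Kit: it parses body rows, expands them into m/a/c/b events, skips malformed rows, and lists files whose creation time is later than their last write. The function names are assumptions, and the sample rows are constructed from the usb.fls listing above.

```python
from datetime import datetime, timezone

# Constructed sample: three rows taken from the usb.fls listing above, plus one
# row with its leading fields missing, to show malformed input being set aside.
SAMPLE_BODY = """\
0|/MINUTES OF PC-I HELD ON 23.01.2020.docx|45|r/rrwxrwxrwx|0|0|33180|1580410800|1580455238|0|1580455263
0|/_WRL0024.tmp (deleted)|51|r/rr-xr-xr-x|0|0|46659|1581966000|1581932204|0|1582004632
0|/Oceans Twelve (2004) (deleted)|41|d/drwxrwxrwx|0|0|0|1532545200|1532627822|0|1532626832
(deleted)|67|r/rrwxrwxrwx|0|0|56775|1589482800|1589528598|0|1589528701
"""


def parse_body(text):
    """Parse rows of md5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime."""
    records, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        _md5, sep, rest = line.partition("|")
        parts = rest.rsplit("|", 9)        # names may contain '|': split from the right
        if not sep or len(parts) != 10 or not all(p.isdigit() for p in parts[5:]):
            skipped.append(lineno)
            continue
        size, atime, mtime, ctime, crtime = (int(p) for p in parts[5:])
        records.append({"name": parts[0], "inode": parts[1], "mode": parts[2],
                        "size": size, "atime": atime, "mtime": mtime,
                        "ctime": ctime, "crtime": crtime,
                        "deleted": parts[0].endswith("(deleted)")})
    return records, skipped


def timeline(records):
    """Expand records into (epoch, macb_flags, record) events, oldest first."""
    events = []
    for rec in records:
        by_ts = {}
        for pos, key in enumerate(("mtime", "atime", "ctime", "crtime")):
            if rec[key]:                    # 0 means the time is not recorded
                by_ts.setdefault(rec[key], ["."] * 4)[pos] = "macb"[pos]
        events += [(ts, "".join(flags), rec) for ts, flags in by_ts.items()]
    return sorted(events, key=lambda e: (e[0], e[2]["name"]))


def created_after_modified(records):
    """Heuristic: born later than last written usually means copied onto the volume."""
    return [r["name"] for r in records if 0 < r["mtime"] < r["crtime"]]


def render(events):
    """Format events in UTC (mactime prints the analyst's local time instead)."""
    return [f"{datetime.fromtimestamp(ts, timezone.utc):%Y-%m-%d %H:%M:%S} "
            f"{rec['size']:>9} {flags} {rec['inode']:>8} {rec['name']}"
            for ts, flags, rec in events]


if __name__ == "__main__":
    recs, bad = parse_body(SAMPLE_BODY)
    print("\n".join(render(timeline(recs))))
    print("skipped rows:", bad)
    print("created after modified:", created_after_modified(recs))
```

FAT records the access time as a date only and stores no time zone, so the hour shown for an event depends on the zone assumed during analysis.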

Tools for USB Forensics Analysis

There are various tools that can be used to perform forensics analysis on a USB drive, such as Sleuth Kit Autopsy, FTK Imager, Foremost, etc. First, we will have a look at the Autopsy tool.

Autopsy

Autopsy is used to extract and analyze data from different types of images, such as AFF (Advanced Forensic Format) images, .dd images, raw images, etc. This program is a powerful tool used by forensic investigators and different law enforcement agencies. Autopsy consists of many tools that can help investigators to get the job done efficiently and smoothly. The Autopsy tool is available for both Windows and UNIX platforms free of cost.

To analyze a USB image using Autopsy, you must first create a case, including writing the investigators’ names, recording the case name, and other informational tasks. The next step is to import the source image of the USB drive obtained at the start of the process using the dd utility. Then, we will let the Autopsy tool do what it does best.

The amount of information provided by Autopsy is enormous. Autopsy provides the original filenames and also allows you to examine the directories and paths with all the info about the relevant files, such as accessed, modified, and changed dates and times. The metadata info is also retrieved, and all the info is sorted in a professional way. To make the file search easier, Autopsy provides a Keyword Search option, which allows the user to quickly and efficiently search for a string or number among the retrieved contents.

In the left panel of the subcategory of File Types, you will see a category named “Deleted Files” containing the deleted files from the desired drive image with all the Metadata and Timeline Analysis information.

Autopsy is a graphical user interface (GUI) for the command-line tool Sleuth Kit and is at the top level in the forensics world due to its integrity, versatility, easy-to-use nature, and ability to produce fast results. USB device forensics can be performed as easily on Autopsy as on any paid tool.

FTK Imager

FTK Imager is another great tool used for the retrieval and acquisition of data from different types of images provided. FTK Imager also has the ability to make a bit-by-bit image copy, so that no other tool like dd or dcfldd is needed for this purpose. This copy of the drive includes all files and folders, the unallocated and free space, and the deleted files left in slack space or unallocated space. The basic goal here when performing forensic analysis on USB drives is to reconstruct or recreate the attack scenario.

We will now take a look at performing USB forensics analysis on a USB  image using the FTK Imager tool.

First, add the image file to FTK Imager by clicking File >> Add Evidence Item.

Now, select the type of file you want to import. In this case, it is an image file of a USB drive.

Now, enter the full location of the image file. Remember, you must provide a full path for this step. Click Finish to begin data acquisition, and let the FTK Imager do the job. After some time, the tool will provide the desired results.

Here, the first thing to do is to verify Image Integrity by right-clicking on the image name and selecting Verify Image. The tool will check for matching md5 or SHA1 hashes provided with the image information, and will also tell you whether the image has been tampered with before being imported into the FTK Imager tool.

Now, Export the given results to the path of your choice by right-clicking the image name and selecting the Export option to analyze it. The FTK Imager will create a full data log of the forensics process and will place these logs in the same folder as the image file.

Analysis

The recovered data can be in any format, such as tar, zip (for compressed files), png, jpeg, jpg (for image files), mp4, avi (for video files), barcodes, pdfs, and other file formats. You should analyze the metadata of the given files and check for barcodes in the form of a QR code. This can be in a png file and can be retrieved using the ZBar tool. In most cases, docx and pdf files are used to hide statistical data, so they must be uncompressed. Kdbx files can be opened through KeePass; the password may have been stored in other recovered files, or we can perform a brute-force attack at any time.

Foremost

Foremost is a tool used to recover deleted files and folders from a drive image using headers and footers. We will take a look at Foremost’s man page to explore some powerful commands contained within this tool:

ubuntu@ubuntu:~$ man foremost

       -a     Enables write all headers, perform no error detection  in  terms
              of corrupted files.

       -b number
              Allows  you to specify the block size used in foremost.  This is
              relevant for file naming and quick  searches.   The  default  is
              512. ie.  foremost -b 1024 image.dd

       -q (quick mode) :
              Enables quick mode. In quick mode, only the start of each sector
              is searched  for  matching  headers.  That  is,  the  header  is
              searched  only  up to the length of the longest header. The rest
              of the sector, usually about 500 bytes, is  ignored.  This  mode
              makes  foremost run considerably faster, but it may cause you to
              miss files that are embedded in other files. For example,  using
              quick  mode you will not be able to find JPEG images embedded in
              Microsoft Word documents.

              Quick mode should not be used when examining NTFS file  systems.
              Because  NTFS  will store small files inside the Master File
              Table, these files will be missed during quick mode.

       -i (input) file :
              The  file  used with the i option is used as the input file.
              In the case that no input file is specified  stdin is used to c.

To get the job done, we will use the following command :

ubuntu@ubuntu:~$ foremost usb.dd

After the process is complete, there will be a file in the /output folder named text containing the results.
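The effect of quick mode described in the man page excerpt is easy to see with a small header/footer carver. The following is an added example, not Foremost's own code: a simplified JPEG carver that searches either every byte or only sector starts, run on a constructed image with one blob aligned to a sector and one placed mid-sector, as embedded data would be. The function names and the sample image are assumptions.

```python
SECTOR = 512
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"


def header_offsets(image, quick):
    """Offsets where the JPEG header occurs; quick mode looks at sector starts only."""
    if quick:
        return [off for off in range(0, len(image), SECTOR)
                if image.startswith(JPEG_HEADER, off)]
    offsets, pos = [], image.find(JPEG_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(JPEG_HEADER, pos + 1)
    return offsets


def carve_jpegs(image, quick=False, max_len=10 * 1024 * 1024):
    """Return (start, end) byte ranges running from a header to the next footer.

    Simplification: the first footer after the header ends the file, so a JPEG
    with an embedded thumbnail would be cut short by this version.
    """
    carved, covered_to = [], 0
    for start in header_offsets(image, quick):
        if start < covered_to:
            continue                     # header lies inside a range already carved
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_len)
        if end == -1:
            continue                     # header without footer: fragment or false hit
        end += len(JPEG_FOOTER)
        carved.append((start, end))
        covered_to = end
    return carved


def sample_image():
    """Constructed 4-sector image: one JPEG-like blob aligned, one mid-sector."""
    image = bytearray(4 * SECTOR)
    first = JPEG_HEADER + b"\xe0constructed-A" + JPEG_FOOTER
    second = JPEG_HEADER + b"\xe0constructed-B" + JPEG_FOOTER
    image[512:512 + len(first)] = first        # aligned, as a file's first cluster is
    image[1124:1124 + len(second)] = second    # unaligned, as embedded data is
    return bytes(image)


if __name__ == "__main__":
    img = sample_image()
    print("full scan :", carve_jpegs(img))
    print("quick mode:", carve_jpegs(img, quick=True))
```

The full scan reports both blobs, while quick mode reports only the aligned one, which is why the default mode is the safer choice when embedded evidence matters.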

Conclusion

USB drive forensics is a good skill to have to retrieve evidence and recover deleted files from a USB device, as well as to identify and examine what computer programs may have been used in the attack. Then, you may put together the steps the attacker may have taken to prove or disprove the claims made by the legitimate user or victim. To ensure that no one gets away with a cyber-crime involving USB data, USB forensics is an essential tool. USB devices contain key evidence in most forensics cases and sometimes, the forensics data obtained from a USB drive can help in recovering important and valuable personal data.

About the author

Usama Azad

A security enthusiast who loves Terminal and Open Source. My area of expertise is Python, Linux (Debian), Bash, Penetration testing, and Firewalls. I was born and raised in Wazirabad, Pakistan, and am currently pursuing an undergraduate degree at the National University of Science and Technology (NUST). On Twitter I go by @UsamaAzad14.