Windows 8 Forensics: USB Activity

When I started working on Windows 8 USB drive forensics, I assumed it would be pretty similar to Windows 7. I created a fresh Windows 8 VM and plugged a thumb drive into my local system. Like normal, the VM recognized it as it should. At this point I shut the VM down and opened it in EnCase to examine what happened. All of the findings were similar to Windows 7 USB forensics, and much like the recycle bin, proved nothing exciting.

Here are the results.

(The original post for this can be found on the Patrick Leahy Center for Digital Investigation blog.)

Mounted devices tab:


 Software\microsoft\windows portable devices\devices – friendly name link:


These keys are all the same as Windows 7, therefore it should be smooth sailing to continue producing USB activity results.

About the Author:

Ethan Fleisher is a Senior majoring in Computer and Digital Forensics at Champlain College. Originally from Carlisle, Pennsylvania, Ethan currently works as a Forensic Intern and System Administrator at the Senator Patrick Leahy Center for Digital Investigation where he is involved in real life investigation forensic analysis, network and system administration, and forensic research. Ethan has spent close to the last year researching the Microsoft Windows 8 OS with focus on revealing new artifacts and attempting to confirm previous methodologies.

(Guest post provided by Ethan Fleisher. Original article can be found at Champlain College and the author’s blog

3 thoughts on “Windows 8 Forensics: USB Activity”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.