Tackling the U3 trend with computer forensics

https://doi.org/10.1016/j.diin.2006.12.001

Abstract

A new technology has emerged, allowing applications to be stored and run on portable devices, such as flash drives and iPods. Sandisk's U3™ smart technology appears to be becoming the standard in this new realm of portability. With the advent of this technology, questions are arising as to the effects it will have on computer forensic investigations. Probably hundreds of thousands of people have purchased devices with U3 or similar technologies already. The fear is that these people will be able to plug their devices into computers, do their misdeeds and then simply unplug those devices, removing any trace. This article will illustrate that this is not the case and will discuss different artifacts that a device such as this will leave behind. For the purposes of this illustration we have investigated the use of some of the most common applications used on U3 drives. This information will serve as a guide to investigating computer crimes perpetrated via U3 or similar technologies. Investigators must keep in mind during their investigations the possibility that their suspects have used such technology, particularly when their investigations seem to lead to a dead end.

Introduction

In the world of Digital Investigations we are constantly striving to keep up with technology. The U3™ smart technology is our latest challenge. Digital Investigations these days almost always involve a thumb drive, because individuals have the capability to introduce and remove files from a computer with relative ease. A thumb drive with U3 technology affords a user the ability to carry not only their files but their applications as well, without installing them on the host computer. This portability makes the task of investigating an incident much more difficult. In the past, if a user emailed a file via webmail, a cached webpage showing the name of the attached file could be found on the hard drive. If a user were to use Firefox® from their U3 thumb drive, the cache would be gone as soon as the user ejected and removed the drive.

This absence of data is alarming and creates several new challenges for an examiner. Typically in a corporate networking environment, users are not allowed to install their own applications for multiple reasons. The first and most obvious reason is security. Applications may be vulnerable and could cause a network to be compromised. U3 technology is able to circumvent an organization's current security, allowing employees to use their own applications without actually installing them on the organization's computer. This capability enables an individual to remove or transmit intellectual property (IP), and all of the forensic artifacts related to the IP, which would normally be found on the computer, would now be found only on the thumb drive.

U3 also poses a problem for law enforcement. When investigating a crime, all of the prosecutable evidence may only be found on the U3 device. An all too familiar example is a child pornography case. By using a mail client that is installed on the U3 device, the suspect can easily take their images and movies with them. The suspect would also have the ability to download files without having to set up applications on the computer being used. Instant messenger clients also afford the suspect the ability to communicate and trade content.

Although these devices may not leave a “smoking gun” on the host computer, they will leave behind a trail of forensic artifacts that can lead an investigator to the U3 device for further examination. Examining the use of a U3 device is no different than examining the use of a normal thumb drive, with the exception of some additional artifacts left behind by the applications installed on the device which will be discussed later.

There are several manufacturers that make U3 devices which can be found at a local computer or electronics store for under $100, making these devices readily available to the public. For the purposes of this article, a Memorex® 2 GB Mini TravelDrive™ with U3™ smart technology was used, which retails for about $85.

The four most popular applications available for download

1. Firefox®, a free, extremely versatile (open source) web browser.

2. Thunderbird, a free, extremely versatile (open source) email client.

3. Trillian™, a multi-protocol Instant Messenger client.

4. Skype, a Voice Over IP application (allows calls to a standard phone).

All four of these applications are free to download and, in most cases, come preinstalled on the U3™ device.

Device behavior

Any time a device is connected to a computer running the Windows XP operating system, multiple entries are made in the registry. The entries are necessary for the device to function. This is where an investigator can determine the vendor name, product name and product type of the U3 device he or she will need to obtain to further their investigation. When the U3 device was inserted into the computer the device presented itself as two separate devices. The first device is a CDROM drive labeled
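On Windows XP the per-device entries the paragraph refers to live under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, where each subkey name encodes the device type, vendor, product and revision (Disk&Ven_…&Prod_…&Rev_…). The following is an added example, not code from the paper, that parses such key names and groups them by device instance; the three key names it runs on are constructed to mimic a U3 drive presenting both a CD-ROM and a removable disk, and the product and revision strings are invented placeholders, not values recorded by the authors.

```python
"""Parse USBSTOR enumeration key names into vendor/product/type records.

Key names follow the pattern <Type>&Ven_<vendor>&Prod_<product>&Rev_<rev>,
and the child key under each is the device instance id (serial number).
"""
import re
from collections import defaultdict

USBSTOR_KEY = re.compile(
    r"^(?P<type>[A-Za-z]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$"
)

# Constructed sample of (key name, instance id) pairs as an examiner might
# export them from an offline SYSTEM hive; product/revision/serial are placeholders.
SAMPLE_USBSTOR_KEYS = [
    ("CdRom&Ven_Memorex&Prod_Mini_TravelDrive&Rev_1.00", "0000000000001234&1"),
    ("Disk&Ven_Memorex&Prod_Mini_TravelDrive&Rev_1.00", "0000000000001234&0"),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "AB12CD34&0"),
]


def parse_usbstor_key(name: str) -> dict:
    """Split one USBSTOR key name into its fields; underscores are spaces in the
    original descriptor strings, so they are restored for readability."""
    m = USBSTOR_KEY.match(name)
    if not m:
        raise ValueError(f"not a USBSTOR key name: {name!r}")
    fields = m.groupdict()
    fields["product"] = fields["product"].replace("_", " ")
    fields["vendor"] = fields["vendor"].replace("_", " ")
    return fields


def group_by_device(entries) -> dict:
    """Group parsed keys by (vendor, product, serial-without-suffix) so a U3
    drive's CdRom and Disk personalities show up as one physical device.
    The '&<n>' suffix on the instance id is the interface index, not part
    of the serial, so it is stripped for grouping."""
    devices = defaultdict(set)
    for key_name, instance_id in entries:
        f = parse_usbstor_key(key_name)
        serial = instance_id.split("&")[0]
        devices[(f["vendor"], f["product"], serial)].add(f["type"])
    return {k: sorted(v) for k, v in devices.items()}


if __name__ == "__main__":
    for (vendor, product, serial), types in group_by_device(SAMPLE_USBSTOR_KEYS).items():
        print(f"{vendor} {product} serial={serial}: presents as {', '.join(types)}")
```

A device whose serial appears with both a CdRom and a Disk type is the registry-side signature of the two-device presentation described above, and the vendor and product fields give the examiner what they need to identify the physical drive to seize.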

Link files

When the “Explore U3 Drive” option is selected a link file is created in the “Recent” folder of the logged-in user's profile. In this case EnCase® V5 was used to parse the link file revealing the following:

Link file: C:\Documents and Settings\JQP\Recent\U3Shortcut.lnk
Created date: 10/13/06 10:00:41AM
Last written date: 10/13/06 10:00:42AM
Last accessed date: 10/13/06 12:00:00AM
Volume label: TravelDrive
Media type: Removable
Volume serial: D1 EC 1C 86
Base path: F:\Documents\U3Shortcut
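The fields EnCase reports come from fixed structures in the shell link format (the ShellLinkHeader timestamps, and the VolumeID and LocalBasePath inside the LinkInfo block). The following is an added example, not code from the paper or from EnCase, of a minimal parser for exactly those fields; it builds its own sample .lnk in memory, populated with the values from the listing above, so it runs offline. Assumptions: the sample stores the timestamps as UTC and the serial as the raw bytes shown, and the label is in the ANSI VolumeLabel field (Unicode labels are not handled).

```python
"""Minimal parser for Windows shell link (.lnk) files, covering the fields an
examiner wants from a Recent-folder shortcut: timestamps, volume label, drive
type, volume serial and local base path.  Offsets follow the MS-SHLLINK format."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01
DRIVE_TYPES = {0: "Unknown", 1: "No root dir", 2: "Removable", 3: "Fixed",
               4: "Remote", 5: "CDROM", 6: "RAM disk"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; integer maths keeps it exact."""
    return FILETIME_EPOCH + timedelta(seconds=ft // 10_000_000,
                                      microseconds=(ft % 10_000_000) // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _cstring(data: bytes, offset: int) -> str:
    """Read a NUL-terminated ANSI string starting at offset."""
    end = data.index(b"\x00", offset)
    return data[offset:end].decode("latin-1")


def parse_lnk(data: bytes) -> dict:
    hdr_size, clsid, flags, _attrs, ctime, atime, wtime, _size = \
        struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a shell link file")
    result = {"created": filetime_to_datetime(ctime),
              "accessed": filetime_to_datetime(atime),
              "written": filetime_to_datetime(wtime)}
    pos = 0x4C  # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the item ID list if present
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        li = pos  # all LinkInfo offsets are relative to this point
        _li_size, _li_hdr, li_flags, vol_off, base_off, _cnrl_off, _suffix_off = \
            struct.unpack_from("<7I", data, li)
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vol = li + vol_off
            _vid_size, drive_type, serial, label_off = struct.unpack_from("<II4sI", data, vol)
            result["drive_type"] = DRIVE_TYPES.get(drive_type, f"Unknown ({drive_type})")
            result["volume_serial"] = " ".join(f"{b:02X}" for b in serial)  # raw byte order
            result["volume_label"] = _cstring(data, vol + label_off)
            result["base_path"] = _cstring(data, li + base_off)
    return result


def build_sample_lnk() -> bytes:
    """Constructed sample mirroring the listing above; not a file from the study."""
    utc = timezone.utc
    created = datetime_to_filetime(datetime(2006, 10, 13, 10, 0, 41, tzinfo=utc))
    written = datetime_to_filetime(datetime(2006, 10, 13, 10, 0, 42, tzinfo=utc))
    accessed = datetime_to_filetime(datetime(2006, 10, 13, 0, 0, 0, tzinfo=utc))
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID,
                         HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO, 0x10,  # directory target
                         created, accessed, written, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"  # empty list: just the terminal ID
    label = b"TravelDrive\x00"
    volume_id = struct.pack("<II4sI", 16 + len(label), 2, b"\xD1\xEC\x1C\x86", 16) + label
    base_path = b"F:\\Documents\\U3Shortcut\x00"
    vol_off = 28  # LinkInfo header size without the optional Unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack("<7I", suffix_off + 1, 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + base_path + b"\x00"
    return header + id_list + link_info + b"\x00\x00\x00\x00"  # terminal ExtraData block


if __name__ == "__main__":
    for field, value in parse_lnk(build_sample_lnk()).items():
        print(f"{field}: {value}")
```

Because the link stores the target volume's label and serial rather than the drive letter alone, the artifact survives the device being removed and lets the examiner match the shortcut to a specific thumb drive later; the midnight last-accessed value reflects XP recording only the date for that timestamp.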

This artifact
