Using USB Detective to Process Files/Folders

1) Run USB Detective and select “Select Files/Folders” from the opening window.

USB Detective Choose Input

2) Enter a case name, evidence number, and case folder. If a case folder is not entered, the directory from which USB Detective is running will be assigned as the case folder.

3) For each of the available artifacts, provide the path to an individual file or a folder containing the artifact(s) to be processed.  Any provided folders will be processed recursively.  NTUSER.DAT hives should be stored in a directory named by the account with which they are associated (e.g. Users\Jamie\NTUSER.DAT).  Registry transaction logs should be stored in the same directory as the primary hive with which they are associated.

TIP: If all artifacts are in the same top-level folder, you can specify the top-level folder path in the SYSTEM hive(s) location text box and use the rectangular button at the right of SYSTEM hive(s) text box to copy the path to all other artifact location text boxes. 

4) When processing completes, a statistics window will provide details on the number of files processed, devices identified, and more. If needed, reports can be created using the Report > Create Report menu. If the “Auto-Save Log” option is not enabled, it is recommended that the log be saved to the case folder using the File > Save Log function.

Want to see files/folders processing in action?  Check out the one-minute video tutorial here.

Questions or comments? Let us know at!