Recommended Setup Prior to Live System Processing
- Format a flash drive or external hard drive using NTFS
- Move the USB Detective executable and license file to the removable device
- Enable the “Auto-Save Log” option in the Tools > Options menu (this will also create a usbd.settings file in the same directory as the USB Detective executable)
Using USB Detective to Process a Live System
1) Connect the pre-configured removable device to the target system.
2) Run USB Detective from the pre-configured device and select “Process Live System” from the opening window.
3) Enter a case name, evidence number, and case folder. If a case folder is not entered, the directory from which USB Detective is running will be assigned as the case folder.
It is recommended to check the options for including volume shadow copies and automatically creating reports during live system processing (these are the default options). To modify one or more of the report settings, click “Show Reporting Options”. Any reports that are automatically created will be saved to the case folder. Click “Process System” to start processing the live system.
4) When processing completes, a statistics window will provide details on the number of files processed, devices identified, and more. If additional reports are required, they can be created using the Report > Create Report menu. If the “Auto-Save Log” option is not enabled, it is recommended that the log be saved to the case folder using the File > Save Log function. After all reports and the USB Detective log is saved, the destination drive can be removed from the target system.
Questions or comments? Let us know at support@usbdetective.com!