Recommended Setup Prior to Processing Logical Drive
- If processing a mounted forensic image, use mounting software such as Arsenal Image Mounter that will allow any existing volume shadow copies to be exposed.
Using USB Detective to Process Logical Drive
1) Run USB Detective and select “Select Logical Drive” from the opening window.
2) Enter a case name, evidence number, and case folder. If a case folder is not entered, the directory from which USB Detective is running will be assigned as the case folder.
3) Select the drive letter associated with the logical drive to be processed. To automatically parse and include all supported artifacts from volume shadow copies, simply leave the “Include Volume Shadow Copies” option checked. NOTE: The live system on which USB Detective is running is not included in the logical drive listing. To process a live system, use the “Live System Processing” option.
4) Click “Process Artifacts” to process the selected logical drive letter. USB Detective will recursively scan the selected logical volume and parse the available USB device artifacts from locations including the active system registry hives, backup registry hives, setupapi logs (including upgrade logs), user hives, event logs, Windows.old folder, and volume shadow copies (if the option is selected).
5) When processing completes, a statistics window will provide details on the number of files processed, devices identified, and more. If needed, reports can be created using the Report > Create Report menu. If the “Auto-Save Log” option is not enabled, it is recommended that the log be saved to the case folder using the File > Save Log function.
Want to see logical drive processing in action? Check out the one-minute video tutorial here.
Questions or comments? Let us know at support@usbdetective.com!