External Device Usage

There are many different types of external storage devices that can be connected to a computer system, but based on our extensive experience of conducting forensic examinations, by far the most common type of device is the common Universal Serial Bus (USB) drive.

Coming in many shapes and sizes, you can purchase a USB device that can hold around 64 Gigabytes (GB) for around $20 NZD. This is sufficiently large enough to copy your crown jewels with some space left over.

Should you need to conduct an investigation, the USB device history is often a fruitful source of evidence. Depending on the operating system and and type of USB device connected examples of artefacts that may be located include:

  • The type of device, potentially including the brand
  • Volume, or “friendly name”
  • Serial numbers
  • Dates of connection

Once the evidence about external devices has been established, we can then match other evidence of activity such as the USB drive being used to store confidential files, when the user access files from it.

It is important to not only forensically examine the computer system that the USB device was connected to, but to also copy and examine the actual USB device itself.  The examination of the computer system on its own, is unlikely to establish all of the files that were copied to or stored on a particular USB device. Only an examination of the device itself will determine that, along with any files that may have been deleted.

We commonly see that:

  • A ‘new’ USB device was connected for the ‘first time’ during a departing employee’s final week of employment.
  • USB devices are detected that were never returned to an employer at the conclusion of employment.
  • USB devices are used to copy, without authorisation, thousands of files containing confidential information. These USB devices often are not encrypted, so the loss of them would have implications under the New Zealand Privacy Act 2020.
  • A new employee may bring a USB device to your workplace, and copy across data that has taken without authorisation. Such copying may put your business at risk of potential legal action.